1c678700f55baca404efd850f9874737deb30f6a8c23d6f42418ec242286683d

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

4KB
MD5

cf10498bbc557f7bac00a7f20513effc
SHA1

68f208d57235e0cbebb8bd1415abccab00d392ca
SHA256

1c678700f55baca404efd850f9874737deb30f6a8c23d6f42418ec242286683d
SHA512

72a5eeffa36dcddd53a856aff766d19561deeb07ea50795b75ebbfdd3408dc1f08e8dfbc8f6ea9d20cb18467333252062edc90c5fe8e9e8a30ca4c2c4f6bc664
SSDEEP

48:qy/+4CumUZqkdlqdtK6wxxVvKUP9SSJO4lvTy/+4CumUZqkdlqdtK6wxxVvKUP9P:qy2nDclqdYxzJy2nDclqdYxzt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
272	mshta.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 272	1156	cmd.exe	29
PID 1156 wrote to memory of 272	1156	cmd.exe	29
PID 1156 wrote to memory of 272	1156	cmd.exe	29
PID 1156 wrote to memory of 272	1156	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\bsod.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bsod.hta

Filesize
1KB

MD5
cf9b7ab65c938b3dee1f3df89d615dcf

SHA1
ae9e038a015524b307588c9c4dfe02bcd94d6b86

SHA256
5254d4cbab2839f51390094d06e53749f6e1179e9851cecb6608798e1af34c65

SHA512
b6270408c87cbf2e69a6c23a61c305d81d3a6c8c5a6e6faf4aa31c03f6f631d28b62c1d26c5e7afe97adde5057dcddc877c3504b21cdb715da45992136cf7394

Download Submit