1c678700f55baca404efd850f9874737deb30f6a8c23d6f42418ec242286683d

Analysis

max time kernel
61s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

4KB
MD5

cf10498bbc557f7bac00a7f20513effc
SHA1

68f208d57235e0cbebb8bd1415abccab00d392ca
SHA256

1c678700f55baca404efd850f9874737deb30f6a8c23d6f42418ec242286683d
SHA512

72a5eeffa36dcddd53a856aff766d19561deeb07ea50795b75ebbfdd3408dc1f08e8dfbc8f6ea9d20cb18467333252062edc90c5fe8e9e8a30ca4c2c4f6bc664
SSDEEP

48:qy/+4CumUZqkdlqdtK6wxxVvKUP9SSJO4lvTy/+4CumUZqkdlqdtK6wxxVvKUP9P:qy2nDclqdYxzJy2nDclqdYxzt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 772	1908	cmd.exe	85
PID 1908 wrote to memory of 772	1908	cmd.exe	85
PID 1908 wrote to memory of 772	1908	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\bsod.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bsod.hta

Filesize
1KB

MD5
cf9b7ab65c938b3dee1f3df89d615dcf

SHA1
ae9e038a015524b307588c9c4dfe02bcd94d6b86

SHA256
5254d4cbab2839f51390094d06e53749f6e1179e9851cecb6608798e1af34c65

SHA512
b6270408c87cbf2e69a6c23a61c305d81d3a6c8c5a6e6faf4aa31c03f6f631d28b62c1d26c5e7afe97adde5057dcddc877c3504b21cdb715da45992136cf7394

Download Submit