Analysis
-
max time kernel
127s -
max time network
141s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
12-05-2023 12:42
Static task
static1
Behavioral task
behavioral1
Sample
moi.bat
Resource
win10-20230220-en
General
-
Target
moi.bat
-
Size
1B
-
MD5
0cc175b9c0f1b6a831c399e269772661
-
SHA1
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8
-
SHA256
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
-
SHA512
1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75
Malware Config
Signatures
-
Drops file in Windows directory 2 IoCs
Processes:
taskmgr.exedescription ioc process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies data under HKEY_USERS 2 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1e\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache svchost.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4944 WINWORD.EXE 4944 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
taskmgr.exepid process 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 4192 taskmgr.exe Token: SeSystemProfilePrivilege 4192 taskmgr.exe Token: SeCreateGlobalPrivilege 4192 taskmgr.exe Token: 33 4192 taskmgr.exe Token: SeIncBasePriorityPrivilege 4192 taskmgr.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
Processes:
taskmgr.exepid process 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe -
Suspicious use of SendNotifyMessage 44 IoCs
Processes:
taskmgr.exepid process 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe 4192 taskmgr.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4944 WINWORD.EXE 4944 WINWORD.EXE 4944 WINWORD.EXE 4944 WINWORD.EXE 4944 WINWORD.EXE 4944 WINWORD.EXE 4944 WINWORD.EXE
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\moi.bat"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -s CryptSvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177Filesize
442B
MD575460c626cc6f16b07678e1edb4724bc
SHA1f5a800cc32294a0d31ae9e252827d80b2d49eea7
SHA256417700d868aad8d62c9f184b90b4b3d3a1ed2fa756ff42e1e5d5c556dc73f869
SHA512e6517f16d351f82bcd3cd8fd130412951ad7e8efa6ccd7f2501e30eb77f4462dd2c27e1497c6282d828c8bf96f9b57e7de80dd55c2ac6aef4798a8e6b6e713c1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
224B
MD5e66d36cbcfd69fdf8db6e5c649137ef1
SHA1c1ce08cca33347fe58f95f78f61c31ac6501f511
SHA25615376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4
SHA51278a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc
-
memory/4152-303-0x000001E2C2590000-0x000001E2C25A0000-memory.dmpFilesize
64KB
-
memory/4152-297-0x000001E2C2500000-0x000001E2C2510000-memory.dmpFilesize
64KB
-
memory/4944-131-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-135-0x00007FFF81C10000-0x00007FFF81C20000-memory.dmpFilesize
64KB
-
memory/4944-134-0x00007FFF81C10000-0x00007FFF81C20000-memory.dmpFilesize
64KB
-
memory/4944-128-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-130-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-371-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-372-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-373-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-374-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB
-
memory/4944-129-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmpFilesize
64KB