Overview

overview

4

Static

static

1

moi.bat

windows10-1703-x64

4

Analysis

  • max time kernel
    127s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-05-2023 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    moi.bat

  • Size

    1B

  • MD5

    0cc175b9c0f1b6a831c399e269772661

  • SHA1

    86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

  • SHA256

    ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

  • SHA512

    1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\moi.bat"
    1⤵
      PID:4744
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4192
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4944
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService -s CryptSvc
      1⤵
      • Modifies data under HKEY_USERS
      PID:4152
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2692

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
        Filesize

        442B

        MD5

        75460c626cc6f16b07678e1edb4724bc

        SHA1

        f5a800cc32294a0d31ae9e252827d80b2d49eea7

        SHA256

        417700d868aad8d62c9f184b90b4b3d3a1ed2fa756ff42e1e5d5c556dc73f869

        SHA512

        e6517f16d351f82bcd3cd8fd130412951ad7e8efa6ccd7f2501e30eb77f4462dd2c27e1497c6282d828c8bf96f9b57e7de80dd55c2ac6aef4798a8e6b6e713c1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        224B

        MD5

        e66d36cbcfd69fdf8db6e5c649137ef1

        SHA1

        c1ce08cca33347fe58f95f78f61c31ac6501f511

        SHA256

        15376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4

        SHA512

        78a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc

        Download Submit
      • memory/4152-303-0x000001E2C2590000-0x000001E2C25A0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4152-297-0x000001E2C2500000-0x000001E2C2510000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-131-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-135-0x00007FFF81C10000-0x00007FFF81C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-134-0x00007FFF81C10000-0x00007FFF81C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-128-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-130-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-371-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-372-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-373-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-374-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4944-129-0x00007FFF847C0000-0x00007FFF847D0000-memory.dmp
        Filesize

        64KB

        Download