Overview

overview

3

Static

static

1

12.bat

windows10-2004-x64

3

Resubmissions

20-05-2023 17:02

230520-vkggkadg24 10

20-05-2023 16:58

230520-vg8fwagc2z 3

20-05-2023 16:56

230520-vf35rsgb8s 6

Analysis

  • max time kernel
    196s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2023 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12.bat

  • Size

    49B

  • MD5

    354ee47d9b7f0877aaecd8db36e01468

  • SHA1

    9bd07f39a7b4980f4565c6a3a47f15d783707df0

  • SHA256

    6ae2b903b9e73ecac6542c15a01cfa044c06ff575b8f86e44e03140a35bea87f

  • SHA512

    20735574ef7634039d9de979e088193eb63d0682c602d2ecaa0296b72e5636de41b53a802d6ce205fc7334c7716c4add716de87205500c0384a55a5265a653f7

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\12.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Xhackerprog/XWorm
      2⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7fffd7ea46f8,0x7fffd7ea4708,0x7fffd7ea4718
        3⤵
          PID:4028
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14434320143488534477,2026631710557404915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
          3⤵
            PID:5088
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14434320143488534477,2026631710557404915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3148
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14434320143488534477,2026631710557404915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
            3⤵
              PID:3788
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14434320143488534477,2026631710557404915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
              3⤵
                PID:2160
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14434320143488534477,2026631710557404915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1116 /prefetch:1
                3⤵
                  PID:3208
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:4700
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe"
                2⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3880
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.0.1094552536\1846509089" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cb9b6ce-e553-476f-b12a-a8d6cc13a202} 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 1916 1e00d216858 gpu
                  3⤵
                    PID:4208
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.1.1289450033\474815910" -parentBuildID 20221007134813 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa835f5-b063-482f-9222-7b2b4425cacd} 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 2320 1e00c10f558 socket
                    3⤵
                      PID:4980
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.2.600807516\1011898786" -childID 1 -isForBrowser -prefsHandle 2716 -prefMapHandle 2692 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c51959-d016-494f-b6d1-d274f1ee9704} 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 1648 1e00fef4b58 tab
                      3⤵
                        PID:4824
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.3.1081644339\520896571" -childID 2 -isForBrowser -prefsHandle 2964 -prefMapHandle 2972 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1488 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72439fb0-a465-4947-98bc-51b64057b96a} 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 2724 1e00d218c58 tab
                        3⤵
                          PID:2368
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.4.2146604765\580846782" -parentBuildID 20221007134813 -prefsHandle 3044 -prefMapHandle 2608 -prefsLen 26784 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {105ad6ab-b269-4cd0-a5b3-e9d612907df6} 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 4112 1e010ef9158 gpu
                          3⤵
                            PID:4968
                      • C:\Windows\system32\taskmgr.exe
                        "C:\Windows\system32\taskmgr.exe" /4
                        1⤵
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:1720
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4580
                        • C:\Windows\system32\werfault.exe
                          werfault.exe /h /shared Global\d0f2c1fb8d604c1c880adb55a225f9e7 /t 4564 /p 3880
                          1⤵
                            PID:3408
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe"
                            1⤵
                              PID:3452
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe"
                                2⤵
                                • Checks processor information in registry
                                PID:1100
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.0.1292935439\1064433848" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232727 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb082582-7b18-424c-af43-b3350f9f0797} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 1920 2371225be58 gpu
                                  3⤵
                                    PID:4208

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                5a10efe23009825eadc90c37a38d9401

                                SHA1

                                fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

                                SHA256

                                05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

                                SHA512

                                89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                c1a3c45dc07f766430f7feaa3000fb18

                                SHA1

                                698a0485bcf0ab2a9283d4ebd31ade980b0661d1

                                SHA256

                                adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

                                SHA512

                                9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                                Filesize

                                70KB

                                MD5

                                e5e3377341056643b0494b6842c0b544

                                SHA1

                                d53fd8e256ec9d5cef8ef5387872e544a2df9108

                                SHA256

                                e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                                SHA512

                                83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                111B

                                MD5

                                285252a2f6327d41eab203dc2f402c67

                                SHA1

                                acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                SHA256

                                5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                SHA512

                                11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                3KB

                                MD5

                                f7cdfec9c04e739bc6cb84f0c01b1a00

                                SHA1

                                57384197cf8f411138fc7d0b1715e6c328e91ae2

                                SHA256

                                1048e6fe74ecad9a78854b73f6663cb4e902cbe6b510633857d70d32fbc0d874

                                SHA512

                                f9e97ac0edf8e4faee2ff90ea846d7e5e3627dc0afe84faa8156ee7813c38c41e01960b9b0ead8c892351f99005a645df7f6566eef3299980344d653ddb32ec2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                3KB

                                MD5

                                9fd064fe29366201ee0c86cdc3315540

                                SHA1

                                1dfaca2429e79fd40da0ed7140d819bac4820924

                                SHA256

                                a97df1fe32900f70691a52ca78aa0185a91bff434ed89316105c564f95861460

                                SHA512

                                71307df511ed904d192a239debf64d2c0facc7745a8e7c573f3eeb6a7a13c1fd10107a8535583f5f3d09e44e4e736e5eb43c2fc08bb807f96d4efd76bb26eab4

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                3KB

                                MD5

                                7070b0c0ee3880f7e9fe9da1b9db138f

                                SHA1

                                dee4d063b6b433ae84b78f99846613a69ab1aad1

                                SHA256

                                412c60b5df62e5797456b82c54b5bdc4d51b9922982c36ab87e50dfed35672ba

                                SHA512

                                070f683e996c7fd8d375396be297f1cef89ede87c9eafd05e225ad270d3646657789dab99037eec4bfdfb2f5493056873995f33bdcc44950ec367264a7bb6fe0

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js
                                Filesize

                                6KB

                                MD5

                                fcd5f37e5e4066f7cffe8eb106b6ce19

                                SHA1

                                b0a1c4d3d5c96271429fb09cb71055d177c13402

                                SHA256

                                38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

                                SHA512

                                afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js
                                Filesize

                                6KB

                                MD5

                                fcd5f37e5e4066f7cffe8eb106b6ce19

                                SHA1

                                b0a1c4d3d5c96271429fb09cb71055d177c13402

                                SHA256

                                38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

                                SHA512

                                afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json
                                Filesize

                                53B

                                MD5

                                ea8b62857dfdbd3d0be7d7e4a954ec9a

                                SHA1

                                b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                SHA256

                                792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                SHA512

                                076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json.tmp
                                Filesize

                                53B

                                MD5

                                ea8b62857dfdbd3d0be7d7e4a954ec9a

                                SHA1

                                b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                SHA256

                                792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                SHA512

                                076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionCheckpoints.json.tmp
                                Filesize

                                53B

                                MD5

                                ea8b62857dfdbd3d0be7d7e4a954ec9a

                                SHA1

                                b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

                                SHA256

                                792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

                                SHA512

                                076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

                                Download Submit

                              • memory/1720-162-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-210-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-209-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-212-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-211-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-213-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-207-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-208-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-166-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1720-161-0x000002A6B0990000-0x000002A6B0991000-memory.dmp

                                Filesize

                                4KB

                                Download