Resubmissions
23/05/2023, 13:55
230523-q8krnsfe54 323/05/2023, 13:40
230523-qyzg3sgd21 823/05/2023, 13:38
230523-qxc8fsgd2w 823/05/2023, 12:40
230523-pwbskafc46 10Analysis
-
max time kernel
183s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
23/05/2023, 13:40
General
-
Target
test.bat
-
Size
370B
-
MD5
1157be1803e2f740eec3a0c69aa44625
-
SHA1
5963efa7895a6748e74f0aeb94a3b3856787b8c5
-
SHA256
42c77f89ea1a298098ecf3e8939f6c5ccd005742d0482047ee26fbf56728c684
-
SHA512
04d698560789eb87f9fdbc32468557d05655558d289749f263fba4cdeb26b1cf83c214c316d60184856a935a9da757a62c361ca8e41804b59606a068a18f3899
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "10\.0\.19045\."2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "6\.1\."2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.0.2056736204\821991599" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1824 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63c9bbf8-61e8-420a-8e8d-16d212654d56} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 1908 2a43158f558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.1.766586661\735772375" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a09e0490-0074-4c5e-bae4-2a85c848da12} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 2300 2a42356fb58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.2.2056841527\1776957664" -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 2884 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c792c61b-391d-4e18-a6db-0164231de4e7} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 3236 2a43047aa58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.3.1301442357\1961470523" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3348 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f91791-b51f-4992-acb0-ced20cd9b366} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 3388 2a423567858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.4.207444684\1266318060" -childID 3 -isForBrowser -prefsHandle 3984 -prefMapHandle 3980 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88a3dd06-2156-4917-a156-6105a4e6651c} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 3996 2a423562258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.5.1707633278\253304053" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5180 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03c12521-1d81-4605-bd02-bbf683700c6c} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5196 2a4367e6258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.6.567375506\666785184" -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5156 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9874865-e88b-443e-ad41-17040aa5ef67} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5140 2a4367e3258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.7.2055394457\2122861424" -childID 6 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7cbeb0f-bd18-42aa-a738-b12b01f2ea9a} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5576 2a4367e4458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.8.1204187740\1042908683" -childID 7 -isForBrowser -prefsHandle 4712 -prefMapHandle 4780 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3959aacf-1089-4f92-bfbf-511929516f39} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5884 2a423564158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.9.1803232783\112964714" -childID 8 -isForBrowser -prefsHandle 5996 -prefMapHandle 5752 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0333a99e-38b0-402d-a007-5af6eaae0684} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 6004 2a437aa3258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.10.187050472\1329608314" -childID 9 -isForBrowser -prefsHandle 6112 -prefMapHandle 6180 -prefsLen 27114 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84058d42-a524-4c8d-ba53-261e4f22f25a} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 6160 2a4378e5358 tab3⤵
-
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ToolBox.bat3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.11.950369748\835762603" -childID 10 -isForBrowser -prefsHandle 5304 -prefMapHandle 4524 -prefsLen 27250 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f16e35b-812a-4e4e-a7c7-04a2212e51c6} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 7396 2a42352d858 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ToolBox.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53f01549ee3e4c18244797530b588dad9
SHA13e87863fc06995fe4b741357c68931221d6cc0b9
SHA25636b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA51273843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
-
Filesize
3KB
MD57c187faf65e2123ff6b8564cce3487f2
SHA135dae9d77ad9b2f5156c147c09f13b615f4fd0f6
SHA256081cb8eb4a4f1ce6577387ed6683c9f1f5e5e5bf9a0d48f13f5d7f5c0c400add
SHA5128adeb4412c987529368ab387b25aff6b2a5b5f550bead4c609f206d9d504e93fbb708ed8798e58f15349c06ed3a387a9e098ebcc7e14740aee750c654bc3264e
-
Filesize
156KB
MD5717f20668390491038aa4b9865ed1579
SHA19d598b21b4a2aa9f9253a3b4c7cccd5b99af6222
SHA256459b4865c2c96da8035aeb51517c45f28b4e4dcc974fff2f7fe73a327af9449d
SHA5127b04adf7f6f07eb758c6c93b8de0f3b7f9b61296cb2e86464dbbcb02fdefb96d65218165cba71570ab0a7f09f12d9e1186bb2b444270e74c65c96e83c9e2c144
-
Filesize
12KB
MD5cc0879c3749aa1b933b5f97f6cc2470c
SHA1e1c56d56b72e97802360ee9902d7e37c5e561b83
SHA2564b607c32ad870939acda466e270ba9477ae0aa90d205e814ca998c4fe0b9cac7
SHA51284474eb8de449aa22bc954fe3acb81faaff3cdde22ffcf23fb35663d0285c52097501ca064ae75914166a9fe63411e16bfa252eba8a21ed8287bafc453e709b8
-
Filesize
12KB
MD550e9f26e1f92c60f9a04fbd8370cc88f
SHA1e6dca0bdb9ac141bf939f51d4ece45b6352357ee
SHA256806ab0a29de90887765bedc352eacab85582b1942cb022a64aa8de7efb82c2cf
SHA512e3b3c5cd98f04c3e34f009e79ad6aa07d3afa5db61dd5b9c5894e785a5101e0516d9faa307cdb8e39322b7c58a6198e1761246f2fbaffb82532d5fd5839c0791
-
Filesize
54KB
MD5b0c1dc95b02c5446c56741ce641b4c74
SHA138e77ac0e638ad9566d9e5926c29d43645727a7f
SHA256b5f22e67916a9b66a4c7b6883cc2368bb806ad945fcb87e1636601f7e2706f52
SHA51225565bbb45363bf4a3c3b1d690e0ac09006a70da4599d882b46f44c2139b9a98610b6646db8272640bb40e578298a9ac481d16081b77756c800b86734203089c
-
Filesize
204B
MD50ddb39419f005923ee2777b95e3dd524
SHA15d02d5fd182fb4af1e5f5a4d22451fba746bd0b5
SHA2561ca1d94d8fd25f3189152ac0b077e7790e4aa3d0d4cb83d2db3b9ff32c74dfba
SHA512391fb21b18e4d67baf37c7a58aee52431f23085e902a44a9bf0a68aeeb7f8672ff04276ec1f8cd4c20a6d0092b9d8f1c37ae91c9df428f44ee978829f54421c6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
144B
MD58c0f180ab73114c09b8f0c734155294d
SHA16b7fb26e9d3d1c02d71d209d6b41c1b83c883894
SHA256c3e8ca81116eed0fa9f1557c8fe468352f9622fab6768e202c0a191366f9cffb
SHA512f3350701631e87cedae3d0dd55ee525a1e330478040cd230631e248d5bce7ddbec09bcd8e376f1d2aac839cea204d4479a6a8787d83322a26b24a562d446df8a
-
Filesize
6KB
MD5631ec908c69ae41dc35db9381cdadcbe
SHA169ca4fce7650b77f982ae6676fc3c4aa219ad546
SHA256332e1ce1bbb114d821d6b0b8cb8ad74f30d9afa012b5882ad70ddaeb29457bb7
SHA512f3492499be580129a83bd06f5353da63298ebe9431a5ee6981d45b21c6af85daf49043a4a3e5dfd206f5096867e6a8cc8c7371f083f1388fa54bf5f98f055f40
-
Filesize
6KB
MD51679938e9690d1e93a9b23a47010a01e
SHA1ab15f741c237c9799c2e9575b06d87e8c7e1e87e
SHA2568170b6b322fd61f4f3aa83227460dfff61bbe206bbaf88eb25252e0b0ba9fc6e
SHA512e94687fed7d1fd93af2582fc36fa0ca091f057ace5a33f494a8bcbdca36203a2074921ae8bace1947ff8d555ebb2b1c0ab38ee967d21dd6b260ccdfdae7dea83
-
Filesize
6KB
MD598b50a3f4f68b8047534a3eec83060cd
SHA16cf8b69ee640c0c7e03f085f43ca7c0e27bca407
SHA256b0008977c6a6b990745c7bcc99b4c3024c4732ca89a43be915269888ce2dfddf
SHA512d6cf0e122f3936f28a58f769478c85472152558380f9384759bed6fd80cdb1b12f7d435705a382d106a952a605430f6ba1e11eb6fade15cb9a2c97f59e8e54a1
-
Filesize
7KB
MD5b478c29c0dbf8f79117b27d5500888dd
SHA12b461923ad1f8bbdff6a6d036138379713c3b3c6
SHA256f4382b99e138b4eee68b7eb37e62ccb575c9c8d98351a962157f9d575e5afc31
SHA5129457159b223caf9d0eeb5bcf2d4448465533ee4507f69b1add2eac69599136f19e70e0d47d19b1591a301467dff21c60b015a963cf5c388f205e5b24946a58eb
-
Filesize
7KB
MD5c8316094af0d1f6622f8cda858becda8
SHA102cbc391c65832196d47cf5f58901d2eadd14e78
SHA25699338907c844abcdd85277448b92bd0eea89790035dff70387a7f502966a3745
SHA512ff7cc6fb208255e0c251415e35c2622d6984e54c48db8c6078461946e77c72a676a7dddcb4a1ba1e07fe56c3da3a9f1bfeb38a6ec0c68136165a7827b178f8d6
-
Filesize
6KB
MD51984b45f201f1fd79d2154406648433b
SHA142f082dc6d4d43333688690bf4dfa7c7f8b618ab
SHA256000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9
SHA512e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc
-
Filesize
259B
MD5700fe59d2eb10b8cd28525fcc46bc0cc
SHA1339badf0e1eba5332bff317d7cf8a41d5860390d
SHA2564f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA5123fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4
-
Filesize
1KB
MD5b2b14974cc6e256b553b56c102acfb1e
SHA1bdef0a445f925076c7894aa85774f67d5895acc7
SHA25611e2a4d859b780c625605fd345f6f2975912c8cf3ca01ac971f9ae05f210895a
SHA512c76f04c25040794fd4631cdd5ce8129f15b30357ad7d8aea40e536646c3e8f24d8567f3ad2650a1838b939c0f9d3e7a385cbfd3a12865a6005753f4094119689
-
Filesize
1KB
MD5edb4a06fb1fbfe51dc6eeebf46fd88c1
SHA17b95a9a288318b25342048ca72f37f47d02ac183
SHA256fba71a5b8b1b976e2c18f3e98f0c46f436fbb6ced69ad051202119d699be78c6
SHA512b9fbd6eff84d746a3e5967f55e6702a44278617a62b135117b70f41b5c08a6a1fb360e3d09b13faa266517b11d29f95b711eebd34acd8ce80c16cf140bdb0b8b
-
Filesize
25KB
MD55d3eb153a189da4ffd59a301c703d29f
SHA1b96a525a710abcbd3b623d96d0ae4fe5e3da23c7
SHA256c012b5dcc4ca1f896f886e35239006804555673ef1e169f5b185268968c02e76
SHA512248f5ba51eb3b8b724f6e553f35a65ae5e2ac35c20866c722fdf66e055b04280e2d51d256dca4d2f4ca2d6b05d6f9e6e3bb27ea34ab60f36d2e0f21f9b7855cf
-
Filesize
23KB
MD59702ccb0342d9da626d302bf72049c69
SHA1924dc3a99f756b19fe5330f8f44897139b831163
SHA2560383ff399f8a67e5be01cd46edac268cd04f952c659081c79fe32d9d8865e1f5
SHA5126734d98707617840a516fb8f9fce977f1ddcf701c9ab12a07243a05beac820f0a9ad0191dd9624d476fa2cd6fc795579008e7d8ae283044de161908cf5b1cdc6
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB