Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/11/2023, 09:16

General

  • Target: calc.cmd
  • Size: 1KB
  • MD5: 8f27041298b50d88095b50462dbc4833
  • SHA1: da7323c97e509f9311a2382310ad4876f5e3ee55
  • SHA256: a760b01841a120eccc22856af1c9a8e513871366ef329502f42f9648708720ca
  • SHA512: cd24b6c4397ad925ef83842b92109ca04e6d2eb87063ac594e1a33191fd9776318acb9d0acd96c819910eb46ad2f30403ffeabb4a2534cac64fe53ccd0f02d1f

Score
7/10

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\calc.cmd"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\aec02d48-92f3-45a5-a003-051369b51928.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\aec02d48-92f3-45a5-a003-051369b51928.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4816
          • C:\Windows\system32\timeout.exe
            timeout 300
            4⤵
            • Delays execution with timeout.exe
            PID:3032
      • C:\Windows\system32\attrib.exe
        attrib -h -r /s
        2⤵
        • Views/modifies file attributes
        PID:4052
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM "news_week_6 .EXE"
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:916

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\aec02d48-92f3-45a5-a003-051369b51928.bat
            Filesize: 570B
            MD5: 42002b2920f999f12148e940a1d77135
            SHA1: 5d3f35102f291a285b2b0dceac013e68a3663cd0
            SHA256: 4793bedbb2fff22b0f559b200f99dce8c876b6470de331e8374d7a2559bf1b71
            SHA512: 7b833363fbe8e7f28f6f3df5833b8326f1bf9584ca2efb6df7eac532b5da0f6c2cd4e9f384641bf5080a760c4d51d624b18e37e64778b5d41f53d9786a03bffd

          • C:\ProgramData\aec02d48-92f3-45a5-a003-051369b51928.vbs
            Filesize: 130B
            MD5: 5a6ff314c471a1d90271fcf060de25fe
            SHA1: 2094ba74920679a97aaf188decc02179dbd398cf
            SHA256: a37140d97600573ace4fc31a9d289adcedb5c9cbfb92059b7184e46b635aaf57
            SHA512: 46fe1c925b08b83cbaba1ddc7cec0fbd7f0859c6abbee08c3fdf25f640564a18515c75ad1aad32553e90ef7a377e9c6a9e460d03c68a2badeb79e4bc5ea4c9e5