Overview

overview

3

Static

static

3

WINPG_V4_2...32.dll

windows7-x64

1

WINPG_V4_2...32.dll

windows10-2004-x64

1

WINPG_V4_2...64.dll

windows7-x64

1

WINPG_V4_2...64.dll

windows10-2004-x64

1

WINPG_V4_2...32.exe

windows7-x64

1

WINPG_V4_2...32.exe

windows10-2004-x64

1

WINPG_V4_2...64.exe

windows7-x64

1

WINPG_V4_2...64.exe

windows10-2004-x64

1

WINPG_V4_2...de.bat

windows7-x64

1

WINPG_V4_2...de.bat

windows10-2004-x64

1

WINPG_V4_2...32.bat

windows7-x64

1

WINPG_V4_2...32.bat

windows10-2004-x64

1

WINPG_V4_2...BG.bat

windows7-x64

1

WINPG_V4_2...BG.bat

windows10-2004-x64

1

WINPG_V4_2...TL.bat

windows7-x64

1

WINPG_V4_2...TL.bat

windows10-2004-x64

1

WINPG_V4_2...64.bat

windows7-x64

1

WINPG_V4_2...64.bat

windows10-2004-x64

1

WINPG_V4_2...BG.bat

windows7-x64

1

WINPG_V4_2...BG.bat

windows10-2004-x64

1

WINPG_V4_2...TL.bat

windows7-x64

1

WINPG_V4_2...TL.bat

windows10-2004-x64

1

WINPG_V4_2...32.exe

windows10-2004-x64

1

WINPG_V4_2...64.exe

windows10-2004-x64

1

WINPG_V4_2...64.sys

windows7-x64

1

WINPG_V4_2...64.sys

windows10-2004-x64

1

WINPG_V4_2...86.sys

windows7-x64

1

WINPG_V4_2...86.sys

windows10-2004-x64

1

WINPG_V4_2...64.sys

windows10-2004-x64

1

WINPG_V4_2...86.sys

windows10-2004-x64

1

WINPG_V4_2...64.sys

windows10-2004-x64

1

WINPG_V4_2...86.sys

windows10-2004-x64

1

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2023, 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WINPG_V4_279/WINPG32_DBG.bat

  • Size

    583B

  • MD5

    d33e91c2b096699ff2cf20ae35f2d441

  • SHA1

    93f9e0162e10f411b548fb898c52149265f94a7b

  • SHA256

    784760b7a09a1aacd36180d0f5e7081a9b53e59a49a70de3d7a2b8fbff25c69e

  • SHA512

    bc38562af5c39d9307c735f674fb86d4ca23304e985ddd7a5621a282177b6fc3435e4973f9f2f187cfea4a5184151851518dca6c10efdf6408e90600b37cdf6b

Score
1/10

Malware Config

Signatures

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs net.exe
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WINPG_V4_279\WINPG32_DBG.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\system32\net.exe
      net stop DashClientService
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop DashClientService
        3⤵
          PID:4540
      • C:\Users\Admin\AppData\Local\Temp\WINPG_V4_279\devcon32.exe
        devcon32.exe disable "PCI\VEN_10EC&DEV_8131" "PCI\VEN_10EC&DEV_8136" "PCI\VEN_10EC&DEV_8137" "PCI\VEN_10EC&DEV_8168" "PCI\VEN_10EC&DEV_8161" "PCI\VEN_10EC&DEV_8169" "PCI\VEN_10EC&DEV_8167" "PCI\VEN_10EC&DEV_8125" "PCI\VEN_10EC&DEV_8162" "PCI\VEN_10EC&DEV_8126"
        2⤵
        • Checks SCSI registry key(s)
        PID:1640
      • C:\Users\Admin\AppData\Local\Temp\WINPG_V4_279\RTNicPgW32.exe
        RTNicPgW32.exe /efuse /r /rtkdbg
        2⤵
          PID:4652
        • C:\Users\Admin\AppData\Local\Temp\WINPG_V4_279\devcon32.exe
          devcon32.exe rescan
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3272
        • C:\Users\Admin\AppData\Local\Temp\WINPG_V4_279\devcon32.exe
          devcon32.exe enable "PCI\VEN_10EC&DEV_8131" "PCI\VEN_10EC&DEV_8136" "PCI\VEN_10EC&DEV_8137" "PCI\VEN_10EC&DEV_8168" "PCI\VEN_10EC&DEV_8161" "PCI\VEN_10EC&DEV_8169" "PCI\VEN_10EC&DEV_8167" "PCI\VEN_10EC&DEV_8125" "PCI\VEN_10EC&DEV_8162" "PCI\VEN_10EC&DEV_8126"
          2⤵
          • Checks SCSI registry key(s)
          PID:3196
        • C:\Windows\system32\net.exe
          net start DashClientService
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:716
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start DashClientService
            3⤵
              PID:2788
          • C:\Windows\system32\find.exe
            find 2.txt "Result = 0x0"
            2⤵
              PID:4140

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\WINPG_V4_279\2.txt
            Filesize

            890B

            MD5

            cd3368d2c62cde6ecffe24bbcb210ddf

            SHA1

            9457292b9da764c2c23fb3c32f510f0f0cf80b89

            SHA256

            a140fd8a8522095a9e55a2f1dcfbee8c70af6238910bf081f9b82b0bb55948aa

            SHA512

            3fdcbb27262743b814839c0c9c6c37e065c95fa4e3d50bda1d5600974f1c806338298e4954188ea401f47316a78641cc660d2ea9357c79604b05f6a91e4bc7d1

            Download Submit