Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2023, 16:54

Static task
- static1

Behavioral task
- behavioral1
  Sample: FADTQWERT.bat.exe
  Resource: win7-20231023-en

Behavioral task
- behavioral2
  Sample: FADTQWERT.bat.exe
  Resource: win10v2004-20231201-en
General
- Target: FADTQWERT.bat.exe
- Size: 1.0MB
- MD5: c200bdcd9c827ad9c878f61a6e80b2ee
- SHA1: 730d6b83b8af8d7b6740020d0e44466c2192f6ee
- SHA256: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
- SHA512: a5dd81fe25aa643c94f5e098e17fc2ce9a929141ea3a470245986e3e5fb8d9da8c014f6649a70816f8d1338b043a09caea69193f627f8c1bf351becb8d76de43
- SSDEEP: 24576:KgCKtD/61Idz9KOXdI0YBt68T1U3FMztS5aV3+2rN87:X6Kzj+0YBt68+3FMKaO2h87
Malware Config

Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID  | Process
  2628 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  PID  | Process
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2372 | FADTQWERT.bat.exe
  2616 | powershell.exe
  2724 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description             | PID  | Process
  Token: SeDebugPrivilege | 2372 | FADTQWERT.bat.exe
  Token: SeDebugPrivilege | 2616 | powershell.exe
  Token: SeDebugPrivilege | 2724 | powershell.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  Description                      | PID  | Process           | Target procid
  PID 2372 wrote to memory of 2616 | 2372 | FADTQWERT.bat.exe | 28
  PID 2372 wrote to memory of 2616 | 2372 | FADTQWERT.bat.exe | 28
  PID 2372 wrote to memory of 2616 | 2372 | FADTQWERT.bat.exe | 28
  PID 2372 wrote to memory of 2616 | 2372 | FADTQWERT.bat.exe | 28
  PID 2372 wrote to memory of 2724 | 2372 | FADTQWERT.bat.exe | 30
  PID 2372 wrote to memory of 2724 | 2372 | FADTQWERT.bat.exe | 30
  PID 2372 wrote to memory of 2724 | 2372 | FADTQWERT.bat.exe | 30
  PID 2372 wrote to memory of 2724 | 2372 | FADTQWERT.bat.exe | 30
  PID 2372 wrote to memory of 2628 | 2372 | FADTQWERT.bat.exe | 31
  PID 2372 wrote to memory of 2628 | 2372 | FADTQWERT.bat.exe | 31
  PID 2372 wrote to memory of 2628 | 2372 | FADTQWERT.bat.exe | 31
  PID 2372 wrote to memory of 2628 | 2372 | FADTQWERT.bat.exe | 31
  PID 2372 wrote to memory of 2484 | 2372 | FADTQWERT.bat.exe | 34
  PID 2372 wrote to memory of 2484 | 2372 | FADTQWERT.bat.exe | 34
  PID 2372 wrote to memory of 2484 | 2372 | FADTQWERT.bat.exe | 34
  PID 2372 wrote to memory of 2484 | 2372 | FADTQWERT.bat.exe | 34
  PID 2372 wrote to memory of 2492 | 2372 | FADTQWERT.bat.exe | 35
  PID 2372 wrote to memory of 2492 | 2372 | FADTQWERT.bat.exe | 35
  PID 2372 wrote to memory of 2492 | 2372 | FADTQWERT.bat.exe | 35
  PID 2372 wrote to memory of 2492 | 2372 | FADTQWERT.bat.exe | 35
  PID 2372 wrote to memory of 2516 | 2372 | FADTQWERT.bat.exe | 36
  PID 2372 wrote to memory of 2516 | 2372 | FADTQWERT.bat.exe | 36
  PID 2372 wrote to memory of 2516 | 2372 | FADTQWERT.bat.exe | 36
  PID 2372 wrote to memory of 2516 | 2372 | FADTQWERT.bat.exe | 36
  PID 2372 wrote to memory of 2540 | 2372 | FADTQWERT.bat.exe | 37
  PID 2372 wrote to memory of 2540 | 2372 | FADTQWERT.bat.exe | 37
  PID 2372 wrote to memory of 2540 | 2372 | FADTQWERT.bat.exe | 37
  PID 2372 wrote to memory of 2540 | 2372 | FADTQWERT.bat.exe | 37
  PID 2372 wrote to memory of 3016 | 2372 | FADTQWERT.bat.exe | 38
  PID 2372 wrote to memory of 3016 | 2372 | FADTQWERT.bat.exe | 38
  PID 2372 wrote to memory of 3016 | 2372 | FADTQWERT.bat.exe | 38
  PID 2372 wrote to memory of 3016 | 2372 | FADTQWERT.bat.exe | 38
Processes
- C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe (PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2616)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2724)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 2628)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp899A.tmp"
    Signatures:
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe (PID 2484)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

  - C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe (PID 2492)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

  - C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe (PID 2516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

  - C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe (PID 2540)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

  - C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe (PID 3016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e26c9dbf42218c0a87338a6db4dbc72b
  SHA1: fe1066bcf7a6c642433d652d6a709088f7330fa6
  SHA256: 2ee71bede5aa73ed771fa2ae4ea5766c093d3f57c5c48441a2e6f92c7fd81c6e
  SHA512: 19c782f61e2178827adaa5b363ef8c08cf012611ec5a04a5c0043b56ad42d6de778188ab7a55396b47fa9a8410cda85036c1ff234cf549309719a847b5704bf2

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: acdd4ad869d0c66556d0852baf386a5f
  SHA1: 4c62319ce57c3cac4c55b864f7407c3b9aed3511
  SHA256: 8592d77fc8d8ad3dab0519b91556cd840f6cb940c65f4f2c3bc06ee353654a31
  SHA512: c93dd87ef534ac49c2ffcfcf81423703fcd4008f387a67fa22358e87fa5127e771a464241f310a6378670937fdd7234bb7b200ac5eb289b3db65b139d121c56a