Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2023, 16:54

General

  • Target

    FADTQWERT.bat.exe

  • Size

    1.0MB

  • MD5

    c200bdcd9c827ad9c878f61a6e80b2ee

  • SHA1

    730d6b83b8af8d7b6740020d0e44466c2192f6ee

  • SHA256

    fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd

  • SHA512

    a5dd81fe25aa643c94f5e098e17fc2ce9a929141ea3a470245986e3e5fb8d9da8c014f6649a70816f8d1338b043a09caea69193f627f8c1bf351becb8d76de43

  • SSDEEP

    24576:KgCKtD/61Idz9KOXdI0YBt68T1U3FMztS5aV3+2rN87:X6Kzj+0YBt68+3FMKaO2h87

Score
3/10

Signatures

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp899A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2628
    • C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
      2⤵
      PID:2484
    • C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
      2⤵
      PID:2492
    • C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
      2⤵
      PID:2516
    • C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
      2⤵
      PID:2540
    • C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"
      2⤵
      PID:3016

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp899A.tmp

    Filesize

    1KB

    MD5

    e26c9dbf42218c0a87338a6db4dbc72b

    SHA1

    fe1066bcf7a6c642433d652d6a709088f7330fa6

    SHA256

    2ee71bede5aa73ed771fa2ae4ea5766c093d3f57c5c48441a2e6f92c7fd81c6e

    SHA512

    19c782f61e2178827adaa5b363ef8c08cf012611ec5a04a5c0043b56ad42d6de778188ab7a55396b47fa9a8410cda85036c1ff234cf549309719a847b5704bf2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    acdd4ad869d0c66556d0852baf386a5f

    SHA1

    4c62319ce57c3cac4c55b864f7407c3b9aed3511

    SHA256

    8592d77fc8d8ad3dab0519b91556cd840f6cb940c65f4f2c3bc06ee353654a31

    SHA512

    c93dd87ef534ac49c2ffcfcf81423703fcd4008f387a67fa22358e87fa5127e771a464241f310a6378670937fdd7234bb7b200ac5eb289b3db65b139d121c56a

  • memory/2372-19-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2372-0-0x0000000000190000-0x000000000029E000-memory.dmp

    Filesize

    1.1MB

  • memory/2372-5-0x00000000003C0000-0x00000000003CA000-memory.dmp

    Filesize

    40KB

  • memory/2372-6-0x00000000052F0000-0x00000000053A8000-memory.dmp

    Filesize

    736KB

  • memory/2372-3-0x0000000000380000-0x0000000000398000-memory.dmp

    Filesize

    96KB

  • memory/2372-2-0x0000000004780000-0x00000000047C0000-memory.dmp

    Filesize

    256KB

  • memory/2372-1-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2372-4-0x00000000003B0000-0x00000000003B8000-memory.dmp

    Filesize

    32KB

  • memory/2616-20-0x000000006FCA0000-0x000000007024B000-memory.dmp

    Filesize

    5.7MB

  • memory/2616-26-0x000000006FCA0000-0x000000007024B000-memory.dmp

    Filesize

    5.7MB

  • memory/2616-22-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

  • memory/2616-23-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

  • memory/2616-24-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

  • memory/2616-27-0x000000006FCA0000-0x000000007024B000-memory.dmp

    Filesize

    5.7MB

  • memory/2724-21-0x000000006FCA0000-0x000000007024B000-memory.dmp

    Filesize

    5.7MB

  • memory/2724-25-0x0000000002420000-0x0000000002460000-memory.dmp

    Filesize

    256KB

  • memory/2724-28-0x000000006FCA0000-0x000000007024B000-memory.dmp

    Filesize

    5.7MB