Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2023 11:00
Static task
static1
Behavioral task
behavioral1
Sample
choice.bat
Resource
win10v2004-20231215-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
choice.bat
-
Size
1KB
-
MD5
45a89332448da85857debaa797e767c2
-
SHA1
41d6ab8bbe5fe0f79796904a7d01d8a7a7118abb
-
SHA256
dd69522ed1d7535cc057563984a0adc9417da7d1993b4f27cadfe3482ca26bdb
-
SHA512
bb7b349515a826b2f7f61aff376186ba500981141d8e6a884e3b209cece36f837cf84372389175df9c0cbde2be150c18ce543323aa25644de268045f1b4dc802
Score
6/10
Malware Config
Signatures
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2398549320-3657759451-817663969-1000\desktop.ini attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI attrib.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dll attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d attrib.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll attrib.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.CoreLib.dll attrib.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerBackgroundTasks.dll attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms attrib.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar attrib.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050 attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.SPClient.Interfaces.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\895CFB3E-7D91-4491-8EB1-F9CDA37505BF\root\vfs attrib.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG attrib.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms attrib.exe File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms attrib.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES attrib.exe File opened for modification C:\Program Files\dotnet\host\fxr\8.0.0\hostfxr.dll attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH attrib.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat attrib.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.Diagram.dll attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\clrjit.dll attrib.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll attrib.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json attrib.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png attrib.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui attrib.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE attrib.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll attrib.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll attrib.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll attrib.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg attrib.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\GetHelpOffline2.png attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll attrib.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL attrib.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5076 wrote to memory of 4976 5076 cmd.exe 94 PID 5076 wrote to memory of 4976 5076 cmd.exe 94 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4976 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\choice.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\system32\attrib.exeattrib -s -h C:\* /S /D2⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Views/modifies file attributes
PID:4976
-