Analysis Overview
SHA256
e0134835020ff6c813e46ba7b1aa3cd8c877ada7e716b7793e7f1df6d3978b31
Threat Level: Known bad
The file partyparrot.bat was found to be: Known bad.
Malicious Activity Summary
Kinsing
Drops file in Windows directory
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:39
Reported
2024-01-25 17:42
Platform
win11-20231222-en
Max time kernel
86s
Max time network
151s
Command Line
Signatures
Kinsing
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3720 wrote to memory of 4628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 3720 wrote to memory of 4628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 3720 wrote to memory of 3740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 3720 wrote to memory of 3740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\partyparrot.bat"
C:\Windows\system32\timeout.exe
timeout 7
C:\Windows\system32\curl.exe
curl parrot.live
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:49753 | N/A | tcp |
| US | 8.8.8.8:53 | parrot.live | udp |
| SG | 206.189.36.145:80 | parrot.live | tcp |
| GB | 92.123.26.209:443 | N/A | tcp |
| US | 13.89.179.9:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.186:443 | r.bing.com | tcp |
| GB | 92.123.128.186:443 | r.bing.com | tcp |
| GB | 92.123.128.186:443 | r.bing.com | tcp |
| GB | 92.123.128.186:443 | r.bing.com | tcp |
| GB | 92.123.128.186:443 | r.bing.com | tcp |
| GB | 92.123.128.186:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |