Analysis

  • max time kernel
    83s
  • max time network
    90s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2024 08:14

Errors

Reason
Machine shutdown: the sample's own "shutdown /r" (PID 936 in the process list) rebooted the analysis VM, so the run ended early and nothing after the reboot was captured.

General

  • Target

    0 - GOS CONNECT.bat

  • Size

    6KB

  • MD5

    53c17e0a3a08766db5abf1ecf0b1e17f

  • SHA1

    44f0963e050ee52b7ba489c2594c10f764c49639

  • SHA256

    0b46e3c19fa4c97f25e7fa8c08e9d93ce6f2f5f8869281f4539e2e7b3fbb219e

  • SHA512

    97ccd16ca349cac05f1b2b9ab1cd87a7c8c97e06d5fed353626b8a9bf9e46fbc31c11b14d3c0288198170e69c6ba68d655b891cb36e05b762bc7848da48cbdaf

  • SSDEEP

    96:MfHeI8wuookU7kz4ZU3wMO/wO/7Xszs5BMn:ceIBqkUZH1rGn

Score
8/10

Signatures

  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Gathers network information (2 TTPs, 1 IoC)

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0 - GOS CONNECT.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
      PID:4204
    • C:\Windows\system32\mode.com
      mode con: cols=86 lines=32
      2⤵
      PID:4604
    • C:\Windows\system32\PING.EXE
      ping www.google.com
      2⤵
      • Runs ping.exe
      PID:4592
    • C:\Windows\system32\netsh.exe
      netsh firewall set opmode disable
      2⤵
      • Modifies Windows Firewall
      PID:2268
    • C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      2⤵
      • Gathers network information
      PID:1020
    • C:\Windows\system32\netsh.exe
      netsh winsock reset
      2⤵
      PID:3472
    • C:\Windows\system32\shutdown.exe
      shutdown /r
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:936
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b9055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4984
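The process list above is the entire observable behaviour of the batch file: cacls.exe against the SYSTEM hive (the usual batch-file test for elevation, since a non-administrator gets "Access is denied"), a ping to www.google.com as a connectivity check, the legacy "netsh firewall set opmode disable" (deprecated since Windows 7 but still accepted), a DNS cache flush, a Winsock reset, and a forced reboot, which is what needs SeShutdownPrivilege and explains the AdjustPrivilegeToken signature. LogonUI.exe is a top-level process, not a child of the script. The Python below is an added example, not part of the report or of the sample: it rebuilds the tree from constructed process-creation events copied from the list (the parent PID 100 for the two top-level processes, the benign "fixnet.bat" events, the rule weights and the threshold are all assumptions for the example) and scores the children of any cmd.exe that was launched to run a .bat, so that a one-off firewall disable and reboot stands out while a repair script that only flushes DNS and resets Winsock does not.

```python
import re

# Constructed process-creation events (a subset of the fields in Sysmon Event ID 1
# or Windows 4688), modelled on the process list in the report. PIDs, images and
# command lines are copied from the report; the parent PID 100 given to the two
# top-level processes is an assumption the report does not show.
SAMPLE_EVENTS = [
    {"pid": 568, "ppid": 100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0 - GOS CONNECT.bat"'},
    {"pid": 4204, "ppid": 568, "image": r"C:\Windows\system32\cacls.exe",
     "cmdline": r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"'},
    {"pid": 4604, "ppid": 568, "image": r"C:\Windows\system32\mode.com",
     "cmdline": "mode con: cols=86 lines=32"},
    {"pid": 4592, "ppid": 568, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "ping www.google.com"},
    {"pid": 2268, "ppid": 568, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh firewall set opmode disable"},
    {"pid": 1020, "ppid": 568, "image": r"C:\Windows\system32\ipconfig.exe",
     "cmdline": "ipconfig /flushdns"},
    {"pid": 3472, "ppid": 568, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh winsock reset"},
    {"pid": 936, "ppid": 568, "image": r"C:\Windows\system32\shutdown.exe",
     "cmdline": "shutdown /r"},
    {"pid": 4984, "ppid": 100, "image": r"C:\Windows\system32\LogonUI.exe",
     "cmdline": '"LogonUI.exe" /flags:0x4 /state0:0xa39b9055 /state1:0x41c64e6d'},
]

# Constructed events for a hypothetical benign network-repair script, to show
# that the low-weight rules on their own do not reach the threshold.
BENIGN_REPAIR_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\fixnet.bat"'},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\system32\ipconfig.exe",
     "cmdline": "ipconfig /flushdns"},
    {"pid": 12, "ppid": 10, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh winsock reset"},
]

# (rule name, pattern, weight). Weights and SUSPICIOUS_THRESHOLD are hypothetical
# values chosen for this example, not taken from any product or from the report.
RULES = [
    # legacy "netsh firewall" context (deprecated, still accepted) or advfirewall
    ("firewall_disabled",
     re.compile(r"netsh\s+(firewall\s+set\s+opmode\s+(mode=)?disable|advfirewall\s+set\s+\w+\s+state\s+off)", re.I), 4),
    ("forced_reboot", re.compile(r"shutdown(\.exe)?\s+.*/r", re.I), 2),
    # cacls on the SYSTEM hive is the common batch-file "am I elevated?" check
    ("admin_check_cacls", re.compile(r'cacls(\.exe)?"?\s+"?.*\\config\\system', re.I), 1),
    ("winsock_reset", re.compile(r"netsh\s+winsock\s+reset", re.I), 1),
    ("dns_flush", re.compile(r"ipconfig\s+/flushdns", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 5  # firewall rule plus any context, or reboot plus three context hits
BATCH_LAUNCH = re.compile(r'\.(bat|cmd)"?\s*$', re.I)  # cmd.exe launched to run a script


def children_of(events, ppid):
    return [e for e in events if e["ppid"] == ppid]


def render_tree(events, root_ppid, depth=0):
    """Return the process tree under root_ppid as indented 'pid image' lines."""
    lines = []
    for e in children_of(events, root_ppid):
        lines.append("  " * depth + f"{e['pid']} {e['image'].rsplit(chr(92), 1)[-1]}")
        lines.extend(render_tree(events, e["pid"], depth + 1))
    return lines


def analyse_script_host(events):
    """Score the direct children of every cmd.exe that was launched to run a .bat/.cmd."""
    findings = []
    for parent in events:
        if not BATCH_LAUNCH.search(parent["cmdline"]):
            continue
        hits = [(name, child["pid"], weight)
                for child in children_of(events, parent["pid"])
                for name, rx, weight in RULES
                if rx.search(child["cmdline"])]
        findings.append({"pid": parent["pid"], "script": parent["cmdline"],
                         "hits": hits, "score": sum(w for _, _, w in hits)})
    return findings


def verdict(finding):
    return "suspicious" if finding["score"] >= SUSPICIOUS_THRESHOLD else "low"


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS, 100)))
    for f in analyse_script_host(SAMPLE_EVENTS) + analyse_script_host(BENIGN_REPAIR_EVENTS):
        print(f"PID {f['pid']} score={f['score']} verdict={verdict(f)} hits={[h[0] for h in f['hits']]}")
```

Scoring only the direct children of the script host keeps LogonUI.exe (a sibling, not a descendant) out of the verdict, which is the same distinction the "1⤵"/"2⤵" depth markers make in the list above; on real telemetry the same function would be run over Sysmon Event ID 1 records keyed on ProcessId and ParentProcessId.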
