Analysis

  • max time kernel
    133s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-02-2024 19:38

Errors

Reason
Machine shutdown

General

  • Target

    start.bat

  • Size

    548B

  • MD5

    12c37bf6537bfdf93b80c31f6d1391b2

  • SHA1

    43df564e4988008f3e97167837f58f1452cf3d13

  • SHA256

    cab7b8973dd5f7252af6a1a080deec442acd1e6bdd6c7476bd73e39553751222

  • SHA512

    c59645da2377ec2eb8c4ca75174379134dc657741ee324fc6fd38170b9704852bf136a919fe0363ea85befe61e8838ef74dad07e365392d8f8f6462bb1ba75f9

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
      PID:980
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.0.1104757269\619672678" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d4ac8a1-045d-4afc-be53-4715280f9a89} 932 "\\.\pipe\gecko-crash-server-pipe.932" 1988 242ff6f1558 gpu
        3⤵
        PID:4172
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.1.1509158289\1595246535" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2352 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b55e35c-ce24-4259-a173-e18953d79883} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2392 242ff1e8058 socket
        3⤵
        • Checks processor information in registry
        PID:4560
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.2.1387686779\830135420" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2856 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5b04ff9-b380-4f11-981e-a01cb6d31007} 932 "\\.\pipe\gecko-crash-server-pipe.932" 2972 2428ad93558 tab
        3⤵
        PID:3412
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.3.839116657\1540273644" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e8ff80-db8d-4279-9d0d-4feb8549d61e} 932 "\\.\pipe\gecko-crash-server-pipe.932" 3548 2428bb05658 tab
        3⤵
        PID:3116
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.4.1718497692\1546013304" -childID 3 -isForBrowser -prefsHandle 4100 -prefMapHandle 4092 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20a09bcd-2499-4735-9492-f6706b38e2ad} 932 "\\.\pipe\gecko-crash-server-pipe.932" 4112 2428c306b58 tab
        3⤵
        PID:1184
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.7.2120261266\2078245721" -childID 6 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6f9869-4209-4a8e-bbd1-21eec567643b} 932 "\\.\pipe\gecko-crash-server-pipe.932" 5512 2428d0fcf58 tab
        3⤵
        PID:3128
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.6.789042734\1601225316" -childID 5 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f05ed13-51e7-474b-a0d1-7c8d905d8224} 932 "\\.\pipe\gecko-crash-server-pipe.932" 5320 2428d0fcc58 tab
        3⤵
        PID:3668
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="932.5.895984982\300022580" -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5192 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1116 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {397fc3b8-bcb2-4758-8d25-6adf84305f15} 932 "\\.\pipe\gecko-crash-server-pipe.932" 5204 2428d029858 tab
        3⤵
        PID:3112
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2580
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    PID:2348
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      2⤵
      PID:2328
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      PID:4488
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3188
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3990855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3964

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize: 64KB
    MD5: fc240c081ec382df4b74d591d7d37a45
    SHA1: 396e9d8accb2ff8b32e6c3957808cb87d23ad47c
    SHA256: 8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038
    SHA512: d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize: 9KB
    MD5: 7050d5ae8acfbe560fa11073fef8185d
    SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize: 1KB
    MD5: 2dd786c6ac27106a0bd3c3ca56b1bd8c
    SHA1: 9730bf52d85793cc48f02e1c37c9ed0a039b0430
    SHA256: c2e717ed7400b01cf0a44d3a131bf4c069a8899092e4ff51733679f530e6236d
    SHA512: e5c94f682e1d56b30f8624fd3c6eb1e116dde142e305712cc780868e3fdbf8f05890932cc3b5f46bfe7e1f01dc59a6b34c44a6c4c751475a0c4cecc1f1fab32f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 3c5b6bc1c5e31da1fe1903a7cd81ef55
    SHA1: 344a534593186f75dda202ef9d49b79a7a3ebe0a
    SHA256: 2e81a89bc1f720ba21f9edaa7f55ef682e0e7165804408a8db4af35db18fc614
    SHA512: 8294a71d3db1cbac1711e55cc5a85fed432093961f0768bfce0d395b35c737b929a62389890e3d26501052bcb6c8ae2aa8086ded1d264dd2cf58b6050892b0f9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\datareporting\glean\pending_pings\3f5ae1f3-de40-40c5-8a06-4d6d0a1eaea2
    Filesize: 746B
    MD5: 17ec063b6e887dad4d6c8ae3a881c52f
    SHA1: d270bbf60be040e58776e776379e991411040bc5
    SHA256: db8dfed6d1e624135eea2ea3be7084550f6adc7698325a5a6eedf8fa6bfe046f
    SHA512: 72e2b5bddd855bb49e186cd39191cedb7ef5a161cd53f892ca2a5de41b177e988d5bd0ccab1038812fb9c3f248a6d0e35e18f04aa0dc9a1710d5318c39eca298

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\datareporting\glean\pending_pings\e1da211e-2ab8-49cd-aded-785c4e42f8a6
    Filesize: 11KB
    MD5: 322e32d2db614178d429132b01e52d5c
    SHA1: af36b3b96677ca4ddb9d5413533e5c796565103e
    SHA256: f93e54a210a42e6c4e1c512610b3091466d2ad6ecaba92d2ecde152b0e4f4a72
    SHA512: 9ee8c8e61006b376db73850cb41a421c217780f95665ad5dce7178dbbd9d9a818f1d0a0f38fe69f1dd50a28e88490cd1e3d44464da48ab12d40391a716b1aec9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\prefs-1.js
    Filesize: 6KB
    MD5: c2ad7645ae088854b2cdc7e524bf7a5a
    SHA1: 6a3314b2da6df4ec058decfd43e1e8988c5c378d
    SHA256: a0ab95beee7795568b4090a91062c5bdaf796ccb9cbe8b1c38fb71207f66eb48
    SHA512: d8508ff56b6307ca1c7e07c0ed213f12c6993599b65b1b1ab8af3ec91676b9c8e9437f49918218c0da701de23e0bc1e63d127ef4430508c4f1600157dc152de8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\sessionstore.jsonlz4
    Filesize: 882B
    MD5: 4c4ae93c79fec0bd91333ea20e99382d
    SHA1: 9bd2c7635aecdcb8e1440d444e8b675bb86e2b0d
    SHA256: c72e5d62fddd712bdb05f051be71c453ca9ba3d8bdc16b6efb2cb3352d1047f6
    SHA512: 570f0b4be04fafcc0bb319e206ecfc6eae370b55ba4e11826b25536114460b7567ae72c3ca21cf9e81ee216f60ffe981a7fe353d559593eee708f00bb12b5621

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize: 184KB
    MD5: 91e2a4879f4a7d77b1152e53496bbfc4
    SHA1: f22752151ef7f6758d30891a996b7b5c30acd97c
    SHA256: 198277a9823ee89020b45bdd52bf6c13641d0b7c9127ee1603b42cbd3ebc2fae
    SHA512: 3a27afe500c522face67427db3d6611608f058432874ae9ec438b9ef9fa9db4a0c2cef49d2d2c363f8dff56f3c68525af0f6bd3dde1e0750e0977c6a28644f87