Analysis
- max time kernel: 23s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 06-02-2024 19:46

Static task: static1
Behavioral task: behavioral1
- Sample: documents.bat.exe
- Resource: win7-20231215-en
General
- Target: documents.bat.exe
- Size: 877KB
- MD5: 173aa6b5c260b3e19f1b979f054b02b0
- SHA1: 9ea4da05677968a322acf4330699e76b31676130
- SHA256: 0dd421edda69a829b7b9d025fd81f947085c0b3a54d9025312823a56c2b5df83
- SHA512: 29415d7778eb7d1275815f1bcee0c3f0613f300df29172ab03d63c119491af6ced57c25c39ed27e010c0e7ce7be87de216bf2757480db9fd392b95c1f8282d51
- SSDEEP: 24576:L/UAc8bshd1ixMpqvhnjqJR33ulonktC+FMIpSmUrSGG:L/U8bI1+MMv5YwloWCZU0m7
Malware Config
Extracted: darkcloud
- email_from
- email_to
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  - 3020, documents.bat.exe
  - 3020, documents.bat.exe
  - 3020, documents.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3020, documents.bat.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 3020 wrote to memory of 2452, 3020, documents.bat.exe, powershell.exe
  - PID 3020 wrote to memory of 2452, 3020, documents.bat.exe, powershell.exe
  - PID 3020 wrote to memory of 2452, 3020, documents.bat.exe, powershell.exe
  - PID 3020 wrote to memory of 2452, 3020, documents.bat.exe, powershell.exe
  - PID 3020 wrote to memory of 2796, 3020, documents.bat.exe, schtasks.exe
  - PID 3020 wrote to memory of 2796, 3020, documents.bat.exe, schtasks.exe
  - PID 3020 wrote to memory of 2796, 3020, documents.bat.exe, schtasks.exe
  - PID 3020 wrote to memory of 2796, 3020, documents.bat.exe, schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\documents.bat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\documents.bat.exe"
  PID: 3020
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2704
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2840
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTIDCEmUa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DB1.tmp"
    PID: 2796
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sTIDCEmUa.exe"
    PID: 2452
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b2d80f26b8e883149a8eb2dbcd30e655
  SHA1: 77f8795011a14ae1962d61a717f010ee8710b59b
  SHA256: 0fff3ff3a4f178d583c09bccaa02a75c62a264d973ea41e34c315d359a00ca55
  SHA512: 9e5aa51f1115c31a7cdb35c67a30d53e2cb169818c1a67bee9d86f7fc8024c3952c6192c15ebb2e124967ab0ddb05e1f7214df52b3e6bb21f3b92287d0a9821c