8619c96038ebfc4fa88d260548b4f2a91b28886aef5e52530579cf6ab8d31dec

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 17:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MAMBPREMIUM.bat
Size

2KB
MD5

8b1f87203121c964ee51efeaca70957c
SHA1

9c5b47da24e4b10cb6c100040ba5b29773b6b5b3
SHA256

8619c96038ebfc4fa88d260548b4f2a91b28886aef5e52530579cf6ab8d31dec
SHA512

64ec4da1770a8ec58f42e9394e424da6fb999469c3eefb406a8ba45e826b6a399ef446660527308a892e8d27e56e24152d793d67334ace9b6e7cb25d41e6482a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2936	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
2624	timeout.exe
2692	timeout.exe
2432	timeout.exe
2676	timeout.exe
2788	timeout.exe
2900	timeout.exe
2596	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2356	2204	cmd.exe	29
PID 2204 wrote to memory of 2356	2204	cmd.exe	29
PID 2204 wrote to memory of 2356	2204	cmd.exe	29
PID 2204 wrote to memory of 2432	2204	cmd.exe	30
PID 2204 wrote to memory of 2432	2204	cmd.exe	30
PID 2204 wrote to memory of 2432	2204	cmd.exe	30
PID 2204 wrote to memory of 2676	2204	cmd.exe	31
PID 2204 wrote to memory of 2676	2204	cmd.exe	31
PID 2204 wrote to memory of 2676	2204	cmd.exe	31
PID 2204 wrote to memory of 2720	2204	cmd.exe	32
PID 2204 wrote to memory of 2720	2204	cmd.exe	32
PID 2204 wrote to memory of 2720	2204	cmd.exe	32
PID 2204 wrote to memory of 2788	2204	cmd.exe	33
PID 2204 wrote to memory of 2788	2204	cmd.exe	33
PID 2204 wrote to memory of 2788	2204	cmd.exe	33
PID 2204 wrote to memory of 2796	2204	cmd.exe	34
PID 2204 wrote to memory of 2796	2204	cmd.exe	34
PID 2204 wrote to memory of 2796	2204	cmd.exe	34
PID 2796 wrote to memory of 2816	2796	cmd.exe	35
PID 2796 wrote to memory of 2816	2796	cmd.exe	35
PID 2796 wrote to memory of 2816	2796	cmd.exe	35
PID 2204 wrote to memory of 2764	2204	cmd.exe	36
PID 2204 wrote to memory of 2764	2204	cmd.exe	36
PID 2204 wrote to memory of 2764	2204	cmd.exe	36
PID 2204 wrote to memory of 2936	2204	cmd.exe	37
PID 2204 wrote to memory of 2936	2204	cmd.exe	37
PID 2204 wrote to memory of 2936	2204	cmd.exe	37
PID 2204 wrote to memory of 2900	2204	cmd.exe	38
PID 2204 wrote to memory of 2900	2204	cmd.exe	38
PID 2204 wrote to memory of 2900	2204	cmd.exe	38
PID 2204 wrote to memory of 2596	2204	cmd.exe	39
PID 2204 wrote to memory of 2596	2204	cmd.exe	39
PID 2204 wrote to memory of 2596	2204	cmd.exe	39
PID 2204 wrote to memory of 2708	2204	cmd.exe	40
PID 2204 wrote to memory of 2708	2204	cmd.exe	40
PID 2204 wrote to memory of 2708	2204	cmd.exe	40
PID 2204 wrote to memory of 2624	2204	cmd.exe	41
PID 2204 wrote to memory of 2624	2204	cmd.exe	41
PID 2204 wrote to memory of 2624	2204	cmd.exe	41
PID 1320 wrote to memory of 2612	1320	taskeng.exe	43
PID 1320 wrote to memory of 2612	1320	taskeng.exe	43
PID 1320 wrote to memory of 2612	1320	taskeng.exe	43
PID 2204 wrote to memory of 2692	2204	cmd.exe	45
PID 2204 wrote to memory of 2692	2204	cmd.exe	45
PID 2204 wrote to memory of 2692	2204	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MAMBPREMIUM.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2356
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2432
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2676
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /query /tn "Malwarebytes-Premium-Reset"
  2⤵
  PID:2720
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -c "[guid]::NewGuid().ToString()"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "[guid]::NewGuid().ToString()"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid" /t REG_SZ /d "bd10394e-aa2c-4b72-891c-e5e4fd5d9c34" /f
  2⤵
  PID:2764
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "Malwarebytes-Premium-Reset" /tr "\"C:\Windows\system32\cmd.exe\" /c \"echo Task executed\"" /sc daily /mo 13 /rl highest
  2⤵
  - Creates scheduled task(s)
  PID:2936
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:2900
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2596
- C:\Windows\system32\schtasks.exe
  schtasks /run /tn "Malwarebytes-Premium-Reset"
  2⤵
  PID:2708
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2624
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {D0B27862-8A29-44A1-A5FC-2D7D6E281773} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "echo Task executed"
  2⤵
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-4-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2816-5-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2816-6-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-7-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2816-9-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-8-0x0000000002A2B000-0x0000000002A92000-memory.dmp

Filesize
412KB

Download
memory/2816-10-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/2816-11-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download