Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/02/2024, 15:41 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: Launch.bat
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Launch.bat
  Resource: win10v2004-20240221-en
General
Target: Launch.bat
Size: 19KB
MD5: 87739439d2217d83e15f1389549e41c9
SHA1: 567be03f8cf4425de8e1e5c274efc959d54ca231
SHA256: c281b1d9b9d1f59fbde5d9042295fce56f7d4040fb3ef6fc389f0a49d5c53eac
SHA512: bcae0632fecb4ab8a4a4715d022eb800020361e930102310c5631c7bdf28ddcaf382084bc20b64b9094cd9d68383b9e3db5ab9aec993181b74e1a4635f342254
SSDEEP: 384:UHpBGx8L4FUsPEBcM+6Rdi5jsTnE7H8r2:WpBGx88FUsPf6Rg5j4EHB
Malware Config
Signatures
Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   process   procid_target
  PID 4960 wrote to memory of 1368   4960  cmd.exe   89
  PID 4960 wrote to memory of 1368   4960  cmd.exe   89
  PID 4960 wrote to memory of 1316   4960  cmd.exe   90
  PID 4960 wrote to memory of 1316   4960  cmd.exe   90
  PID 4960 wrote to memory of 3332   4960  cmd.exe   91
  PID 4960 wrote to memory of 3332   4960  cmd.exe   91
  PID 4960 wrote to memory of 2320   4960  cmd.exe   92
  PID 4960 wrote to memory of 2320   4960  cmd.exe   92
  PID 4960 wrote to memory of 4932   4960  cmd.exe   93
  PID 4960 wrote to memory of 4932   4960  cmd.exe   93
  PID 4960 wrote to memory of 1168   4960  cmd.exe   94
  PID 4960 wrote to memory of 1168   4960  cmd.exe   94
  PID 4960 wrote to memory of 2524   4960  cmd.exe   95
  PID 4960 wrote to memory of 2524   4960  cmd.exe   95
  PID 4960 wrote to memory of 3212   4960  cmd.exe   96
  PID 4960 wrote to memory of 3212   4960  cmd.exe   96
  PID 4960 wrote to memory of 4708   4960  cmd.exe   97
  PID 4960 wrote to memory of 4708   4960  cmd.exe   97
Processes
C:\Windows\system32\cmd.exe  (PID 4960)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launch.bat"
  signatures: Suspicious use of WriteProcessMemory
  children:
    C:\Windows\system32\chcp.com  (PID 1368)
      command line: chcp.com 437
    C:\Windows\system32\find.exe  (PID 1316)
      command line: find
    C:\Windows\system32\cmd.exe  (PID 3332)
      command line: C:\Windows\system32\cmd.exe /c type tmp
    C:\Windows\system32\find.exe  (PID 2320)
      command line: find
    C:\Windows\system32\findstr.exe  (PID 4932)
      command line: findstr /L /I set C:\Users\Admin\AppData\Local\Temp\Launch.bat
    C:\Windows\system32\findstr.exe  (PID 1168)
      command line: findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\Launch.bat
    C:\Windows\system32\findstr.exe  (PID 2524)
      command line: findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\Launch.bat
    C:\Windows\system32\findstr.exe  (PID 3212)
      command line: findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\Launch.bat
    C:\Windows\system32\cmd.exe  (PID 4708)
      command line: C:\Windows\system32\cmd.exe /c type tmp
Network

DNS  8.8.8.8:53  query 2.159.190.20.in-addr.arpa IN PTR
  response: no answer records
  71 B sent / 157 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 196.178.17.96.in-addr.arpa IN PTR
  response: 196.178.17.96.in-addr.arpa IN PTR a96-17-178-196.deploy.static.akamaitechnologies.com
  72 B sent / 137 B received, 1 / 1 packets

DNS  8.8.8.8:53  query g.bing.com IN A
  response:
    g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net IN A 204.79.197.200
    dual-a-0001.a-msedge.net IN A 13.107.21.200
  56 B sent / 158 B received, 1 / 1 packets

HTTP  204.79.197.200:443  (tls, http2)  2.0kB sent / 9.2kB received, 22 / 18 packets

  Request 1
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response 1
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=24954F2777FD65B603D65B177646649F; domain=.bing.com; expires=Fri, 21-Mar-2025 15:42:06 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 07AA06427AE446D7ADFBE3534211D9E3 Ref B: LON04EDGE0811 Ref C: 2024-02-25T15:42:06Z
    date: Sun, 25 Feb 2024 15:42:05 GMT

  Request 2
    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=24954F2777FD65B603D65B177646649F
  Response 2
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=jcC0UHjVBWyTiv3NXTDON9OMcxcl-7yvfL_yp0-rhrc; domain=.bing.com; expires=Fri, 21-Mar-2025 15:42:06 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2D58B596F99044589C8841EE82267A44 Ref B: LON04EDGE0811 Ref C: 2024-02-25T15:42:06Z
    date: Sun, 25 Feb 2024 15:42:05 GMT

  Request 3
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=24954F2777FD65B603D65B177646649F; MSPTC=jcC0UHjVBWyTiv3NXTDON9OMcxcl-7yvfL_yp0-rhrc
  Response 3
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E36DA1FD96BD4A31BC876874401115AC Ref B: LON04EDGE0811 Ref C: 2024-02-25T15:42:06Z
    date: Sun, 25 Feb 2024 15:42:05 GMT

DNS  8.8.8.8:53  query 9.228.82.20.in-addr.arpa IN PTR
  response: no answer records
  70 B sent / 156 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 41.110.16.96.in-addr.arpa IN PTR
  response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com
  71 B sent / 135 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 103.169.127.40.in-addr.arpa IN PTR
  response: no answer records
  73 B sent / 147 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 15.164.165.52.in-addr.arpa IN PTR
  response: no answer records
  72 B sent / 146 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 217.135.221.88.in-addr.arpa IN PTR
  response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
  73 B sent / 139 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 190.178.17.96.in-addr.arpa IN PTR
  response: 190.178.17.96.in-addr.arpa IN PTR a96-17-178-190.deploy.static.akamaitechnologies.com
  72 B sent / 137 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 19.229.111.52.in-addr.arpa IN PTR
  response: no answer records
  72 B sent / 158 B received, 1 / 1 packets

DNS  8.8.8.8:53  query 91.65.42.20.in-addr.arpa IN PTR
  response: no answer records
  70 B sent / 156 B received, 1 / 1 packets
MITRE ATT&CK Matrix
Downloads
Filesize: 14B
MD5: ce585c6ba32ac17652d2345118536f9c
SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752