Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/02/2024, 15:41 UTC

General

  • Target

    Launch.bat

  • Size

    19KB

  • MD5

    87739439d2217d83e15f1389549e41c9

  • SHA1

    567be03f8cf4425de8e1e5c274efc959d54ca231

  • SHA256

    c281b1d9b9d1f59fbde5d9042295fce56f7d4040fb3ef6fc389f0a49d5c53eac

  • SHA512

    bcae0632fecb4ab8a4a4715d022eb800020361e930102310c5631c7bdf28ddcaf382084bc20b64b9094cd9d68383b9e3db5ab9aec993181b74e1a4635f342254

  • SSDEEP

    384:UHpBGx8L4FUsPEBcM+6Rdi5jsTnE7H8r2:WpBGx88FUsPf6Rg5j4EHB

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launch.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Windows\system32\chcp.com
      chcp.com 437
      2⤵
      PID:1368
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:1316
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:3332
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:2320
    • C:\Windows\system32\findstr.exe
      findstr /L /I set C:\Users\Admin\AppData\Local\Temp\Launch.bat
      2⤵
      PID:4932
    • C:\Windows\system32\findstr.exe
      findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\Launch.bat
      2⤵
      PID:1168
    • C:\Windows\system32\findstr.exe
      findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\Launch.bat
      2⤵
      PID:2524
    • C:\Windows\system32\findstr.exe
      findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\Launch.bat
      2⤵
      PID:3212
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:4708
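The process tree above is the only behaviour the report records for the sample: the single signature (WriteProcessMemory) is attributed to the parent cmd.exe, no dropped executable appears, and nothing in the tree is an HTTP client (the g.bing.com requests further down carry the WindowsShellClient user-agent, which points at the sandbox's own Windows shell rather than the batch file). What the tree does show is a batch script that changes the console code page and then runs findstr four times against its own file, each time for a different keyword. The following Python script is an added triage example, not part of the report: it rebuilds the tree from the command lines listed above and flags find/findstr children that search the script their parent cmd.exe is executing. The parent PIDs are an assumption taken from the tree shape (every child is drawn at depth 2 under PID 4960); the helper names are my own.

```python
"""Rebuild the Triage process tree and flag script self-inspection.

Added example, not from the report. EVENTS is constructed from the Processes
section above; the ppid column is assumed from the drawn tree depth.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


# (pid, ppid, image, command line). Constructed from the report; ppid assumed.
EVENTS = [
    (4960, 0, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launch.bat"'),
    (1368, 4960, r"C:\Windows\system32\chcp.com", "chcp.com 437"),
    (1316, 4960, r"C:\Windows\system32\find.exe", "find"),
    (3332, 4960, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c type tmp"),
    (2320, 4960, r"C:\Windows\system32\find.exe", "find"),
    (4932, 4960, r"C:\Windows\system32\findstr.exe",
     r"findstr /L /I set C:\Users\Admin\AppData\Local\Temp\Launch.bat"),
    (1168, 4960, r"C:\Windows\system32\findstr.exe",
     r"findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\Launch.bat"),
    (2524, 4960, r"C:\Windows\system32\findstr.exe",
     r"findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\Launch.bat"),
    (3212, 4960, r"C:\Windows\system32\findstr.exe",
     r"findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\Launch.bat"),
    (4708, 4960, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c type tmp"),
]


def build_tree(events) -> Dict[int, Proc]:
    """Index processes by PID and link each one to its parent."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str) -> Optional[str]:
    """Return the .bat/.cmd file a cmd.exe was started with via /c or /k, if any."""
    m = re.search(r'(?i)\s/[ck]\s+"?([^"]+?\.(?:bat|cmd))"?(?:\s|$)', cmdline)
    return m.group(1) if m else None


def ancestor_script(p: Proc, procs: Dict[int, Proc]) -> Optional[str]:
    """Walk up to the nearest cmd.exe ancestor that is executing a script file."""
    cur = procs.get(p.ppid)
    while cur is not None:
        if basename(cur.image) == "cmd.exe":
            sp = script_path(cur.cmdline)
            if sp:
                return sp
        cur = procs.get(cur.ppid)
    return None


def search_term(cmdline: str) -> Optional[str]:
    """First non-switch argument of find/findstr, i.e. the string being searched for."""
    for a in tokens(cmdline)[1:]:
        if not a.startswith("/"):
            return a
    return None


def self_inspection(procs: Dict[int, Proc]) -> List[dict]:
    """Flag find/findstr children whose command line names the script their parent runs."""
    findings = []
    for p in procs.values():
        if basename(p.image) not in ("findstr.exe", "find.exe"):
            continue
        script = ancestor_script(p, procs)
        if script and script.lower() in p.cmdline.lower():
            findings.append({"pid": p.pid, "script": script, "keyword": search_term(p.cmdline)})
    return sorted(findings, key=lambda f: f["pid"])


def codepage_changes(procs: Dict[int, Proc]) -> List[int]:
    """Code pages requested through chcp.com anywhere in the tree."""
    return [int(t) for p in procs.values() if basename(p.image) == "chcp.com"
            for t in tokens(p.cmdline)[1:] if t.isdigit()]


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for f in self_inspection(tree):
        print(f"PID {f['pid']}: searches its own script {f['script']} for {f['keyword']!r}")
    print("code pages set:", codepage_changes(tree))
```

Against the report's tree this yields four findings (PIDs 1168, 2524, 3212, 4932 searching for goto, echo, pause and set) and one code-page change to 437; the two bare `find` processes and the `type tmp` children are left alone because their command lines do not reference the script.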

Network

  • DNS 2.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 2.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 196.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 196.178.17.96.in-addr.arpa IN PTR
    Response: 196.178.17.96.in-addr.arpa IN PTR a96-17-178-196.deploy.static.akamaitechnologies.com
  • DNS g.bing.com
    Remote address: 8.8.8.8:53 (US)
    Request: g.bing.com IN A
    Response:
      g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net IN A 204.79.197.200
      dual-a-0001.a-msedge.net IN A 13.107.21.200
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address: 204.79.197.200:443 (US)
    Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=24954F2777FD65B603D65B177646649F; domain=.bing.com; expires=Fri, 21-Mar-2025 15:42:06 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 07AA06427AE446D7ADFBE3534211D9E3 Ref B: LON04EDGE0811 Ref C: 2024-02-25T15:42:06Z
      date: Sun, 25 Feb 2024 15:42:05 GMT
  • GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address: 204.79.197.200:443 (US)
    Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=24954F2777FD65B603D65B177646649F
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=jcC0UHjVBWyTiv3NXTDON9OMcxcl-7yvfL_yp0-rhrc; domain=.bing.com; expires=Fri, 21-Mar-2025 15:42:06 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 2D58B596F99044589C8841EE82267A44 Ref B: LON04EDGE0811 Ref C: 2024-02-25T15:42:06Z
      date: Sun, 25 Feb 2024 15:42:05 GMT
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address: 204.79.197.200:443 (US)
    Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=24954F2777FD65B603D65B177646649F; MSPTC=jcC0UHjVBWyTiv3NXTDON9OMcxcl-7yvfL_yp0-rhrc
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E36DA1FD96BD4A31BC876874401115AC Ref B: LON04EDGE0811 Ref C: 2024-02-25T15:42:06Z
      date: Sun, 25 Feb 2024 15:42:05 GMT
  • DNS 9.228.82.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 9.228.82.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 41.110.16.96.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 41.110.16.96.in-addr.arpa IN PTR
    Response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com
  • DNS 103.169.127.40.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 103.169.127.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 217.135.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 217.135.221.88.in-addr.arpa IN PTR
    Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
  • DNS 190.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 190.178.17.96.in-addr.arpa IN PTR
    Response: 190.178.17.96.in-addr.arpa IN PTR a96-17-178-190.deploy.static.akamaitechnologies.com
  • DNS 19.229.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 19.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 91.65.42.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 91.65.42.20.in-addr.arpa IN PTR
    Response: (empty)

Connections

  • 204.79.197.200:443 (tls, http2), 2.0kB / 9.2kB transferred, 22 / 18 packets
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ee854270bb9b4c6a9a35dc0f9edab1e9&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    HTTP Response: 204
  • 8.8.8.8:53 (dns), 71 B / 157 B, 1 / 1 packets
    DNS Request: 2.159.190.20.in-addr.arpa
  • 8.8.8.8:53 (dns), 72 B / 137 B, 1 / 1 packets
    DNS Request: 196.178.17.96.in-addr.arpa
  • 8.8.8.8:53 (dns), 56 B / 158 B, 1 / 1 packets
    DNS Request: g.bing.com
    DNS Response: 204.79.197.200, 13.107.21.200
  • 8.8.8.8:53 (dns), 70 B / 156 B, 1 / 1 packets
    DNS Request: 9.228.82.20.in-addr.arpa
  • 8.8.8.8:53 (dns), 71 B / 135 B, 1 / 1 packets
    DNS Request: 41.110.16.96.in-addr.arpa
  • 8.8.8.8:53 (dns), 73 B / 147 B, 1 / 1 packets
    DNS Request: 103.169.127.40.in-addr.arpa
  • 8.8.8.8:53 (dns), 72 B / 146 B, 1 / 1 packets
    DNS Request: 15.164.165.52.in-addr.arpa
  • 8.8.8.8:53 (dns), 73 B / 139 B, 1 / 1 packets
    DNS Request: 217.135.221.88.in-addr.arpa
  • 8.8.8.8:53 (dns), 72 B / 137 B, 1 / 1 packets
    DNS Request: 190.178.17.96.in-addr.arpa
  • 8.8.8.8:53 (dns), 72 B / 158 B, 1 / 1 packets
    DNS Request: 19.229.111.52.in-addr.arpa
  • 8.8.8.8:53 (dns), 70 B / 156 B, 1 / 1 packets
    DNS Request: 91.65.42.20.in-addr.arpa
MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp
    Filesize: 14B
    MD5: ce585c6ba32ac17652d2345118536f9c
    SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
    SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
    SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752