854175b18018a759959f538a6d49c8ac7ec63bc5161e89746bd348c6f5ef02d0

Analysis

max time kernel
10s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e.bat
Size

814B
MD5

b4ee5b6a1c93343d38ed9a46be6cf8bf
SHA1

84d959256fb63560114ebac36ecb46d3058fd35d
SHA256

854175b18018a759959f538a6d49c8ac7ec63bc5161e89746bd348c6f5ef02d0
SHA512

729f09e2e432f004d0fbf9a61e6b5deea46cea236aec885fd8a6d592bd46c022c5095b4b8de87e1113849e27bb2a09c31764313300552bd4d7728f9e95de8c2b

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2328	2992	cmd.exe	96
PID 2992 wrote to memory of 2328	2992	cmd.exe	96
PID 2328 wrote to memory of 5020	2328	cmd.exe	97
PID 2328 wrote to memory of 5020	2328	cmd.exe	97
PID 2992 wrote to memory of 3884	2992	cmd.exe	101
PID 2992 wrote to memory of 3884	2992	cmd.exe	101
PID 2992 wrote to memory of 2264	2992	cmd.exe	102
PID 2992 wrote to memory of 2264	2992	cmd.exe	102
PID 2992 wrote to memory of 4920	2992	cmd.exe	103
PID 2992 wrote to memory of 4920	2992	cmd.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\curl.exe
    curl -s https://api.ipify.org
    3⤵
    PID:5020
- C:\Windows\system32\curl.exe
  curl -s -o blacklist.txt https://raw.githubusercontent.com/ThunderboltDev/IP-BLACKLIST/main/blacklist_ips.txt
  2⤵
  PID:3884
- C:\Windows\system32\findstr.exe
  findstr /C:"89.149.23.59" blacklist.txt
  2⤵
  PID:2264
- C:\Windows\system32\mshta.exe
  mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
  2⤵
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\blacklist.txt

Filesize
987B

MD5
68449bbf7f162ab7d71945e84375e410

SHA1
c87ea31e16e9aa35b033a3f0926296ad6b1b1e45

SHA256
7832b57dc2f7480bdf8ef76aac2e51dc75f3a6e3e6f7f5a117f97b78ecb90fbc

SHA512
eb86502e47cafc6f6536d119c87dcdf026e6edff4121a7955768c872b0633cf942df3f1f77f85cbfc7ec11551c89d326c3d3dc120a5a288776ca81749ce71314

Download Submit