Analysis
max time kernel: 89s
max time network: 109s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/03/2024, 21:45
Static task: static1
Behavioral task: behavioral1
Sample: celexxxx_obf.bat
Resource: win11-20240221-en
General
Target: celexxxx_obf.bat
Size: 91.4MB
MD5: c2a9426d4cdf55793d93795f1d960b94
SHA1: 67fba03d1d37f004d5ad1d2fe6913d8d7216bcba
SHA256: 284ce68742c3aef65ece4c4d69227eb9415579960cab6b54219b0944867f015e
SHA512: be098a88d33894b1c45f635a9d9ed4154036e47b845369efb7ff292bd48ccb76f4f86647faa34ab0d30ecdeca418516afc34166fce5b27667963f16c2da9a970
SSDEEP: 49152:q7vbJ+T+8qTuu9C15by4XCzHBvy8aQi9o1IKOqOm48DxY4vQngUEQZdYxOBahOlf:nnn
Malware Config
Signatures
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\MuiCache (process: MiniSearchHost.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2032 powershell.exe (3 entries)
Suspicious behavior: LoadsDriver (6 IoCs)
  PID 4 Process not Found (5 entries)
  PID 648 Process not Found (1 entry)
Suspicious use of AdjustPrivilegeToken (22 IoCs)
  PID 2032 powershell.exe, tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1236 MiniSearchHost.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4844 cmd.exe wrote to memory of PID 2188 (procid_target 78) (2 entries)
  PID 4844 cmd.exe wrote to memory of PID 2032 (procid_target 79) (2 entries)
Processes
C:\Windows\system32\cmd.exe (PID 4844)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\celexxxx_obf.bat"
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\system32\findstr.exe (PID 2188)
    command line: findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\celexxxx_obf.bat"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2032)
    command line: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {"Less than 8GB";spps -f -n "cmd" -ErrorAction SilentlyContinue;exit 1}"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\rundll32.exe (PID 2004)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe (PID 3456)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe (PID 1548)
  command line: C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
C:\Windows\system32\svchost.exe (PID 4896)
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (PID 1236)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
-