12ed55672422406776291c47ecfa40d49a1bc39ecd5bca9710ee6c860177d6c9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 03:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MSFS.bat
Size

4KB
MD5

590fa2ce71355aeb5607905509a140c8
SHA1

02d134061209bacf23efe744cfbf2aca1540718f
SHA256

b33f9b1a0f5cc34ba1dfb76855d0c6921f08298f942f9044d9868e74e285548d
SHA512

4cd3739bcd3afe957e61f540c7a9495e989ef707e1eee9041dc07b4dae45ac3469a0ba87ad841840c26f24caa35bb4c58ce3663a94ad44f42d38356a808effe4
SSDEEP

96:DNhEkndgsddddddddddhZ0C/U49l2ernfcRAN8:JrU49lJz0r

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	2464	mshta.exe
16	2464	mshta.exe
18	2464	mshta.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4404	4892	cmd.exe	87
PID 4892 wrote to memory of 4404	4892	cmd.exe	87
PID 4404 wrote to memory of 1068	4404	cmd.exe	89
PID 4404 wrote to memory of 1068	4404	cmd.exe	89
PID 4404 wrote to memory of 3532	4404	cmd.exe	99
PID 4404 wrote to memory of 3532	4404	cmd.exe	99
PID 4404 wrote to memory of 4080	4404	cmd.exe	100
PID 4404 wrote to memory of 4080	4404	cmd.exe	100
PID 4404 wrote to memory of 2464	4404	cmd.exe	101
PID 4404 wrote to memory of 2464	4404	cmd.exe	101

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MSFS.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\MSFS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\system32\cmd.exe
    cmd.exe /C start shell:AppsFolder\Microsoft.FlightSimulator_8wekyb3d8bbwe!App -FastLaunch
    3⤵
    - Checks computer location settings
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\MSFS.bat""
    3⤵
    PID:3532
- - C:\Windows\system32\findstr.exe
    findstr /bc:" "
    3⤵
    PID:4080
- - C:\Windows\system32\mshta.exe
    mshta "C:\Users\Admin\AppData\Local\Temp\tmp.hta"
    3⤵
    - Blocklisted process makes network request
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.hta

Filesize
2KB

MD5
e813d2bab84d0dde521a17981c6c99b2

SHA1
d29873c490265d4f50f4ba5ed6472e22f28259a8

SHA256
46243404b1bf5b18e584db02b175e2b8c0a8f93603c77e980aeae08ba761ffaa

SHA512
d4719264562865700908a3fcf14b004d8957e94c9ed82db1b189efa31dab77998ffa40ffc95cba04ad819b2271a4a521c77d94ca010b5b5ce6df0e5944a1308a

Download Submit