Analysis
  max time kernel: 83s
  max time network: 89s
  platform: windows11-21h2_x64
  resource: win11-20240221-en
  resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 06/04/2024, 12:57
  Static task: static1
  Behavioral task: behavioral1
  Sample: run.bat
  Resource: win11-20240221-en

General
  Target: run.bat
  Size: 211B
  MD5: 95dc540ce9877033b309e41d29e38349
  SHA1: a4a98aced74466705eb95f2f9373ec85fab18ee5
  SHA256: 1c2c228022944f33e94fc752a2a30a6e31757956b5f6cee70da5c147b4ab05bc
  SHA512: 04a0f3dbd3ca66715aff1bea620e638065e33168834282d964a629a8c7b22857e199ac7a778d74c50a8941eb351f8ad219972ef4f722b8dfb1578232a58bd947
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description         ioc                                                              Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS               msedge.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
    pid    Process
    2788   msedge.exe   (2 entries)
    4312   msedge.exe   (2 entries)
    5048   msedge.exe   (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
    pid    Process
    4312   msedge.exe   (all 9 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
    pid    Process
    4312   msedge.exe   (all 25 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
    pid    Process
    4312   msedge.exe   (all 12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, listed in the order they appear)
    description                          pid    Process      procid_target
    PID 4312 wrote to memory of 492      4312   msedge.exe   85
    PID 4312 wrote to memory of 1292     4312   msedge.exe   86
    PID 4312 wrote to memory of 2788     4312   msedge.exe   87
    PID 4312 wrote to memory of 1032     4312   msedge.exe   89
Processes
- C:\Windows\system32\cmd.exe (PID 3752)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
- C:\Windows\System32\rundll32.exe (PID 1232)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4312)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes of PID 4312:
  - msedge.exe (PID 492)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffbfe873cb8,0x7ffbfe873cc8,0x7ffbfe873cd8
  - msedge.exe (PID 1292)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  - msedge.exe (PID 2788)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 1032)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  - msedge.exe (PID 3904)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  - msedge.exe (PID 2260)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  - msedge.exe (PID 32)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  - msedge.exe (PID 4036)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  - msedge.exe (PID 5048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 2620)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  - msedge.exe (PID 4876)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  - msedge.exe (PID 1588)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  - msedge.exe (PID 2144)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  - msedge.exe (PID 364)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 4824)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2348)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads