Analysis

  • max time kernel
    83s
  • max time network
    89s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/04/2024, 12:57

General

  • Target

    run.bat

  • Size

    211B

  • MD5

    95dc540ce9877033b309e41d29e38349

  • SHA1

    a4a98aced74466705eb95f2f9373ec85fab18ee5

  • SHA256

    1c2c228022944f33e94fc752a2a30a6e31757956b5f6cee70da5c147b4ab05bc

  • SHA512

    04a0f3dbd3ca66715aff1bea620e638065e33168834282d964a629a8c7b22857e199ac7a778d74c50a8941eb351f8ad219972ef4f722b8dfb1578232a58bd947

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
    1⤵
      PID:3752
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1232
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
        1⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffbfe873cb8,0x7ffbfe873cc8,0x7ffbfe873cd8
          2⤵
            PID:492
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
            2⤵
              PID:1292
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2788
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
              2⤵
                PID:1032
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
                2⤵
                  PID:3904
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
                  2⤵
                    PID:2260
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
                    2⤵
                      PID:32
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
                      2⤵
                        PID:4036
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:5048
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
                        2⤵
                          PID:2620
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
                          2⤵
                            PID:4876
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                            2⤵
                              PID:1588
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
                              2⤵
                                PID:2144
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,10585806547098706571,412763937154977815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                                2⤵
                                  PID:364
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4824
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2348

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    341f6b71eb8fcb1e52a749a673b2819c

                                    SHA1

                                    6c81b6acb3ce5f64180cb58a6aae927b882f4109

                                    SHA256

                                    57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

                                    SHA512

                                    57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    88e9aaca62aa2aed293699f139d7e7e1

                                    SHA1

                                    09d9ccfbdff9680366291d5d1bc311b0b56a05e9

                                    SHA256

                                    27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

                                    SHA512

                                    d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    cc8ba681f95251572ee3fefb0535cc8d

                                    SHA1

                                    979d89a349e5c9fa4206345031e59c83f42eb00d

                                    SHA256

                                    c6778efe070bf466fce612355fbb31cdcf7efde58e91a8c9bfce5a8cbc809c5b

                                    SHA512

                                    0abefff5037fcaaec0a6568ff860b119f64c4fa440d1f3fee6ee44aa4d2bc7f3652b52dc8d2ec18fe7a35904a4cfc78b7c2e6cd6199097276587aaa30b5cb351

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    df7adfbbddcd6473cf9fe33c22c8608c

                                    SHA1

                                    a75a330174894f7db701bacea48765ed415779bc

                                    SHA256

                                    377624fe8fbaa0f9e5482f32576f0db18c16eb36f171f45ad4fac06e01b4e9b2

                                    SHA512

                                    63ac774bcb3e285f5ebe11b8a496b4af913470eb6ef68a1cde25356293a19c9d20651475940edb6412f3c15ec8dcfdabf33871db3e7001db1706b316f1d6bfe3

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    67b6b9dd520fab41100919edbfffb7c7

                                    SHA1

                                    2c8ecf6ef8f2a4f636eefcbd25062a550076784e

                                    SHA256

                                    0a63ba894b8d785f4ccddfefd8d507ee09da7f188dfd443e2c57bf1b30a885d3

                                    SHA512

                                    916d333831a649ecea1a98c104f6e7d0b938e609bfaf661f3e8a0dc6b13cc13ffcc8280bdd5330c2f258be09d1f4565fd245a48f36761e98356db983a5c2960f

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    e8745b67c7e068c04d2b00082e265255

                                    SHA1

                                    08d1b4e1f5bd6ccdae34c2b86999ea1b3472e47c

                                    SHA256

                                    2cd29aacea6e80be76689f95c5107646c6eb59bbd870eb7a880c7789b22c9224

                                    SHA512

                                    42eece0d3e5cf6eb4e883edc332910aa016e1f8e65d44be30182bbc6cfd1f1b0ed64af9f5263946e2ee471f6dc7f3642f01f192714378e99c76bbbe9e2ecd436