hxxps://github[.]com/SparkScratch-P/batch-virus/archive/refs/heads/main[.]zip

Analysis

max time kernel
163s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 13:20

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T13:23:10Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_6-dirty.qcow2\"}"

Report Analysis Logs

General

Target

https://github.com/SparkScratch-P/batch-virus/archive/refs/heads/main.zip

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3656 attrib.exe
4532 attrib.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greatgame reg.exe
Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Greatgame cmd.exe
File opened for modification C:\Windows\Greatgame cmd.exe

pid	process
3656	attrib.exe
4532	attrib.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greatgame	reg.exe

description	ioc	process
File created	C:\Windows\Greatgame	cmd.exe
File opened for modification	C:\Windows\Greatgame	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4996 ipconfig.exe

pid	process
4996	ipconfig.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "168"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585248278984151"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings chrome.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3396 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1560 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	chrome.exe

pid	process
3396	reg.exe

pid	process
1560	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exetskill.exetskill.exetskill.exetskill.exe

pid	process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
228	chrome.exe
228	chrome.exe
1860	tskill.exe
1860	tskill.exe
1408	tskill.exe
1408	tskill.exe
2620	tskill.exe
2620	tskill.exe
4448	tskill.exe
4448	tskill.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3540 chrome.exe
3540 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Calculator.exeLogonUI.exe

pid process

3560 Calculator.exe
3560 Calculator.exe
3560 Calculator.exe
5432 LogonUI.exe

pid	process
3560	Calculator.exe
3560	Calculator.exe
3560	Calculator.exe
5432	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3540 wrote to memory of 3080	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3080	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4964	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4152	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 4152	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe
PID 3540 wrote to memory of 3788	3540	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3656 attrib.exe
4532 attrib.exe

pid	process
3656	attrib.exe
4532	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/SparkScratch-P/batch-virus/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8184bab58,0x7ff8184bab68,0x7ff8184bab78
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:2
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:1
2⤵
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:1
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:8
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1868,i,17121486706532405020,2198748919468095899,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-virus-main\viruses\virus35.bat" "
1⤵
PID:2208

C:\Windows\system32\msg.exe
msg *You have just launched BloatWarez 6255
2⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-virus-main\viruses\virus34.bat" "
1⤵
PID:3628

C:\Windows\system32\PING.EXE
ping localhost -n 1
2⤵
- Runs ping.exe
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-virus-main\viruses\virus33.bat" "
1⤵
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-virus-main\viruses\virus32.bat" "
1⤵
PID:544

C:\Windows\system32\ipconfig.exe
Ipconfig /displaydns
2⤵
- Gathers network information
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\batch-virus-main\viruses\virus31.bat" "
1⤵
- Drops file in Windows directory
PID:3388

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:464

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3944

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1768

C:\Windows\system32\calc.exe
calc
2⤵
PID:2384

C:\Windows\system32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Greatgame /t REG_SZ
2⤵
- Adds Run key to start application
- Modifies registry key
PID:3396

C:\Windows\system32\attrib.exe
Attrib +r +h Greatgame.bat
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4532

C:\Windows\system32\attrib.exe
Attrib +r +h
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3656

C:\Windows\system32\rundll32.exe
RUNDLL32 USER32.DLL.SwapMouseButton
2⤵
PID:3488

C:\Windows\system32\calc.exe
calc
2⤵
PID:1104

C:\Windows\system32\tskill.exe
tskill msnmsgr
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\system32\tskill.exe
tskill LimeWire
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Windows\system32\tskill.exe
tskill iexplore
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\system32\tskill.exe
tskill NMain
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3076

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1748

C:\Windows\system32\calc.exe
calc
2⤵
PID:1420

C:\Windows\system32\msg.exe
msg * R.I.P
2⤵
PID:1984

C:\Windows\system32\msg.exe
msg * R.I.P
2⤵
PID:64

C:\Windows\system32\shutdown.exe
shutdown -r -t 10 -c "VIRUS DETECTED"
2⤵
PID:916

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2812

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:3500

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:64

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9d6d587374aecd3e1286f23a82d94e7e

SHA1
2c7aa1f30e2e1c0064c80d7498950f61d3242d53

SHA256
7bce7f2c9f0fc66287bb4f92b61b84ebe691ece0991fec7335164a6eb4082719

SHA512
bc376702707da6db386a0660ce5a405cd1e6c89c064647acedaacf483548c6639c13f08298e3b4277f131beaeabd292ede3ca4ccde2b764f7e0c7ecf84d3ec1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
691B

MD5
477c42b817c223f6fc0771cc34b9c096

SHA1
a5818e9b11f81591d5198d811adeba004833bbea

SHA256
38ae35929eb408b00983504604478061dca2a6c5e19d59d42d0e1eadd9d157b2

SHA512
c38fd9121e234a705db378ae93e3acef76596f3ed13dbe01fb554f118ff1dd2930a2379b09249e5ebc9878362cd5144791371e2ce449c480a1fd6812268027a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f032c2a0d99fe6beb2839edaef684f9a

SHA1
61aaf9e4f527e1bbe69b5fd1e893823e989a6573

SHA256
398af6221747045995842d18f281765b82f728ae5a782134f45c7ef9775f1613

SHA512
9bea891fb1a7ec13d45aded4a00cfcf6423c5fddc5ce5660009da4c1b914544d0f9eefa9538225c7946463aeb6b3cd2ec8897a378c613dc547cf5fdb39bd34a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
cdb9b9169c7592ae046c5722823d2dc1

SHA1
610f2f0a45dee08d47957a48fc8f87168671a717

SHA256
a0d95e70f7304435a961089480e5c518c469f3e0b873de4a3e718768865dc129

SHA512
40736a3fe0497cc9b07cffd364ecdaedd816690118be2ef27029d14b6066203e3372014df3c8238f9570c513a2275fa992a35c408e1bb8b945201d60e2eaa473

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
28f7b7fbdd63fe2dd150868a01262f41

SHA1
876974819c86f03dc7114156d0651610bf87bfb8

SHA256
ab65898735f3ef43c3a05d2de5ed67c10f67d96de6fd7a79ed7b561910a2191a

SHA512
82f71716a60dc7775c2a833d6a0857bd5b14ffbe07f7966b2e8c5da86a8afa337c8b913493710ca4c6bba1b8741aab6234a1e3633b833933194366fe7bb83bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
590238374abcd56f09f538bc7c04dac5

SHA1
9a48b8731651e7e8007ef46a02a42403fc2a84a1

SHA256
c0fa76fba60136cdd244d10b1ee46d569af1e3ddd72e8d19e7d733519d535dec

SHA512
e58fc222cb2c1f164eb635533d22a2ab202ac16f79e9ff12518bc7ae7016c1fa835d25d46ac3c0f1c464f627e7a462363dd7329f50d15f58bb7eb22f33a675c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
bf43799a89b14fc0fb826fed40035ce9

SHA1
65ad8402db569fce57ca40a1521b21314b4080a0

SHA256
5348411a2ba2b2fa90ec8e409db86420b4e36b30e9aaa1082948e3c74e02b39e

SHA512
fe304f0b1ceab07fc8e415d966a1981aa4d201c8034eb9ca6c3e5c1548a39babd31321b516c3023d95e3de382d387a9b4f6cd7dca73686c5b1492c34909617f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
148KB

MD5
c778885ed81b58943d169dcf10dc6551

SHA1
ff450903052d312b5cf6b57c1ce6b112e1f56108

SHA256
7cc418fea15f9b3a94bab14dc53ef01db61f39cbe264eeeabfe4a159b9fa3a69

SHA512
236ca77d3d7a7b02a6cdbeef8b474db623125a007fdd605a82b460488f0991f36cf4ff65aacfd53b6e9113a7f4e683d32bc86570f1aacf0c7b01924747afb812

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
99df5636b3737cda8423a4391cea3dcc

SHA1
6a6e19acb1248757f9942c1ab41c49a79710a43b

SHA256
2ee2a9fa39a7fb01b27accdbba0d41dbc27b812408b43f082a21138184aae25a

SHA512
ba08cf0ec40b4d0f3c58eabdb32a6f3e26d7075a74754a5f99d8145ace47c5f07158941ddb63471d5ae2fe57c39a40530e725891eb4002c8e21bcf83f33e3a99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c786.TMP
Filesize
97KB

MD5
9fd6761a77b61c5501c2bf240c41cc0e

SHA1
47d6abcfa1d2a3c44e3f989555e9d250ea18364b

SHA256
2bc8622dc3f266180a8d641189a390c60f5408a224f0f2a1fcc5f373ec33b7f6

SHA512
311100ddf62dbe9b4cb6bc33fb0a24b5b543f28fbf3e762a09504575dc620b5e1c97a8e623ec47726aa5e1e1bd1055224ebb5706904639e3337c8a653b0ff19f

Download Submit
C:\Users\Admin\Desktop\batch-virus-main\viruses\HusanboyBayernVirus.bat
Filesize
105B

MD5
c3fa55b709af8b52c055c3f636295e2f

SHA1
45de94c5920edc1e81e49a63481cfbcb78b4147e

SHA256
aa98c9bdb5c418c02daaf7b64990742510ce9640edd054ad4cb351cba1285ac7

SHA512
d0090be35b132ee0a5753eaa5394ee51c671f99b3766f739c374c3b479927360b61370b6b556a4c249cc4aaeb4a6d95587035d9f56bd0f95688a12e0e9724279

Download Submit
C:\Users\Admin\Desktop\batch-virus-main\viruses\operateHusanboyBayernVirus.bat
Filesize
82B

MD5
50f85c556dbff3394d6ddc49edfe7fd3

SHA1
b844fe9b197425d5e13ed5cc727617642db68bfe

SHA256
c97f765cb1550362cc0b3859e8e4a29dcc28ba49616a42b46cda35036796b3f3

SHA512
be3ca6e31da26369ce9ab38ab4cc41c6badccb54529d75a1381f49ee63039b0b51cbc21cae2ba0abc38c5ab6dfaf8681d2d613381d803868af3a8e0472a0d008

Download Submit
C:\Users\Admin\Downloads\batch-virus-main.zip.crdownload
Filesize
28KB

MD5
cbafef9e4869db15b79329bb4f46b66f

SHA1
8b55fcfd3c965d59f06ad878f6d60def26c12ca4

SHA256
77edd09c8ef0321fd7c39036c6220d3e5e152e3bdb2a2954a06f6943b31a3939

SHA512
72f815ba527cc088fe2116f88173cd6aadffd39fd7e115ab26ca2e0ceea3d1aeca389f38850fd50b5198cf19bd665197bf2b674c08dc04f5a28c40b07058fbb3

Download Submit
\??\pipe\crashpad_3540_CFTHVXFJOIRJGDDI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads