5661c9345c5a0d8e76c7b76158006554a9721526a6ea0e8adfdd34bf47bf08db

Resubmissions

27-04-2024 10:20

240427-mc49nahb6s 8

27-04-2024 10:17

240427-mbg3qshb2z 8

27-04-2024 10:12

240427-l81exagc99 8

Analysis

max time kernel
104s
max time network
113s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0EXNM3VL.bat
Size

23KB
MD5

f94ee210eb268d477b98419357872564
SHA1

85032ece2031a10f2839d10ffd13ca3a05d76a4d
SHA256

5661c9345c5a0d8e76c7b76158006554a9721526a6ea0e8adfdd34bf47bf08db
SHA512

a1ccb8f70558290d59e0488b9e86e5b74e86e5ec17b88022c977e7e4d648b49ec0df6923f0c22495cf30cc1ec154995f9a7f655296322a77d31d1f3fe3f1240f
SSDEEP

384:fSpSw/3x030ySTMmmXfUHb+h8ilPdaN5RdHkZ2fvqS2p0glkZXiJZGOrIOCq+iCI:fSpSw/3x030ySFmXfUHb+h8ilPdaN5RO

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4772	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	tasklist.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3376	5100	cmd.exe	82
PID 5100 wrote to memory of 3376	5100	cmd.exe	82
PID 5100 wrote to memory of 3276	5100	cmd.exe	83
PID 5100 wrote to memory of 3276	5100	cmd.exe	83
PID 5100 wrote to memory of 4052	5100	cmd.exe	84
PID 5100 wrote to memory of 4052	5100	cmd.exe	84
PID 5100 wrote to memory of 4584	5100	cmd.exe	85
PID 5100 wrote to memory of 4584	5100	cmd.exe	85
PID 4584 wrote to memory of 4772	4584	cmd.exe	86
PID 4584 wrote to memory of 4772	4584	cmd.exe	86
PID 5100 wrote to memory of 2708	5100	cmd.exe	88
PID 5100 wrote to memory of 2708	5100	cmd.exe	88
PID 5100 wrote to memory of 228	5100	cmd.exe	89
PID 5100 wrote to memory of 228	5100	cmd.exe	89
PID 5100 wrote to memory of 400	5100	cmd.exe	90
PID 5100 wrote to memory of 400	5100	cmd.exe	90
PID 400 wrote to memory of 1968	400	cmd.exe	91
PID 400 wrote to memory of 1968	400	cmd.exe	91
PID 5100 wrote to memory of 5076	5100	cmd.exe	92
PID 5100 wrote to memory of 5076	5100	cmd.exe	92
PID 5076 wrote to memory of 3876	5076	cmd.exe	93
PID 5076 wrote to memory of 3876	5076	cmd.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0EXNM3VL.bat"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:3276
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- C:\Windows\system32\reg.exe
  Reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
  2⤵
  PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    PID:3876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads