172eb15e380b0c296ba32a90b59b1a90cc2423b34635af2778dee9be97e43fc9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Spoofer/Drive_Remover.bat
Size

13KB
MD5

0c345568b15f4163d3955388cfa615f4
SHA1

069c7b499e8f68fb90d316d6114440ef762507d6
SHA256

28dc4e8c24c16af0910f3542ec8ae12376e668e45ba310a7f25c87ab4bfb89e8
SHA512

d4619bbb7bfeccf0bb3ea7259fec6a8324aadd544017ee0df0390339d112fd0ced6707d91fc5036faf2c4cbcc9326c4ba57befbbdf909c2306c109acdba6c543
SSDEEP

192:dIo4yR9Y9A/r1/kMUnNLyCYSvGOqHQ28lh9YDpqWkSyt1ninmdKgZ:3xR9hjF/UnECROBClh9YDpDkSy3inlo

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	powershell.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI	powershell.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1856	1928	cmd.exe	29
PID 1928 wrote to memory of 1856	1928	cmd.exe	29
PID 1928 wrote to memory of 1856	1928	cmd.exe	29
PID 1856 wrote to memory of 2264	1856	net.exe	30
PID 1856 wrote to memory of 2264	1856	net.exe	30
PID 1856 wrote to memory of 2264	1856	net.exe	30
PID 1928 wrote to memory of 2956	1928	cmd.exe	31
PID 1928 wrote to memory of 2956	1928	cmd.exe	31
PID 1928 wrote to memory of 2956	1928	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Wave Spoofer\Drive_Remover.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\net.exe
  NET FILE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 FILE
    3⤵
    PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\AppData\Local\Temp\Wave Spoofer\Drive_Remover.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2956-4-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/2956-5-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2956-6-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-7-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2956-10-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2956-9-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2956-8-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-11-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-12-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2956-13-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2956-14-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2956-15-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download