Resubmissions

  • 17-05-2024 18:48    240517-xf6l1add77    10

  • 17-05-2024 08:41    240517-klghvahh3x    10

  • 17-05-2024 08:39    240517-kkggfsab38    10

General

  • Target

    ApokalypseX.bat

  • Size

    11KB

  • Sample

    240517-xf6l1add77

  • MD5

    e4adc86d9f409d319c672d7d5384a04e

  • SHA1

    b61144e94b18919b99b3621446a4f85c8838c707

  • SHA256

    f35b98999496548741f902a7fa25795bcadb43d7839c2acfbfc48c53be4a3be9

  • SHA512

    189cd4ac752e2c87209a7a140278195d4a166ecc3d73befa7f91681b393873ea6b4cb4d15766ff3c5fabfeea0d21724c6e75b39c68abfde18c346ee9f2e76395

  • SSDEEP

    192:zxR/b5lT2hCaRWzWXCaRWzWgMoUWqe71uQNVyRhb+/yB3fZlo0o/hr+pMnKFYjQS:dRnqhCD6XCD6gMOuCVyRhb+/yB3fZejb

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper  https://cdn.discordapp.com/attachments/1181543227728330774/1237538022371754046/ByteVaultX.exe?ex=66473758&is=6645e5d8&hm=86bba81d6232969cb4ade81e882b8bcee5f5dacefa6cc2ac70ca40db4c969e4c&

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper  https://cdn.discordapp.com/attachments/1181543227728330774/1238213032279277699/D34TH_6.0.exe?ex=6647b1bf&is=6646603f&hm=a17f4d5fea737c6a13af1c4e897a50895221d179bd368787d2b09c5647e4daf7&

Targets

    • Target

      ApokalypseX.bat

    • Size

      11KB

    • MD5

      e4adc86d9f409d319c672d7d5384a04e

    • SHA1

      b61144e94b18919b99b3621446a4f85c8838c707

    • SHA256

      f35b98999496548741f902a7fa25795bcadb43d7839c2acfbfc48c53be4a3be9

    • SHA512

      189cd4ac752e2c87209a7a140278195d4a166ecc3d73befa7f91681b393873ea6b4cb4d15766ff3c5fabfeea0d21724c6e75b39c68abfde18c346ee9f2e76395

    • SSDEEP

      192:zxR/b5lT2hCaRWzWXCaRWzWgMoUWqe71uQNVyRhb+/yB3fZlo0o/hr+pMnKFYjQS:dRnqhCD6XCD6gMOuCVyRhb+/yB3fZejb

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Command and Scripting Interpreter (T1059): 3

    • PowerShell (T1059.001): 2

Persistence

  • Create or Modify System Process (T1543): 1

    • Windows Service (T1543.003): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1

    • Windows Service (T1543.003): 1

Defense Evasion

  • Impair Defenses (T1562): 1

    • Disable or Modify System Firewall (T1562.004): 1

  • File and Directory Permissions Modification (T1222): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 5

Tasks