71c645b58cf6bd0d7919901fdd9c3654d5ec269c4678c2e58726585c3bf9612a

General

Target

wallpaper.bat.exe
Size

97KB
MD5

2b27ae48cb717f92fec9d4c62f9b058a
SHA1

6ba23ca2620ae39dccdcdce947db7c3d229c939a
SHA256

71c645b58cf6bd0d7919901fdd9c3654d5ec269c4678c2e58726585c3bf9612a
SHA512

5bbadcede2f96beeb4a46e82d7a44ec559ff8271ca0495bb5b9c4a0e6270203da43d9dc277e6b3c88c93edecab980a71990f2878233a9d2b212e4072c483270e
SSDEEP

1536:Y2Y0VNblnigen1FQGpaika1PASjg/oCRNd+FXIhUBZ:Y23rbZi/8GprF3jg/oMNd4I+f

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

wallpaper.bat.execmd.execmd.exe

description	pid	process	target process
PID 4520 wrote to memory of 4456	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4456	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4456	4520	wallpaper.bat.exe	cmd.exe
PID 4456 wrote to memory of 4312	4456	cmd.exe	mode.com
PID 4456 wrote to memory of 4312	4456	cmd.exe	mode.com
PID 4456 wrote to memory of 4312	4456	cmd.exe	mode.com
PID 4520 wrote to memory of 1576	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1576	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1576	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4364	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4364	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4364	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 552	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 552	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 552	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4496	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4496	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 4496	4520	wallpaper.bat.exe	cmd.exe
PID 4496 wrote to memory of 3492	4496	cmd.exe	attrib.exe
PID 4496 wrote to memory of 3492	4496	cmd.exe	attrib.exe
PID 4496 wrote to memory of 3492	4496	cmd.exe	attrib.exe
PID 4520 wrote to memory of 1920	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1920	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1920	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1332	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1332	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 1332	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 5084	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 5084	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 5084	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 3480	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 3480	4520	wallpaper.bat.exe	cmd.exe
PID 4520 wrote to memory of 3480	4520	wallpaper.bat.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3492 attrib.exe

pid	process
3492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\wallpaper.bat.exe
"C:\Users\Admin\AppData\Local\Temp\wallpaper.bat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\mode.com
    mode con:cols=0120 lines=0030
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title wallpaper
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
  2⤵
  PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
  2⤵
  PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    3⤵
    - Views/modifies file attributes
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
  2⤵
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i6.bat

Filesize
173B

MD5
0f8f70e88009593eefaa155a8e31b1d6

SHA1
eabcc3f2135e0919e9456da0a4b1084f3382d4b6

SHA256
941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

SHA512
94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.t

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit

Analysis

Sharing