Overview

overview

9

Static

static

7

988f5cc56c...4f.exe

windows7-x64

9

988f5cc56c...4f.exe

windows10-2004-x64

9

$DESKTOP/�...��.bat

windows7-x64

1

$DESKTOP/�...��.bat

windows10-2004-x64

1

$PLUGINSDI...el.dll

windows7-x64

7

$PLUGINSDI...el.dll

windows10-2004-x64

7

$PLUGINSDI...tp.dll

windows7-x64

1

$PLUGINSDI...tp.dll

windows10-2004-x64

1

TigerHwidTool.exe

windows7-x64

9

TigerHwidTool.exe

windows10-2004-x64

9

spiderman.bat

windows7-x64

8

spiderman.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $DESKTOP/查看机器码.bat

  • Size

    1KB

  • MD5

    4a027f0c86eb9614e81af680b2475499

  • SHA1

    ca79f5c7789ffd01af9c00d20f15b1077e55fc15

  • SHA256

    6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050

  • SHA512

    169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$DESKTOP\查看机器码.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\system32\mode.com
      mode con cols=85 lines=90
      2⤵
        PID:1780
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\system32\reg.exe
          reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
          3⤵
          • Enumerates system info in registry
          PID:332
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3684
        • C:\Windows\system32\reg.exe
          reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
          3⤵
          • Enumerates system info in registry
          PID:1864
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get Name
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4744
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get serialnumber
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get serialnumber
        2⤵
          PID:4464
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic bios get serialnumber
          2⤵
            PID:2784
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic baseboard get serialnumber
            2⤵
              PID:3756
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic csproduct get uuid
              2⤵
                PID:1944
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3356
                • C:\Windows\system32\ipconfig.exe
                  ipconfig /all
                  3⤵
                  • Gathers network information
                  PID:4540
                • C:\Windows\system32\findstr.exe
                  findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
                  3⤵
                    PID:2592
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
                  2⤵
                    PID:2072

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Command and Scripting Interpreter

                1
                T1059

                Persistence

                Privilege Escalation

                Defense Evasion

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads