Overview

overview

4

Static

static

1

Script.cmd

windows7-x64

4

Script.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Script.cmd

  • Size

    10KB

  • MD5

    e989bb0ae32b8b75aa8af97e95483602

  • SHA1

    e9c1e12aeb59dd721a068a553f3e24e3239b2d23

  • SHA256

    b885cecbb8978170a237bafb160e92fa6afd65db1c8e2f33098bac5e1712ba25

  • SHA512

    54925f5a5067960d8a27f73bf5e856562765ce317a1497335b9be71d621bf397d7af75760df02f695ed84bd57698077cb89e308a826b053d16c9da76b01f9846

  • SSDEEP

    96:NbQh9YG7IHKryL4jxV+feDPVlpicDwt/dYjxmYPYgBugajMLCeOeEPxS72wusuEQ:Nb3JqryL4jx0GDPVlZHggm7en5UR5

Score
1/10

Malware Config

Signatures

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Script.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:3868
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointCreationFrequency /t REG_DWORD /d 0 /f
        2⤵
          PID:1144
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Checkpoint-Computer -Description "Utilisation-du-script-de-Kidou" -RestorePointType MODIFY_SETTINGS
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2708
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v SystemRestorePointCreationFrequency /t REG_DWORD /d 1440 /f
          2⤵
            PID:2512
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:4388
        • C:\Windows\system32\srtasks.exe
          C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4672

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3frouh3.h02.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/2708-0-0x00007FFCBB043000-0x00007FFCBB045000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2708-6-0x00000230311B0000-0x00000230311D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2708-11-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2708-12-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2708-15-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

          Filesize

          10.8MB

          Download