44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e | Triage

Sharing

General

Target

44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat
Size

330KB
Sample

240529-q5nddsgd6s
MD5

54c448c9e570016b04f3f297447b3504
SHA1

6e0470f78a958153b513301505ff9379a2a625a0
SHA256

44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e
SHA512

a5bd205f446a3a04fe753a58983c8df7a468c9b90966c07339f1eb8d36b3ced1975660e102b15fc83b65e3794c8ffb6d40ff74f8a94c1ae8e33ffa0b4599fad6
SSDEEP

6144:qjP2m4Zg7LMk5EB11YdkawH8vlP+JamAtdQbCEk+ajFbkDUJEc+cEPMPonbK0v/b:qSm6g7LL6L/1HklP+szy+Fbkk5xwMAn7

Score

8^/10

execution persistence

Malware Config

Targets

- Target
  
  44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat
- Size
  
  330KB
- MD5
  
  54c448c9e570016b04f3f297447b3504
- SHA1
  
  6e0470f78a958153b513301505ff9379a2a625a0
- SHA256
  
  44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e
- SHA512
  
  a5bd205f446a3a04fe753a58983c8df7a468c9b90966c07339f1eb8d36b3ced1975660e102b15fc83b65e3794c8ffb6d40ff74f8a94c1ae8e33ffa0b4599fad6
- SSDEEP
  
  6144:qjP2m4Zg7LMk5EB11YdkawH8vlP+JamAtdQbCEk+ajFbkDUJEc+cEPMPonbK0v/b:qSm6g7LL6L/1HklP+szy+Fbkk5xwMAn7
Score

8^/10

execution persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

executionpersistence