6c7aff1eabc1f9c02ed6ec69d3460427f05a3619a8c191de4df28a9414774946

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 20:58

Target

Payment Note.bat.exe
Size

500KB
MD5

dfa0e8fd2a349c526938b2602947e457
SHA1

4cdc4939fc3feb328a5ad54d4d917e35ccdc9cdf
SHA256

6c7aff1eabc1f9c02ed6ec69d3460427f05a3619a8c191de4df28a9414774946
SHA512

1e09be5b5375246c91004d80fc6bce7ee66256208ccaca3a7776a43a9fa84de644624aebeddc020a43b67846e615d279c9d7e36d06601c1d915d9ea32f5dcf73
SSDEEP

12288:4+Oa75wxpzAZu9r46A9jmP/uhu/yMS08CkntxYR:FR75t1fmP/UDMS08Ckn3

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Payment Note.bat.exe

pid process

1972 Payment Note.bat.exe
1972 Payment Note.bat.exe
1972 Payment Note.bat.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Payment Note.bat.exe

description	pid	process	target process
PID 1972 wrote to memory of 2732	1972	Payment Note.bat.exe	cmd.exe
PID 1972 wrote to memory of 2732	1972	Payment Note.bat.exe	cmd.exe
PID 1972 wrote to memory of 2732	1972	Payment Note.bat.exe	cmd.exe
PID 1972 wrote to memory of 2732	1972	Payment Note.bat.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Payment Note.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Note.bat.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2732

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact