4255bb71cc76e2c7365518f3a95821529cac1a78db74caa7fbb7bdf5b7e500bf

Analysis

max time kernel
45s
max time network
17s
platform
windows7_x64
resource
win7-20240221-de
resource tags

arch:x64arch:x86image:win7-20240221-delocale:de-deos:windows7-x64systemwindows
submitted
11/06/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

openme.bat
Size

1KB
MD5

f88ca05dc6442d0a12261fe0ea68d0be
SHA1

fd833e7545db8c6aa466e16b20ccf912702a9063
SHA256

4255bb71cc76e2c7365518f3a95821529cac1a78db74caa7fbb7bdf5b7e500bf
SHA512

808d6d0ef6bdf6a8222031abce6fb78462b518a8f91e5e3fe311700fe1fbb29c092950ab0b66698f10ffb305a1dffd65c950ab2eb27e4da3d630473f9abbeaad

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyLogger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KeyLogger\\run.bat"	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2624	2600	cmd.exe	29
PID 2600 wrote to memory of 2624	2600	cmd.exe	29
PID 2600 wrote to memory of 2624	2600	cmd.exe	29
PID 2600 wrote to memory of 2628	2600	cmd.exe	30
PID 2600 wrote to memory of 2628	2600	cmd.exe	30
PID 2600 wrote to memory of 2628	2600	cmd.exe	30
PID 2628 wrote to memory of 2564	2628	cmd.exe	32
PID 2628 wrote to memory of 2564	2628	cmd.exe	32
PID 2628 wrote to memory of 2564	2628	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\openme.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v KeyLogger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KeyLogger\run.bat" /f
  2⤵
  - Adds Run key to start application
  PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\KeyLogger\run.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\KeyLogger\logger.vbs"
    3⤵
    PID:2564

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KeyLogger\logger.vbs

Filesize
345B

MD5
7209372a5ec3777ccb0697f201e5e2c1

SHA1
e08f35127bc2ba8c95d81e9ea1cf32b823ff229f

SHA256
32f67126374daebbf91caecaeb6305ba312250cb786e2eed25fef5974f82b407

SHA512
0ec6e8b3625623c4e964557ed667369f15a0457083f18c4b1b807abffa1d2ce1f699087645d810849a9e9d0085d14a9625507ca623232b91dd7f3ef6b15ad625

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyLogger\logger.vbs

Filesize
298B

MD5
a2b871c0ca5026c0a6e77300db7a1ef4

SHA1
169ef01e91e0156a3e185a8ef4af9b5c40873e56

SHA256
0b4ec8528e33aa4cf8c9e8356f5835a170db12c139a0a63c81f2f9158eef6553

SHA512
b5a3664cfd4dfd1c98c2476ffb1ce3d0d9bd0cf44506679ba44f69ae794ae4e0f45fab6a1d35e91c4b8e9fc67226abae9057735c7e4df6ef0a47525e4c3b3452

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyLogger\run.bat

Filesize
88B

MD5
b263bae13d065815283a9562d9b45411

SHA1
d59e9b79d38103e1c2c4dc331aeae3d8608d8fd0

SHA256
a2ea72fa102560ec15a7ad0eb03242a98dbc743d52fa5d09489008c9001a6265

SHA512
8201d56eda8e50fe9bde550c1a50d394d1bc8405d8d865a9986e3f32749d5b08ae198367cd7f7f3520790037472c1c077f17a2484845e35a981fb0f4e4559c04

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads