4255bb71cc76e2c7365518f3a95821529cac1a78db74caa7fbb7bdf5b7e500bf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-de
resource tags

arch:x64arch:x86image:win10v2004-20240426-delocale:de-deos:windows10-2004-x64systemwindows
submitted
11-06-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

openme.bat
Size

1KB
MD5

f88ca05dc6442d0a12261fe0ea68d0be
SHA1

fd833e7545db8c6aa466e16b20ccf912702a9063
SHA256

4255bb71cc76e2c7365518f3a95821529cac1a78db74caa7fbb7bdf5b7e500bf
SHA512

808d6d0ef6bdf6a8222031abce6fb78462b518a8f91e5e3fe311700fe1fbb29c092950ab0b66698f10ffb305a1dffd65c950ab2eb27e4da3d630473f9abbeaad

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyLogger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KeyLogger\\run.bat"	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4388	396	cmd.exe	81
PID 396 wrote to memory of 4388	396	cmd.exe	81
PID 396 wrote to memory of 752	396	cmd.exe	82
PID 396 wrote to memory of 752	396	cmd.exe	82
PID 752 wrote to memory of 4140	752	cmd.exe	84
PID 752 wrote to memory of 4140	752	cmd.exe	84

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\openme.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v KeyLogger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KeyLogger\run.bat" /f
  2⤵
  - Adds Run key to start application
  PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\KeyLogger\run.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\KeyLogger\logger.vbs"
    3⤵
    PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KeyLogger\logger.vbs

Filesize
345B

MD5
7209372a5ec3777ccb0697f201e5e2c1

SHA1
e08f35127bc2ba8c95d81e9ea1cf32b823ff229f

SHA256
32f67126374daebbf91caecaeb6305ba312250cb786e2eed25fef5974f82b407

SHA512
0ec6e8b3625623c4e964557ed667369f15a0457083f18c4b1b807abffa1d2ce1f699087645d810849a9e9d0085d14a9625507ca623232b91dd7f3ef6b15ad625

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyLogger\run.bat

Filesize
88B

MD5
b263bae13d065815283a9562d9b45411

SHA1
d59e9b79d38103e1c2c4dc331aeae3d8608d8fd0

SHA256
a2ea72fa102560ec15a7ad0eb03242a98dbc743d52fa5d09489008c9001a6265

SHA512
8201d56eda8e50fe9bde550c1a50d394d1bc8405d8d865a9986e3f32749d5b08ae198367cd7f7f3520790037472c1c077f17a2484845e35a981fb0f4e4559c04

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads