Overview

overview

5

Static

static

1

ping.bat

windows7-x64

5

ping.bat

windows10-2004-x64

5

Analysis

  • max time kernel
    18s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 01:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ping.bat

  • Size

    6KB

  • MD5

    c8b0e18093c6933a410e9be9c20ef981

  • SHA1

    efeae5825a50d2235d91a22c686e24a3218bd912

  • SHA256

    b254a1de7c253acce610e4b908b97797794aa5df81a47fe6e94ff48df9dd7d0c

  • SHA512

    0a57bea094c7fd156abe864e380f368911e04d11a562f71924db69624ae4544054b1e95d49364ca444ee93ed6d232ea98fe6d7604278534ccb4d5d751649294a

  • SSDEEP

    96:5r6SjYOAn8RpyxE/KZhUN8Qd3YPUpC4B9DBttB:R6txE/KZhUN8QdIPUpLbT

Score
5/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

    execution
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ping.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\ping.bat' -ArgumentList 'am_admin'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ping.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo"
          4⤵
            PID:4236
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ( set /p="Creating restore point" & echo. )"
            4⤵
              PID:3156
            • C:\Windows\System32\Wbem\WMIC.exe
              Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "Ping Restore Point", 100, 7
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4944
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process where name="svchost.exe" CALL setpriority "idle"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3264
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Start-Process -Verb RunAs -FilePath 'ping' -ArgumentList 'am_admin'"
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3444
              • C:\Windows\system32\PING.EXE
                "C:\Windows\system32\PING.EXE" am_admin
                5⤵
                • Runs ping.exe
                PID:2452
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:4632

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              6cf293cb4d80be23433eecf74ddb5503

              SHA1

              24fe4752df102c2ef492954d6b046cb5512ad408

              SHA256

              b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

              SHA512

              0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              64B

              MD5

              d8b9a260789a22d72263ef3bb119108c

              SHA1

              376a9bd48726f422679f2cd65003442c0b6f6dd5

              SHA256

              d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

              SHA512

              550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqeitf0o.1sh.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • memory/872-0-0x00007FFA4D3D3000-0x00007FFA4D3D5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/872-10-0x000001BD3C900000-0x000001BD3C922000-memory.dmp

              Filesize

              136KB

              Download

            • memory/872-11-0x00007FFA4D3D0000-0x00007FFA4DE91000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/872-12-0x00007FFA4D3D0000-0x00007FFA4DE91000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/872-15-0x00007FFA4D3D0000-0x00007FFA4DE91000-memory.dmp

              Filesize

              10.8MB

              Download