Analysis
max time kernel: 155s
max time network: 146s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 08/08/2024, 20:58
Static task: static1
Behavioral task: behavioral1
Sample: sus.bat
Resource: win7-20240729-en
General
Target: sus.bat
Size: 262B
MD5: 43e1aac96df2f4c1a5a82356fe787f7f
SHA1: d44e20b7fdab20b9b6924147dc4a4c0b2b11af37
SHA256: 64c4b723188aecf07f98ffe05d74f8e5597e2c41740edd1bff09eaa3c0f7a539
SHA512: 5998d05695d32ba030cd1198205d6a275aa3fd0efaed8df27b9b6aa50c9e5a73a249bd1cfcad0cadc8a00d22e7a7db61e4da8f7a2aeb55da0e37b6e956992bb4
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings | explorer.exe
Opens file in notepad (likely ransom note) 3 IoCs
pid | Process
1968 | NOTEPAD.EXE
2880 | NOTEPAD.EXE
2928 | NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process | count
Token: 33 | 2000 | AUDIODG.EXE | 2
Token: SeIncBasePriorityPrivilege | 2000 | AUDIODG.EXE | 2
Token: SeShutdownPrivilege | 3048 | explorer.exe | 7
Token: SeShutdownPrivilege | 2236 | explorer.exe | 16
Suspicious use of FindShellTrayWindow 30 IoCs
pid | Process | count
3048 | explorer.exe | 2
2236 | explorer.exe | 28
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | count
3048 | explorer.exe | 4
2236 | explorer.exe | 60
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\sus.bat"
  PID: 624
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\virus60\message.txt
  - Opens file in notepad (likely ransom note)
  PID: 1968
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\virus20\message.txt
  - Opens file in notepad (likely ransom note)
  PID: 2880
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
  PID: 836
- C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sus.bat" "
  PID: 996
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
  PID: 1656
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log
  - Opens file in notepad (likely ransom note)
  PID: 2928
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f8
  - Suspicious use of AdjustPrivilegeToken
  PID: 2000
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 2116
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 2788
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 1008
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 1912
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 2948
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 3020
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 1968
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SetupExe(2024072916192591C).log
  PID: 2600
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3048
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2236
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 18B
MD5: 6a6e4723bafd2f942ad2f82004d44dac
SHA1: dd74522bc7cd651220620237bd9624f4e245814f
SHA256: 63600bff370d8ecd43024de7dd4467899f45e7d2e87c5f5f6cdab249fd6eaa1f
SHA512: 5e280449917b727b659a42cb5c007eb99a7e24fad816fe11806f51f76895a6791252e5d04304c09ba03eab766b6ef24efb3735cb399b7ab0db8278f4b2ee02b2