Overview

overview

6

Static

static

1

instalator...ki.bat

windows11-21h2-x64

6

Resubmissions

22-08-2024 19:59

240822-yqgw3axfrj 1

22-08-2024 19:56

240822-ynx59sxfjr 6

Analysis

  • max time kernel
    127s
  • max time network
    124s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-08-2024 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    instalator mojej paczki.bat

  • Size

    4KB

  • MD5

    f2f70d93b1789c929e7e233541e62c6e

  • SHA1

    9f42eb9e66ce4b6cb6baa9425c965c43e5dbf29f

  • SHA256

    913c6f43c39f4ed8255bc5085c4baaabcdcf7c3a4cef992430adf932e4e5df7e

  • SHA512

    52d05123719032ff3bde96e28a06990d9e8ff11ca57ac8e64f14194664f3b9947757898489318747633646f2da5ac9b7e0923c91a13f7b13bf84827b4b0ae958

  • SSDEEP

    96:cezJtsSsaSvQw4UGxWrhZ4rqcuQjQAmECbvhW5CSklZr4JYLXZPLLLWZAqVqPtDb:bVjWrhZ4rqRFAmECbhrSsZr4JyXZzLCg

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\instalator mojej paczki.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\system32\curl.exe
      curl https://cdn.modrinth.com/data/P7dR8mSH/versions/P7uGFii0/fabric-api-0.92.2B1.20.1.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\fabric-api-0.92.2+1.20.1.jar
      2⤵
        PID:496
      • C:\Windows\system32\curl.exe
        curl https://cdn.modrinth.com/data/AANobbMI/versions/QHGZ9XSU/sodium-fabric-0.5.9Bmc1.20.1.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\sodium-fabric-0.5.8+mc1.20.1.jar
        2⤵
          PID:2052
        • C:\Windows\system32\curl.exe
          curl https://cdn.modrinth.com/data/gvQqBUqZ/versions/ZSNsJrPI/lithium-fabric-mc1.20.1-0.11.2.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\lithium-fabric-md1.20.1-0.11.2.jar
          2⤵
            PID:1168
          • C:\Windows\system32\curl.exe
            curl https://cdn.modrinth.com/data/Orvt0mRa/versions/VlLxDisa/indium-1.0.31Bmc1.20.4.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\indium-1.0.31+mc1.20.4.jar
            2⤵
              PID:3032
            • C:\Windows\system32\curl.exe
              curl https://cdn.modrinth.com/data/YL57xq9U/versions/KHQ2Hnpt/iris-1.7.0Bmc1.20.1.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\iris-1.7.0+mc1.20.1.jar
              2⤵
                PID:1668
              • C:\Windows\system32\curl.exe
                curl https://cdn.modrinth.com/data/1IjD5062/versions/84Zs6tNo/continuity-3.0.0-beta.5B1.20.1.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\continuity-3.0.0-beta.5+1.20.1.jar
                2⤵
                  PID:4160
                • C:\Windows\system32\curl.exe
                  curl https://cdn.modrinth.com/data/lfHFW1mp/versions/OLBYX5jG/journeymap-1.20.1-5.10.1-fabric.jar -o C:\Users\Admin\AppData\Roaming\.minecraft\mods\journeymap-1.20.1-5.10.1-fabric.jar
                  2⤵
                    PID:1096
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:4700
                  • C:\Windows\system32\SearchIndexer.exe
                    C:\Windows\system32\SearchIndexer.exe /Embedding
                    1⤵
                    • Enumerates connected drives
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4024
                    • C:\Windows\System32\SearchProtocolHost.exe
                      "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
                      2⤵
                      • Modifies data under HKEY_USERS
                      PID:3172
                    • C:\Windows\system32\SearchFilterHost.exe
                      "C:\Windows\system32\SearchFilterHost.exe" 828 2644 2640 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
                      2⤵
                        PID:4800

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\.minecraft\mods\continuity-3.0.0-beta.5+1.20.1.jar
                      Filesize

                      75B

                      MD5

                      ec2c6925a7dafdc0064179af269db092

                      SHA1

                      fef35098cf25319059c52d8d010aa644052d5f3a

                      SHA256

                      c07c66218123240f6e1a8b0871f73279a7449af7040cd0b6d99aa3723d38a11a

                      SHA512

                      f747f7e6fc97fcdea0f3c5a4a1b3749dd8327cd4109863c6ef0351e5df625dfb639b19e480d9d7e89d42b43db45b2364a39f5568f0d5093b7fcfc5141f0ce3b0

                      Download Submit

                    • memory/4024-7-0x000002CCD4C60000-0x000002CCD4C70000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4024-23-0x000002CCD4D60000-0x000002CCD4D70000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4024-39-0x000002CCD9450000-0x000002CCD9458000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4024-41-0x000002CCD9670000-0x000002CCD9678000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4024-42-0x000002CCD9660000-0x000002CCD9661000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4024-44-0x000002CCD9660000-0x000002CCD9668000-memory.dmp

                      Filesize

                      32KB

                      Download