Analysis

  • max time kernel
    132s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-09-2024 07:21

General

  • Target

    Flexlm/RLM_Redshift_LicServer/stop_rlm_Redshift.bat

  • Size

    871B

  • MD5

    dd42a41304b17ecffaed8c5c41a425cc

  • SHA1

    08facc23eb93a58b816384533e4c16c975bdeabd

  • SHA256

    ecd34db7e7aff5aa843f048b64f76ad19c4123d6d77616855a8613eb0c111458

  • SHA512

    ca8c16242aed2b842d6e7859109d4ea5c9efb435773af0b52304f9531274f57b50883ea6950e2672ec5fc3dd3f7503f57e04d21122b5417d3e6a7e398245bfd9

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Flexlm\RLM_Redshift_LicServer\stop_rlm_Redshift.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\system32\net.exe
      C:\Windows\system32\net stop RLM-Redshift
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop RLM-Redshift
        3⤵
        PID:992
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\system32\find.exe
      find /i "CGHotman_Redshift_Server.exe"
      2⤵
      PID:5096
    • C:\Windows\system32\sc.exe
      SC delete RLM-Redshift
      2⤵
      • Launches sc.exe
      PID:2348
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
    1⤵
    PID:4904

Network

MITRE ATT&CK Enterprise v15
