f3150a4f1e4a018809120e96e74486e3632472c26972033705c0a85812b46fc4

Resubmissions

19/09/2024, 16:21

240919-tt2nesydjr 1

19/09/2024, 07:09

240919-hyv6nawfph 6

19/09/2024, 07:08

240919-hynftawhpp 1

Analysis

max time kernel
134s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msgBox i see you.bat
Size

27B
MD5

6505a8447891170c99417fb136174f3f
SHA1

3a71642bb64c81ab175aff8d3d45e511fd43159b
SHA256

f3150a4f1e4a018809120e96e74486e3632472c26972033705c0a85812b46fc4
SHA512

d11a107fd457b0c78fa174c370c251e50bf99f302684eab421e517119a73d05e65eebc776b3d1812ac8de2d16b7926cedc6b0162aa5385c8e7cc0f3434ac56cb

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	systemreset.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	systemreset.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	systemreset.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3380	systemreset.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	3380	systemreset.exe
Token: SeRestorePrivilege	3380	systemreset.exe
Token: SeSystemEnvironmentPrivilege	3380	systemreset.exe
Token: SeBackupPrivilege	3380	systemreset.exe
Token: SeRestorePrivilege	3380	systemreset.exe
Token: SeSecurityPrivilege	3380	systemreset.exe
Token: SeTakeOwnershipPrivilege	3380	systemreset.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3380	systemreset.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\msgBox i see you.bat"
1⤵
PID:1020

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:164

C:\Windows\system32\systemreset.exe
"C:\Windows\system32\systemreset.exe" -moset
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads