Overview

overview

8

Static

static

1

Auto updater.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 13:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Auto updater.bat

  • Size

    1KB

  • MD5

    dfd7107971e4deff0f0f1feca2c3470b

  • SHA1

    c693c9b3b21adec2149b22433307f9f258fe5412

  • SHA256

    d791a700143b69332f728749bfe1999094c2a9e7e1927ad33672b6ca2ed3c308

  • SHA512

    7e74df643af6caa068b6fec467533a6e54791cd05e4fff38384be3b54217c435599241572b244cfd8d9e71650d0e1bbd7eafc429077c115458037f19c46286d1

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Auto updater.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command " if (Get-Process -Name '(' -ErrorAction SilentlyContinue) { taskkill /F /IM '(' } ; if (-not (Get-Content 'C:\Windows\System32\drivers\etc\hosts' | Select-String '(')) { Add-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Value '127.0.0.1 (' } ; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2072
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4928

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdlozps2.yh3.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/2072-0-0x00007FF82DA93000-0x00007FF82DA95000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2072-1-0x0000016221460000-0x0000016221482000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2072-11-0x00007FF82DA90000-0x00007FF82E551000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2072-12-0x00007FF82DA90000-0x00007FF82E551000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2072-13-0x00007FF82DA90000-0x00007FF82E551000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2072-16-0x00007FF82DA90000-0x00007FF82E551000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4928-19-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-17-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-18-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-29-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-28-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-27-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-26-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-25-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-24-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4928-23-0x000002EB31B00000-0x000002EB31B01000-memory.dmp

          Filesize

          4KB

          Download