115b2073a7c29d29306c610994e0ba4f488ac5edc86521d30f1033c8ad71ad23

General

Target

MotherRAN.bat
Size

4KB
MD5

ada36d05b12d42f0426bf94c93760bd7
SHA1

3ed79b64085751c60c7f407a38717b16d1ba34ac
SHA256

115b2073a7c29d29306c610994e0ba4f488ac5edc86521d30f1033c8ad71ad23
SHA512

572822141351c3134c78027b7044a4e474b24cdc9a85b94519ecaea19f56428be44e4a3bb7022c314b6845400913c9ba76056b7813ad79807a28162b9ffff167
SSDEEP

48:m7E1kYwzrDtXKTIuVfO1Z/7u0OU9XjXXjonXjtXjeXj0XjEwXfVfc+vVaElNghbo:bA9j4ZEaEeAh8GadKrJ5FKRVIK+m

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\SystemFolder\\InfectionMaster3000.bat"	reg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InfectionMaster3000 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SystemFolder\\InfectionMaster3000.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InfectionMaster3000 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SystemFolder\\InfectionMaster3000.bat"	reg.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3216	4356	cmd.exe	83
PID 4356 wrote to memory of 3216	4356	cmd.exe	83
PID 4356 wrote to memory of 1104	4356	cmd.exe	84
PID 4356 wrote to memory of 1104	4356	cmd.exe	84
PID 4356 wrote to memory of 3480	4356	cmd.exe	85
PID 4356 wrote to memory of 3480	4356	cmd.exe	85
PID 4356 wrote to memory of 4472	4356	cmd.exe	86
PID 4356 wrote to memory of 4472	4356	cmd.exe	86
PID 4356 wrote to memory of 5040	4356	cmd.exe	87
PID 4356 wrote to memory of 5040	4356	cmd.exe	87
PID 4356 wrote to memory of 1300	4356	cmd.exe	88
PID 4356 wrote to memory of 1300	4356	cmd.exe	88
PID 4356 wrote to memory of 2776	4356	cmd.exe	89
PID 4356 wrote to memory of 2776	4356	cmd.exe	89
PID 4356 wrote to memory of 704	4356	cmd.exe	90
PID 4356 wrote to memory of 704	4356	cmd.exe	90
PID 4356 wrote to memory of 2904	4356	cmd.exe	91
PID 4356 wrote to memory of 2904	4356	cmd.exe	91
PID 4356 wrote to memory of 1008	4356	cmd.exe	92
PID 4356 wrote to memory of 1008	4356	cmd.exe	92
PID 4356 wrote to memory of 2648	4356	cmd.exe	93
PID 4356 wrote to memory of 2648	4356	cmd.exe	93

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1300	attrib.exe
2776	attrib.exe
3216	attrib.exe
1104	attrib.exe
3480	attrib.exe
4472	attrib.exe
5040	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MotherRAN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\SystemFolder"
  2⤵
  - Views/modifies file attributes
  PID:3216
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\SystemFolder\InfectionMaster3000.bat"
  2⤵
  - Views/modifies file attributes
  PID:1104
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InfectionMaster3000.bat"
  2⤵
  - Views/modifies file attributes
  PID:3480
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\Recent\InfectionMaster3000.bat"
  2⤵
  - Views/modifies file attributes
  PID:4472
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\Desktop\InfectionMaster3000.bat"
  2⤵
  - Views/modifies file attributes
  PID:5040
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\Pictures\InfectionMaster3000.bat"
  2⤵
  - Views/modifies file attributes
  PID:1300
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\Documents\InfectionMaster3000.bat"
  2⤵
  - Views/modifies file attributes
  PID:2776
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v InfectionMaster3000 /d "C:\Users\Admin\AppData\Local\Temp\SystemFolder\InfectionMaster3000.bat" /f
  2⤵
  - Adds Run key to start application
  PID:704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v InfectionMaster3000 /d "C:\Users\Admin\AppData\Local\Temp\SystemFolder\InfectionMaster3000.bat" /f
  2⤵
  - Adds Run key to start application
  PID:2904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Local\Temp\SystemFolder\InfectionMaster3000.bat" /f
  2⤵
  - Modifies WinLogon for persistence
  PID:1008
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell" /d "cmd.exe /k C:\Users\Admin\AppData\Local\Temp\SystemFolder\InfectionMaster3000.bat" /f
  2⤵
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SystemFolder\InfectionMaster3000.bat

Filesize
1KB

MD5
bae8c97eb14f7edec81abdbb91a08481

SHA1
b806cd70b1aca76db2d3333aac337e761a6214b7

SHA256
47537c8e7ff3061ba6eef0442886b7a8e33beaaa713b88b8234e8a176ad82730

SHA512
c55508ffbef3d6eeb17f1ed80072329c216092387316f8d0f7acd7acc2af0b83c48ed9437991e2222c9a091099895b1069ec019cfd7c214ebd18841cdf566527

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads