22f83229ea6dbe8f8e831939dfd7831a7817ac967ccb87afda077d1d47cea4e2

Resubmissions

12/10/2024, 08:42

241012-kl3fbascqa 6

12/10/2024, 08:41

241012-klghvascne 6

Analysis

max time kernel
7s
max time network
0s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driverless-disk.bat
Size

13KB
MD5

49a5f55868a783b754fead973013bbee
SHA1

298c7ecf80b26bd204b709f1a13c6dc0d7747a91
SHA256

22f83229ea6dbe8f8e831939dfd7831a7817ac967ccb87afda077d1d47cea4e2
SHA512

8f7e27e3232137c3622e156595618e8ae19ae29fc9ee75be51ee715b821d3a0320956e84a34502020d88a3ef5b6c45405afb7012fbf96288c2aa4c305236f1d1
SSDEEP

192:dIc4yR9Y9A/r1/kMUnNLyCYSvGOqHQ28lh9YDpqWkSyt1ninmdKgZ:bxR9hjF/UnECROBClh9YDpDkSy3inlo

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI	powershell.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2384	1308	cmd.exe	30
PID 1308 wrote to memory of 2384	1308	cmd.exe	30
PID 1308 wrote to memory of 2384	1308	cmd.exe	30
PID 2384 wrote to memory of 2992	2384	net.exe	31
PID 2384 wrote to memory of 2992	2384	net.exe	31
PID 2384 wrote to memory of 2992	2384	net.exe	31
PID 1308 wrote to memory of 2596	1308	cmd.exe	32
PID 1308 wrote to memory of 2596	1308	cmd.exe	32
PID 1308 wrote to memory of 2596	1308	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\driverless-disk.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\system32\net.exe
  NET FILE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 FILE
    3⤵
    PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\AppData\Local\Temp\driverless-disk.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-4-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/2596-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2596-7-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-9-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-8-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2596-10-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-11-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download