Analysis
max time kernel: 15s
max time network: 20s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 06:31
Behavioral task: behavioral1
Sample: Chara/Run.bat
Resource: win7-20240708-en
General
Target: Chara/Run.bat
Size: 55B
MD5: 953afedf73e9fd5cbd5dbcd0920aba23
SHA1: b5b55fc17f8f6ab01a13e07fd9a5d9565660ac86
SHA256: ec96730cd5760f76624c76d0c318095c8baebf131a457ce0e7f06169e01bc8d8
SHA512: 56f17fe591313dbd4d97a360b6f0c824e841270c6c456475ebe45f5a307dfc4b5bc6b3c4f1e9696ed2dff525586debc6cf0e95a86d755ab25fd83cdd6f32c421
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation; process: wscript.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow: 26; ioc: pastebin.com
  flow: 29; ioc: pastebin.com

  pid: 3676; process: powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; process: msedge.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; process: msedge.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; process: msedge.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid: 3676; process: powershell.exe
  pid: 2376; process: msedge.exe
  pid: 1664; process: msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid: 1664; process: msedge.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 3676; process: powershell.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid: 1664; process: msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs)
  pid: 1664; process: msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2928 wrote to memory of 2376; pid: 2928; process: cmd.exe; procid_target: 85
  description: PID 2376 wrote to memory of 3676; pid: 2376; process: wscript.exe; procid_target: 86
  description: PID 3676 wrote to memory of 1664; pid: 3676; process: powershell.exe; procid_target: 103
  description: PID 1664 wrote to memory of 1556; pid: 1664; process: msedge.exe; procid_target: 104
  description: PID 1664 wrote to memory of 4852; pid: 1664; process: msedge.exe; procid_target: 105
  description: PID 1664 wrote to memory of 2376; pid: 1664; process: msedge.exe; procid_target: 106
  description: PID 1664 wrote to memory of 3484; pid: 1664; process: msedge.exe; procid_target: 107
Processes

C:\Windows\system32\cmd.exe (PID 2928)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Chara\Run.bat"
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe (PID 2376)
    command line: wscript.exe InjectStart.vbs
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3676)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File ".\HackTool\Y0k9j8h76g5f4d3sdf56g7h8j9k.ps1"
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1664)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/raw/YRdAwctA
        signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1556)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb4bfb46f8,0x7ffb4bfb4708,0x7ffb4bfb4718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4852)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
          signatures: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3484)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3108)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2940)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (PID 2160)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 5028)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads