Analysis
-
max time kernel
33s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 06:33
Behavioral task
behavioral1
Sample
Chara/Run.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Chara/Run.bat
Resource
win10v2004-20241007-en
General
-
Target
Chara/Run.bat
-
Size
55B
-
MD5
953afedf73e9fd5cbd5dbcd0920aba23
-
SHA1
b5b55fc17f8f6ab01a13e07fd9a5d9565660ac86
-
SHA256
ec96730cd5760f76624c76d0c318095c8baebf131a457ce0e7f06169e01bc8d8
-
SHA512
56f17fe591313dbd4d97a360b6f0c824e841270c6c456475ebe45f5a307dfc4b5bc6b3c4f1e9696ed2dff525586debc6cf0e95a86d755ab25fd83cdd6f32c421
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation wscript.exe -
pid Process 184 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 184 powershell.exe 184 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 184 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4420 wrote to memory of 4564 4420 cmd.exe 87 PID 4420 wrote to memory of 4564 4420 cmd.exe 87 PID 4564 wrote to memory of 184 4564 wscript.exe 88 PID 4564 wrote to memory of 184 4564 wscript.exe 88
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Chara\Run.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\system32\wscript.exewscript.exe InjectStart.vbs2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File ".\HackTool\Y0k9j8h76g5f4d3sdf56g7h8j9k.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82