Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 10:40
Behavioral task behavioral1
Sample: ICICIPAYMENTREFERENCE.bat.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: ICICIPAYMENTREFERENCE.bat.exe
Resource: win10v2004-20241007-en
General
Target: ICICIPAYMENTREFERENCE.bat.exe
Size: 500KB
MD5: 1c0a0f8af63ae1d01f674a15445bc38a
SHA1: 4b224a051f75ea361c525f3c64d5a50be03ec0e4
SHA256: 10bc8552d9b63666e0788161c13213c7275fdf6a0c4d3ba3d155036be3f4222d
SHA512: 45f5b2df88ad94637552bfd2e1b152778d54bb21a3a2bf5052d688cfa74344a29c75ed1af8990620ffe752d793ac270fe449f35ea6cffa20f24195e56b962fa5
SSDEEP: 12288:zPCKUFlhDzgX/m46A9jmP/uhu/yMS08CkntxYR:zPvslhDWxfmP/UDMS08Ckn3
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                           process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ICICIPAYMENTREFERENCE.bat.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid   process
876   ICICIPAYMENTREFERENCE.bat.exe
876   ICICIPAYMENTREFERENCE.bat.exe
876   ICICIPAYMENTREFERENCE.bat.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                       pid   process                         target process
PID 876 wrote to memory of 1816   876   ICICIPAYMENTREFERENCE.bat.exe   cmd.exe
PID 876 wrote to memory of 1816   876   ICICIPAYMENTREFERENCE.bat.exe   cmd.exe
PID 876 wrote to memory of 1816   876   ICICIPAYMENTREFERENCE.bat.exe   cmd.exe
PID 876 wrote to memory of 1816   876   ICICIPAYMENTREFERENCE.bat.exe   cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ICICIPAYMENTREFERENCE.bat.exe (PID 876, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ICICIPAYMENTREFERENCE.bat.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1816, level 2, spawned by PID 876)
    command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    - System Location Discovery: System Language Discovery
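The Signatures and Processes sections above list the raw IoC rows. The Python below is an added example, not part of this report or of the sandbox that produced it; it parses rows in the shape they print here and reduces them to what a triager records: which processes opened the NLS\Language key (the System Language Discovery signature), which process wrote into which other process and how often, and whether the sample name carries a double extension (ICICIPAYMENTREFERENCE.bat.exe presents as a .bat file to anyone whose file manager hides known extensions). The row formats, the regular expressions, the key list and the extension lists are assumptions modelled on this page, and the input rows are constructed copies of the tables above.

```python
"""Correlate the IoC rows of a sandbox report into per-process findings.

Added example for this report; it is not the sandbox's own code. The row
formats below are assumptions modelled on how the Signatures tables read on
this page, and REPORT_ROWS is constructed from those tables.
"""
import re
from collections import Counter

# Constructed input: the IoC rows as they appear in the Signatures section.
REPORT_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICICIPAYMENTREFERENCE.bat.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
PID 876 wrote to memory of 1816 876 ICICIPAYMENTREFERENCE.bat.exe cmd.exe
PID 876 wrote to memory of 1816 876 ICICIPAYMENTREFERENCE.bat.exe cmd.exe
PID 876 wrote to memory of 1816 876 ICICIPAYMENTREFERENCE.bat.exe cmd.exe
PID 876 wrote to memory of 1816 876 ICICIPAYMENTREFERENCE.bat.exe cmd.exe
"""

# Assumed row shapes: "Key opened <key> <process>" and
# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
KEY_RE = re.compile(r"^Key opened (\S+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")

# Registry keys whose read the report labels "System Language Discovery"
# (ATT&CK T1614.001). ControlSet001 and CurrentControlSet name the same key
# on this image, so both spellings are listed; other reads are ignored.
LANGUAGE_KEYS = {
    r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE",
    r"\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\NLS\LANGUAGE",
}

# Extensions that, placed in front of a real executable extension, make a
# name like "report.bat.exe" read as a script or document once Explorer
# hides known extensions (assumed lists, extend to taste).
LURE_EXTENSIONS = {"bat", "cmd", "pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}


def parse_rows(text):
    """Split report rows into registry opens and cross-process writes."""
    key_opens, writes = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key_opens.append((m.group(1), m.group(2)))
        elif m := WRITE_RE.match(line):
            src, dst, _, src_image, dst_image = m.groups()
            writes.append((int(src), int(dst), src_image, dst_image))
    return {"key_opens": key_opens, "writes": writes}


def has_double_extension(filename):
    """True for names such as X.bat.exe: a lure extension in front of an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in LURE_EXTENSIONS and parts[2] in EXEC_EXTENSIONS


def findings(parsed, sample_name):
    """Reduce parsed rows to the three findings a triager would pull from this report."""
    language_discovery = [proc for key, proc in parsed["key_opens"] if key.upper() in LANGUAGE_KEYS]
    # One edge per (writer, target) pair; the count is how many rows backed it.
    # The count on its own is a weak signal; the edge (which image wrote into
    # which other process) is what carries meaning.
    cross_process_writes = Counter(
        (src, dst, src_image, dst_image)
        for src, dst, src_image, dst_image in parsed["writes"]
        if src != dst
    )
    return {
        "language_discovery": language_discovery,
        "cross_process_writes": dict(cross_process_writes),
        "double_extension": has_double_extension(sample_name),
    }


if __name__ == "__main__":
    result = findings(parse_rows(REPORT_ROWS), "ICICIPAYMENTREFERENCE.bat.exe")
    for name, value in result.items():
        print(f"{name}: {value}")
```

Run directly, it prints the three findings: both processes read the language key, the four WriteProcessMemory rows collapse to a single 876 -> 1816 edge with a count of 4 (the relationship worth recording rather than the raw row count), and the sample name is flagged as a double extension.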