28dc4e8c24c16af0910f3542ec8ae12376e668e45ba310a7f25c87ab4bfb89e8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

remover hd.bat
Size

13KB
MD5

0c345568b15f4163d3955388cfa615f4
SHA1

069c7b499e8f68fb90d316d6114440ef762507d6
SHA256

28dc4e8c24c16af0910f3542ec8ae12376e668e45ba310a7f25c87ab4bfb89e8
SHA512

d4619bbb7bfeccf0bb3ea7259fec6a8324aadd544017ee0df0390339d112fd0ced6707d91fc5036faf2c4cbcc9326c4ba57befbbdf909c2306c109acdba6c543
SSDEEP

192:dIo4yR9Y9A/r1/kMUnNLyCYSvGOqHQ28lh9YDpqWkSyt1ninmdKgZ:3xR9hjF/UnECROBClh9YDpDkSy3inlo

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI	powershell.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2924	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1860	2656	cmd.exe	31
PID 2656 wrote to memory of 1860	2656	cmd.exe	31
PID 2656 wrote to memory of 1860	2656	cmd.exe	31
PID 1860 wrote to memory of 2488	1860	net.exe	32
PID 1860 wrote to memory of 2488	1860	net.exe	32
PID 1860 wrote to memory of 2488	1860	net.exe	32
PID 2656 wrote to memory of 2924	2656	cmd.exe	33
PID 2656 wrote to memory of 2924	2656	cmd.exe	33
PID 2656 wrote to memory of 2924	2656	cmd.exe	33
PID 2924 wrote to memory of 2896	2924	powershell.exe	35
PID 2924 wrote to memory of 2896	2924	powershell.exe	35
PID 2924 wrote to memory of 2896	2924	powershell.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\remover hd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\net.exe
  NET FILE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 FILE
    3⤵
    PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell /nologo /noprofile /command "&{[ScriptBlock]::Create((cat """C:\Users\Admin\AppData\Local\Temp\remover hd.bat""") -join [Char[]]10).Invoke(@(&{$args}))}"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\PnPutil.exe
    "C:\Windows\system32\PnPutil.exe" /remove-device SCSI\\ /force
    3⤵
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-4-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

Filesize
4KB

Download
memory/2924-5-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2924-6-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2924-7-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-8-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download