Analysis
max time kernel: 32s
max time network: 65s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 16:45
Static task: static1

Behavioral task: behavioral1
  Sample: Batch/Apps/FraxWare.bat
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: Batch/Apps/FraxWare.bat
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: Batch/Apps/winrar-x64-701.exe
  Resource: win7-20241010-en

Behavioral task: behavioral4
  Sample: Batch/Apps/winrar-x64-701.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral5
  Sample: Batch/IncogApp.bat
  Resource: win7-20241010-en

Behavioral task: behavioral6
  Sample: Batch/IncogApp.bat
  Resource: win10v2004-20241007-en
General
Target: Batch/Apps/FraxWare.bat
Size: 1KB
MD5: 0ad1ce56f08875fa9e08561c2bf9f2ed
SHA1: c9d4d45aae0626cca88fbafdf1a0e0671b99864f
SHA256: 7c52ff38ae4e6f517209e0481c1e8efebfa61006f9b7ba74a72ab397b12fd84b
SHA512: aea1e664884014ff7f92f6308f9ac3b2d1ef43fbaab5df16280485138e7b07182c7555337e397d851b27093a65a0404bcb58c2c40aa223d8d46672074cb0dc8b
Malware Config
Signatures

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  pid   Process
  2832  ipconfig.exe

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
  pid   Process
  2216  systeminfo.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token adjustments recorded (description, pid, Process), grouped by process; 64 rows in total:
  PID 2864 WMIC.exe, the following 20 tokens, each recorded twice (40 rows):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 3028 WMIC.exe, the following 20 tokens, recorded once (20 rows):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 3028 WMIC.exe, a further partial repeat (4 rows):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege

Suspicious use of WriteProcessMemory (27 IoCs)
  description                       pid   Process  procid_target
  PID 2744 wrote to memory of 2216  2744  cmd.exe  31
  PID 2744 wrote to memory of 2864  2744  cmd.exe  34
  PID 2744 wrote to memory of 3028  2744  cmd.exe  35
  PID 2744 wrote to memory of 3012  2744  cmd.exe  36
  PID 2744 wrote to memory of 2832  2744  cmd.exe  37
  PID 2744 wrote to memory of 2624  2744  cmd.exe  38
  PID 2744 wrote to memory of 1836  2744  cmd.exe  40
  PID 2744 wrote to memory of 1612  2744  cmd.exe  41
  PID 2744 wrote to memory of 2164  2744  cmd.exe  42
  Each of the nine rows above is recorded three times in the report (27 rows in total).
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Batch\Apps\FraxWare.bat"
  PID: 2744
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\system32\systeminfo.exe
      Command line: systeminfo
      PID: 2216
      Signatures: Gathers system information
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get caption, deviceid, name, numberofcores, maxclockspeed, status
      PID: 2864
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic memorychip get devicelocator, capacity, speed
      PID: 3028
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic diskdrive get model, size, mediaType
      PID: 3012
    C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      PID: 2832
      Signatures: Gathers network information
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic product get name, version
      PID: 2624
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_videocontroller get caption, deviceid, driverversion
      PID: 1836
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic os get caption, version, architecture
      PID: 1612
    C:\Windows\system32\whoami.exe
      Command line: whoami
      PID: 2164

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 840