Analysis
max time kernel: 95s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 16:45

Static task: static1

Behavioral tasks (all six belong to the same submission; this report covers behavioral2, FraxWare.bat on the Windows 10 image)
behavioral1: Batch/Apps/FraxWare.bat on win7-20240729-en
behavioral2: Batch/Apps/FraxWare.bat on win10v2004-20241007-en
behavioral3: Batch/Apps/winrar-x64-701.exe on win7-20241010-en
behavioral4: Batch/Apps/winrar-x64-701.exe on win10v2004-20241007-en
behavioral5: Batch/IncogApp.bat on win7-20241010-en
behavioral6: Batch/IncogApp.bat on win10v2004-20241007-en
General
Target: Batch/Apps/FraxWare.bat
Size: 1KB
MD5: 0ad1ce56f08875fa9e08561c2bf9f2ed
SHA1: c9d4d45aae0626cca88fbafdf1a0e0671b99864f
SHA256: 7c52ff38ae4e6f517209e0481c1e8efebfa61006f9b7ba74a72ab397b12fd84b
SHA512: aea1e664884014ff7f92f6308f9ac3b2d1ef43fbaab5df16280485138e7b07182c7555337e397d851b27093a65a0404bcb58c2c40aa223d8d46672074cb0dc8b
Malware Config
(no configuration was extracted for this sample)

Signatures

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
  PID 3152  ipconfig.exe

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
  PID 3544  systeminfo.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Privileges enabled through AdjustTokenPrivileges, grouped by process:
  PID 4004  WMIC.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-privilege sequence is recorded twice: 42 IoCs)
  PID 2972  WMIC.exe  the same 21-privilege sequence once, followed by one further SeIncreaseQuotaPrivilege (22 IoCs)
The entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. Caveat for triage: enabling this fixed privilege set is WMIC.exe's normal startup behaviour and happens for any wmic query, so this signature identifies the use of wmic, not an escalation attempt by the script.

Suspicious use of WriteProcessMemory (18 IoCs)
cmd.exe (PID 4600) wrote to the memory of every child it created. Each write is recorded twice, and procid_target is the sandbox's own process index, not a Windows PID:
  target PID  target process   procid_target
  3544        systeminfo.exe   83
  4004        WMIC.exe         86
  2972        WMIC.exe         87
  3324        WMIC.exe         88
  3152        ipconfig.exe     89
  3700        WMIC.exe         90
  1948        WMIC.exe         97
  4972        WMIC.exe         98
  396         whoami.exe       99
Caveat for triage: a parent writing into a child it has just created is part of ordinary process creation (the process parameters are written into the new process before it starts), so these IoCs are another view of the process tree below rather than evidence of injection.
Processes
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Batch\Apps\FraxWare.bat"   PID 4600   [Suspicious use of WriteProcessMemory]
  C:\Windows\system32\systeminfo.exe   systeminfo   PID 3544   [Gathers system information]
  C:\Windows\System32\Wbem\WMIC.exe   wmic cpu get caption, deviceid, name, numberofcores, maxclockspeed, status   PID 4004   [Suspicious use of AdjustPrivilegeToken]
  C:\Windows\System32\Wbem\WMIC.exe   wmic memorychip get devicelocator, capacity, speed   PID 2972   [Suspicious use of AdjustPrivilegeToken]
  C:\Windows\System32\Wbem\WMIC.exe   wmic diskdrive get model, size, mediaType   PID 3324
  C:\Windows\system32\ipconfig.exe   ipconfig /all   PID 3152   [Gathers network information]
  C:\Windows\System32\Wbem\WMIC.exe   wmic product get name, version   PID 3700
  C:\Windows\System32\Wbem\WMIC.exe   wmic path win32_videocontroller get caption, deviceid, driverversion   PID 1948
  C:\Windows\System32\Wbem\WMIC.exe   wmic os get caption, version, architecture   PID 4972
  C:\Windows\system32\whoami.exe   whoami   PID 396

C:\Windows\system32\msiexec.exe /V   PID 2688   (listed as a separate top-level process; the report records no parent link between it and the batch file)

Reading the tree: every child of the batch's cmd.exe is a host-enumeration command (system, CPU, memory, disk, GPU, OS and installed-product inventory, network configuration, current user). The report records no file drop, persistence mechanism or network connection for this task; what is observable is the burst of discovery utilities spawned from a single cmd.exe within the sandbox's run time. Note that wmic product get walks the Windows Installer database, which is slow and itself leaves traces in the Application event log; the msiexec.exe /V process listed above is consistent with that, but the report does not establish the link.
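The process tree above is the detection opportunity: one cmd.exe spawning systeminfo, several wmic queries, ipconfig /all and whoami within seconds. The following is an added example, not part of the sandbox report or of the sample, of a small detector over process-creation events that flags such a burst per parent process. The log lines are constructed to mirror the report's tree (PIDs and command lines as listed); the CSV layout, the timestamps, the benign admin session at the end, and the 60-second window and three-category threshold are assumptions made for the example.

```python
"""Flag a host-enumeration burst from one parent process (added example).

Events are "time,pid,ppid,image,commandline" CSV lines (assumed layout).
The sample below is constructed from the FraxWare.bat process tree plus one
benign admin session that must not alert.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events; timestamps and the trailing benign session are assumed.
SAMPLE_LOG = r"""
2024-11-26T16:46:01,4600,1234,cmd.exe,cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Batch\Apps\FraxWare.bat"
2024-11-26T16:46:02,3544,4600,systeminfo.exe,systeminfo
2024-11-26T16:46:04,4004,4600,WMIC.exe,wmic cpu get caption, deviceid, name, numberofcores, maxclockspeed, status
2024-11-26T16:46:05,2972,4600,WMIC.exe,wmic memorychip get devicelocator, capacity, speed
2024-11-26T16:46:06,3324,4600,WMIC.exe,wmic diskdrive get model, size, mediaType
2024-11-26T16:46:07,3152,4600,ipconfig.exe,ipconfig /all
2024-11-26T16:46:08,3700,4600,WMIC.exe,wmic product get name, version
2024-11-26T16:46:20,1948,4600,WMIC.exe,wmic path win32_videocontroller get caption, deviceid, driverversion
2024-11-26T16:46:21,4972,4600,WMIC.exe,wmic os get caption, version, architecture
2024-11-26T16:46:22,396,4600,whoami.exe,whoami
2024-11-26T17:10:00,5100,2222,cmd.exe,cmd.exe
2024-11-26T17:10:05,5120,5100,ipconfig.exe,ipconfig /all
"""

# Image name -> discovery category. Only the utilities seen in the report.
DISCOVERY_IMAGES = {
    "systeminfo.exe": "system",
    "wmic.exe": "wmi",
    "ipconfig.exe": "network",
    "whoami.exe": "identity",
}


def parse_events(text):
    """Parse the CSV lines; maxsplit=4 keeps commas inside wmic command lines."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmd = line.split(",", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "pid": int(pid),
            "ppid": int(ppid),
            "image": image.lower(),
            "cmd": cmd,
        })
    return events


def classify(event):
    """Return the discovery category of an event, or None if not a discovery tool."""
    return DISCOVERY_IMAGES.get(event["image"])


def wmic_class(cmd):
    """Extract the WMI class queried: 'wmic cpu ...' -> cpu, 'wmic path X ...' -> X."""
    toks = cmd.lower().split()
    if len(toks) > 2 and toks[1] == "path":
        return toks[2]
    return toks[1] if len(toks) > 1 else ""


def find_discovery_bursts(events, window_seconds=60, min_categories=3):
    """One alert per parent whose children cover >= min_categories within the window."""
    by_parent = defaultdict(list)
    for e in events:
        cat = classify(e)
        if cat:
            by_parent[e["ppid"]].append((e["time"], cat, e["cmd"]))

    alerts = []
    for ppid, kids in by_parent.items():
        kids.sort()  # chronological; sliding window starts at each child
        for i, (t0, _, _) in enumerate(kids):
            window = [k for k in kids[i:] if (k[0] - t0).total_seconds() <= window_seconds]
            cats = {k[1] for k in window}
            if len(cats) >= min_categories:
                alerts.append({
                    "ppid": ppid,
                    "start": t0,
                    "categories": sorted(cats),
                    "commands": [k[2] for k in window],
                    "wmi_classes": sorted({wmic_class(k[2]) for k in window if k[1] == "wmi"}),
                })
                break  # one alert per parent is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(parse_events(SAMPLE_LOG)):
        print(f"ppid {alert['ppid']} at {alert['start']}: {alert['categories']}")
        print("  wmi classes:", ", ".join(alert["wmi_classes"]))
        for cmd in alert["commands"]:
            print("  ", cmd)
```

Keying on the parent PID rather than on individual tools is what keeps the benign case quiet: a lone ipconfig /all from an admin shell never reaches three categories, while the batch's nine children do within 20 seconds. In production the same logic would read Sysmon Event ID 1 or Security 4688 (with command-line logging enabled) instead of the constructed CSV.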