Analysis
max time kernel: 88s
max time network: 96s
platform: windows11-21h2_x64
resource: win11-20241023-en
resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-11-2024 16:48
Static task: static1
Behavioral task: behavioral1
  Sample: Batch/Apps/FraxWare.bat
  Resource: win11-20241023-en (windows11-21h2-x64)
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: Batch/Apps/winrar-x64-701.exe
  Resource: win11-20241007-en (windows11-21h2-x64)
  1 signature, 150 seconds
Behavioral task: behavioral3
  Sample: Batch/IncogApp.bat
  Resource: win11-20241007-en (windows11-21h2-x64)
  9 signatures, 150 seconds
General
Target: Batch/Apps/FraxWare.bat
Size: 1KB
MD5: 0ad1ce56f08875fa9e08561c2bf9f2ed
SHA1: c9d4d45aae0626cca88fbafdf1a0e0671b99864f
SHA256: 7c52ff38ae4e6f517209e0481c1e8efebfa61006f9b7ba74a72ab397b12fd84b
SHA512: aea1e664884014ff7f92f6308f9ac3b2d1ef43fbaab5df16280485138e7b07182c7555337e397d851b27093a65a0404bcb58c2c40aa223d8d46672074cb0dc8b
Score: 1/10
Malware Config
Signatures
Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid 456, process ipconfig.exe
Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  pid 3096, process systeminfo.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges adjusted, by pid and process:
  pid 4428 WMIC.exe, two identical runs of: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 1796 WMIC.exe, one run of the same 21 tokens in the same order, followed by SeIncreaseQuotaPrivilege once more
Suspicious use of WriteProcessMemory (12 IoCs)
  pid 220 cmd.exe wrote to memory of the following processes (each entry recorded twice):
    3096 (procid_target 80)
    4428 (procid_target 84)
    1796 (procid_target 85)
    228 (procid_target 86)
    456 (procid_target 87)
    4004 (procid_target 88)
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Batch\Apps\FraxWare.bat"
  PID: 220
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\system32\systeminfo.exe
      Command line: systeminfo
      PID: 3096
      Signatures: Gathers system information
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get caption, deviceid, name, numberofcores, maxclockspeed, status
      PID: 4428
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic memorychip get devicelocator, capacity, speed
      PID: 1796
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic diskdrive get model, size, mediaType
      PID: 228
    C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      PID: 456
      Signatures: Gathers network information
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic product get name, version
      PID: 4004
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3744