6d11d8339ed8917190ba15dfbdf12c46d0a9d90b4b680edf54a8c65585e76e74

Resubmissions

26/11/2024, 18:47

241126-xfj31atpdv 6

26/11/2024, 18:46

241126-xe42sazqgq 10

Analysis

max time kernel
17s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/11/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Application.bat
Size

1KB
MD5

1f886633d8933efe74279e6519035ac2
SHA1

e0b8ed8660b546dbe6a6cd6808d8ea33569647ea
SHA256

c8bd116c303dbf8c8f539a8353a180a1b5b51d771c820ef176359bf0f194e49e
SHA512

766a3452dc1265defb8168c87d8e187c33f42bfc936aaa061678fc23093a6ca10e32c06038f4e8127c53fddf1c2994550e01e059e4581c6ab6513e2a178a63c4

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	BackgroundTransferHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 6084 wrote to memory of 5200	6084	cmd.exe	80
PID 6084 wrote to memory of 5200	6084	cmd.exe	80

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Application.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:6084
- C:\Users\Admin\AppData\Local\Temp\luajit.exe
  luajit.exe cfg.txt
  2⤵
  PID:5200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5200-55-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-45-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-44-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-2-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-1-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-0-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-63-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-76-0x000001E7F6170000-0x000001E7F6171000-memory.dmp

Filesize
4KB

Download
memory/5200-86-0x000001E7F6180000-0x000001E7F6181000-memory.dmp

Filesize
4KB

Download
memory/5200-85-0x000001E7F6180000-0x000001E7F6181000-memory.dmp

Filesize
4KB

Download
memory/5200-84-0x000001E7F6170000-0x000001E7F6171000-memory.dmp

Filesize
4KB

Download
memory/5200-62-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-61-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-60-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-59-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-58-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-57-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-56-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-54-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-53-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-52-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-51-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-50-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-49-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-48-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-47-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-46-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-43-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-42-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-41-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-40-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-39-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-38-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-37-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-36-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-35-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-34-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-33-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-32-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-31-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-30-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-29-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-28-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-27-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-26-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-25-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-24-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-23-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-22-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-21-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-20-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-19-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-18-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-17-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-16-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-15-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-14-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-13-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-12-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-11-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-10-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-9-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-8-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-7-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-6-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-5-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-4-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download
memory/5200-3-0x00007FFB20C10000-0x00007FFB20C20000-memory.dmp

Filesize
64KB

Download