Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-01-2025 13:53

General

  • Target

    esigned-document_eml.bat

  • Size

    2KB

  • MD5

    a0d37228b4ad0ebea6537b99cbcb7ff0

  • SHA1

    cec0438ed7acde6a177bc220df2d4fa94352e539

  • SHA256

    e85d8640a62e0d223fe9892384eecb8bb9e67d4bf2fc020881058506b33bec30

  • SHA512

    a4fda2b2adbe591bbfb44fb0949becf75349f5255f197008727486f15e0cc18fcdbce6c1d3ba16e65a5e32a5d8ffc857cfa75402975eafedf4c11524d4f1f9ea

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\esigned-document_eml.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$shell = New-Object -ComObject Shell.Application; $shell.MinimizeAll()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1644
    • C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      2⤵
      PID:2820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$shell = New-Object -ComObject Shell.Application; $shell.MinimizeAll()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process 'https://outlook.office365.com/Encryption/ErrorPage.aspx?src=3&code=11&be=SN6PR04MB4014&fe=JNAP275CA0040.ZAFP275.PROD.OUTLOOgK.COM&loc=en-US&itemID=E4E_M_e9df154a-e4b8-4486-8aec-7acceeb93fee'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://outlook.office365.com/Encryption/ErrorPage.aspx?src=3&code=11&be=SN6PR04MB4014&fe=JNAP275CA0040.ZAFP275.PROD.OUTLOOgK.COM&loc=en-US&itemID=E4E_M_e9df154a-e4b8-4486-8aec-7acceeb93fee
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2204
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:930824 /prefetch:2
          4⤵
          PID:1584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://javadl.oracle.com/webapps/download/AutoDL?BundleId=250111_d8aa705069af427f9b83e66b34f5e380' -OutFile 'C:\Temp\JavaSetup8u421.exe'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\system32\timeout.exe
      timeout /t 45 /nobreak
      2⤵
      • Delays execution with timeout.exe
      PID:680

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        49495c9da8554f22c7359c678e5789ce

        SHA1

        2450df59ef3dfc04f2a936f3fb79815415050869

        SHA256

        2eade2476ddb8391c18cb7ef92f48d2835b3ac61bd2e6bc786134e1153c0b117

        SHA512

        7a9708e9503944cbcb568e877ef051a8cb279d8139add5063383df405afc0af3c45c2db4bdb3ec86b9bf9d3ef05b14c9987ef31eed3bd4cb4360aaf3545dccd3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        a62f04634cc2ee2a9b85d3cb3d9a12eb

        SHA1

        c3054b9f4bb285b6c6446ae304d1ce9b53b0fbe0

        SHA256

        aefeacc76c31b0a4d36828cfa8ad1a6aaef44f2ca74ff65ded2854a1f8616a95

        SHA512

        58e201501610032e2512adfa5884980b6112d379193f9c182447a1e9147186db4b3569c47158f500edebe664e16edb63d5e7983988b4e6187c1634658b4b9df6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8d59899b4a875e6e6666f6b7f1f5a721

        SHA1

        264850ed95c750c5ad1e927045d82c33e6ef0c5a

        SHA256

        2c8ab1a96ce6cf6aa59719c02671c974f414515d2dbc613a0cee2f6231a7b21e

        SHA512

        42d1da2daa781e3ddac511bedc3b5f2140337572bc9f595043ec0c9aa8d5b9f8835ce50012d511336527d036483ddc7cd66868fb0e29b7e738bdeb6685474ff1

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e9feb56e062bbb018b83e65a4f660a39

        SHA1

        87048af278c818ceca6c41a56e2ccd3a112f1777

        SHA256

        032828081bf9b148c2e16eeb22bf3755a2bc95c632c4005715f421dd03a66255

        SHA512

        a626359bee36ef28fabfd78b5cbafc1c767ec17f18f4c9175532b4bd0638990af66fbde2110302278b566a210b56664617cd2d57befdf1210c12620690ceaa88

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        80805c68fe733231c1dbe769a52e485f

        SHA1

        a7cd01150f5a95be822de608c67bbbddad862af0

        SHA256

        d57446e9eed21ee7f246b78b3d9d420270338b05ab1808b85d95f019dfaeaf7d

        SHA512

        7d3b06ad01c86aeaeb8e58e7b8405fb6ba081c1456fa1da480c2a7db78d41c1202dca80d4880e27ab85c71ddd1dd99d51776b7bb85a263687741595cca5d8520

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        0619c7ad0109450305434cf8731f04f5

        SHA1

        a33f9d9b0b928d21a020ec3256a3855ca1f19c38

        SHA256

        536b55233f1e989f713c4768af61d6f99a5679629727137148145a79a026a59e

        SHA512

        c91b73dd71055dd5c1fe9d3d4c8edb442ed9ff8163e4b600bac7e150ca575087374bbb6ac3e2f1ed95275ae5b100ba1454946af3a7f21d6a9b7cf4b2aede8835

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        7f2edf331835693e187007dc38683c2f

        SHA1

        0b762d4cae27f47aa7b5a145d47f9d7faa0834d9

        SHA256

        8c9eaca6a8a60022e1ee77c01fe3a25287c29daa23b06bcd238aed5e59516686

        SHA512

        6d6c1bf670db69095580afc6ac7581817d65aafb20b625232a57f73c987832505288f32745122daa97c4372c603cecc9668ee3e80792aaa70e345ac1e8b06972

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        da2797f5b3e587986ec35eb209bce58a

        SHA1

        becb9dd6e312d491a83491d93416096d35bfc651

        SHA256

        393ac059d94c771ffeedc92f0531c02f78d7166cd47f91ab208f7c43e654a3ec

        SHA512

        9c320784a521011e6f4605112f5871350fa62907f3c2d253695625e9ff136260778909d75911bf2c9d4245e3493a518a5a839cac750e502b81717076e3db2786

      • C:\Users\Admin\AppData\Local\Temp\CabC14D.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarC16F.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\~DFF6574040944BD0F5.TMP

        Filesize

        16KB

        MD5

        4246afa7fabaacae805a7f2fd61b6874

        SHA1

        03336e9209cee78ab3140393c98ed96c4459bd36

        SHA256

        557448d6a01243244657745741a30455ec458f7b2ee195b46365c03c418a8029

        SHA512

        c630c57581abc0bdfebe32694061b581e179815ca17c5323ea4a14ea36f2d3cff7b5cf43ed67252a51628966663020d270b00af627c31b419f82e1fe1bf66c52

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        ef70a17fc07ca9020dc0e104974c7178

        SHA1

        3c0320b07dd6736f69ed5a15c04063fbdabb7ba8

        SHA256

        99212314d302a7a0f2c8c0ac17a9605311900bd2b0bae7bb9fc6a79ac2270da1

        SHA512

        06950ba25b813bd24e054ccec0d9462e68900a8b9cb0b774149f7eaee4df663838130e64f6fe0b389ec723553f427fba8a7314c587963f3f19c0d954dee69a46

      • memory/1644-9-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

        Filesize

        9.6MB

      • memory/1644-11-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

        Filesize

        9.6MB

      • memory/1644-10-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

        Filesize

        9.6MB

      • memory/1644-4-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

        Filesize

        4KB

      • memory/1644-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

        Filesize

        32KB

      • memory/1644-8-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

        Filesize

        9.6MB

      • memory/1644-7-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

        Filesize

        9.6MB

      • memory/1644-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

        Filesize

        2.9MB

      • memory/2872-18-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

      • memory/2872-17-0x000000001B550000-0x000000001B832000-memory.dmp

        Filesize

        2.9MB