d4dbe1ca6cecfb881a0936160e7faf7e9bf9d3b0ef16e102da2e54b8a67d7e3f

General

Target

call.bat
Size

95B
MD5

1a21106949e3ac7127b53e7fe65eacaf
SHA1

5e958618579101bda420ae96e4010b1df744acb8
SHA256

e25f70642c5c7aa150da11f2b7d9d9d7e04954a26005c6b57ac20864be420dcc
SHA512

9da39c1052e388cfc1348407122ebeac9aae63de0c2060d05f4b7023d93f571a852fb959088b3989b9640bddf8a39c1bdae84db955d1c58db899188103c93942

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
2400	powershell.exe
2400	powershell.exe
2400	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	3348	whoami.exe
Token: SeDebugPrivilege	2400	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 340	3540	cmd.exe	67
PID 3540 wrote to memory of 340	3540	cmd.exe	67
PID 3540 wrote to memory of 68	3540	cmd.exe	68
PID 3540 wrote to memory of 68	3540	cmd.exe	68
PID 3540 wrote to memory of 4760	3540	cmd.exe	69
PID 3540 wrote to memory of 4760	3540	cmd.exe	69
PID 3540 wrote to memory of 3724	3540	cmd.exe	70
PID 3540 wrote to memory of 3724	3540	cmd.exe	70
PID 3540 wrote to memory of 4780	3540	cmd.exe	72
PID 3540 wrote to memory of 4780	3540	cmd.exe	72
PID 3540 wrote to memory of 4488	3540	cmd.exe	71
PID 3540 wrote to memory of 4488	3540	cmd.exe	71
PID 3540 wrote to memory of 4592	3540	cmd.exe	73
PID 3540 wrote to memory of 4592	3540	cmd.exe	73
PID 3540 wrote to memory of 1764	3540	cmd.exe	74
PID 3540 wrote to memory of 1764	3540	cmd.exe	74
PID 3540 wrote to memory of 300	3540	cmd.exe	75
PID 3540 wrote to memory of 300	3540	cmd.exe	75
PID 3924 wrote to memory of 3348	3924	powershell.exe	87
PID 3924 wrote to memory of 3348	3924	powershell.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\call.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\mode.com
  mode con:cols=22 lines=2
  2⤵
  PID:340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Desktop\*" /b
  2⤵
  PID:68
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Documents\*" /b
  2⤵
  PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Music\*" /b
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Downloads\*" /b
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Videos\*" /b
  2⤵
  PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Downloads\*" /b
  2⤵
  PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Desktop\*" /b
  2⤵
  PID:1764
- C:\Windows\system32\xcopy.exe
  xcopy /E /I C:\Users\Admin\AppData\Local\packages\all\downloads C:\Users\Admin\AppData\Local\packages\all\downloads.enc
  2⤵
  PID:300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
588078e260544dab88fbee7692f534de

SHA1
0a1548eaf60e067eae936992e4e5eadf95c8f442

SHA256
0b51ef56394df4d000177cb05443f2c89099adda26c95d18eac9a6c9f2bed921

SHA512
77e35a9ccc29fc4bf8920c4840f75e4fe5a106763290b099ac105a92d31e8f9ae84eaee075eee2d3a64d0e25b0c5ab7556b827688f7d24bebac8c97fea4f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
6c0473185e17c8cb905b468c1b5bf728

SHA1
8e0f4c34b22ad4f5749aab3635456a4266047473

SHA256
66c1ae60e86ee9d51c33467851fdb4f9e8672442a201dc7c6514dcf78688539c

SHA512
5c3c3e709e525dd3d37cac328d79d9860d75a7198b65169a3581ed2b9de3c55251c5997ac32ef5f902b3f33d3cbe249fcb1cd040ba204aecca5510278c04d141

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Filesize
182B

MD5
466626aa278787e4d863483a39898b7d

SHA1
bbc524d16a06c292f4cdaabaa88fda47f8df7d8e

SHA256
8e05082d4c46b4967de576babc7dfd106369ce37c0f087138871c7558b3f8702

SHA512
cd9f694f2a6c5d2d4ff4b47af0fe5b340a49ed783db506b621421cdd9759d63caf789b8b33a1f2ee22347dfa67639c38a7c915a08c6a050c5d5ca20f12d76aae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Filesize
214B

MD5
806e00b7b5442d118cfa9aa6c3819615

SHA1
9f72312480a6dc1853176c9269c8f14d28065552

SHA256
69cc45d2ec409c211a49ca1aea9acb95046b1e7672559a4b43c09c38a9fe901f

SHA512
a36d53b7067e4ae36127abe4597dbe6e8fa7877f240f722c24219fa78bf8c650c43fcd7b42a856e33e638016057ef5773135e560845fb9936e9a64e890434df8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
1fe87224b16e1e0438ab5035163eaddd

SHA1
9c95bdadfe0fb7085d5b022a2e881d39c5899972

SHA256
df8d99806bd840a8081d239f364c6225418b7ec43bc98f2fa3a5dcfb8fd7156c

SHA512
3f6dfe1e666b0fae5ef7a67b0b9c6060445f390f88c5725593a9eed4ef83629feba25799dc6e1f84ffa67342645bf649ea925836511921e5f62c611e7523d176

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
499c896b3ccbeb4d2213e7a61bf4c6c8

SHA1
d1af8c93144850a71730bfadee25704458664cd5

SHA256
e530c00a40d62892f8e67d0206a515ca95823e7904e35185785fc880886d64bf

SHA512
2c6d44b915ba69db230a235ba2d8ebdecc249f934a325e8f0d9607082cdc9d34a6a4327a2ff5fcfd0c2a84ce65c42286a01b637124c72fdc90ded849cb67cec6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
1fe87224b16e1e0438ab5035163eaddd

SHA1
9c95bdadfe0fb7085d5b022a2e881d39c5899972

SHA256
df8d99806bd840a8081d239f364c6225418b7ec43bc98f2fa3a5dcfb8fd7156c

SHA512
3f6dfe1e666b0fae5ef7a67b0b9c6060445f390f88c5725593a9eed4ef83629feba25799dc6e1f84ffa67342645bf649ea925836511921e5f62c611e7523d176

Download Submit
memory/4968-174-0x000001D5A1FF0000-0x000001D5A200E000-memory.dmp

Filesize
120KB

Download
memory/4968-162-0x000001D5A2500000-0x000001D5A2576000-memory.dmp

Filesize
472KB

Download
memory/4968-151-0x000001D589C10000-0x000001D589C4C000-memory.dmp

Filesize
240KB

Download
memory/4968-132-0x000001D589B90000-0x000001D589BB2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads