b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.cmd
Size

1.5MB
MD5

9671f612c8c8998f16aa977acc60f77d
SHA1

f341be76e58bad00ff883005fce69f8afb3e9777
SHA256

b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e
SHA512

a6c76a972dcec037ce370b3796304ff8472f1d0949e8a443240a358ba491b92200833507f21a20f114cd63de4a4d9438d82fde4e8806af2393637f593d2bb608
SSDEEP

24576:zlctuz1t3GCb2Eg8SxmRgM1XzgG8Tnzh+AMgc2vQf/Md6itPQMsPNBgS04:Z5x2hTpRYM6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	AutoIt3.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
636	timeout.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1416	WMIC.exe
Token: SeSecurityPrivilege	1416	WMIC.exe
Token: SeTakeOwnershipPrivilege	1416	WMIC.exe
Token: SeLoadDriverPrivilege	1416	WMIC.exe
Token: SeSystemProfilePrivilege	1416	WMIC.exe
Token: SeSystemtimePrivilege	1416	WMIC.exe
Token: SeProfSingleProcessPrivilege	1416	WMIC.exe
Token: SeIncBasePriorityPrivilege	1416	WMIC.exe
Token: SeCreatePagefilePrivilege	1416	WMIC.exe
Token: SeBackupPrivilege	1416	WMIC.exe
Token: SeRestorePrivilege	1416	WMIC.exe
Token: SeShutdownPrivilege	1416	WMIC.exe
Token: SeDebugPrivilege	1416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1416	WMIC.exe
Token: SeRemoteShutdownPrivilege	1416	WMIC.exe
Token: SeUndockPrivilege	1416	WMIC.exe
Token: SeManageVolumePrivilege	1416	WMIC.exe
Token: 33	1416	WMIC.exe
Token: 34	1416	WMIC.exe
Token: 35	1416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1416	WMIC.exe
Token: SeSecurityPrivilege	1416	WMIC.exe
Token: SeTakeOwnershipPrivilege	1416	WMIC.exe
Token: SeLoadDriverPrivilege	1416	WMIC.exe
Token: SeSystemProfilePrivilege	1416	WMIC.exe
Token: SeSystemtimePrivilege	1416	WMIC.exe
Token: SeProfSingleProcessPrivilege	1416	WMIC.exe
Token: SeIncBasePriorityPrivilege	1416	WMIC.exe
Token: SeCreatePagefilePrivilege	1416	WMIC.exe
Token: SeBackupPrivilege	1416	WMIC.exe
Token: SeRestorePrivilege	1416	WMIC.exe
Token: SeShutdownPrivilege	1416	WMIC.exe
Token: SeDebugPrivilege	1416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1416	WMIC.exe
Token: SeRemoteShutdownPrivilege	1416	WMIC.exe
Token: SeUndockPrivilege	1416	WMIC.exe
Token: SeManageVolumePrivilege	1416	WMIC.exe
Token: 33	1416	WMIC.exe
Token: 34	1416	WMIC.exe
Token: 35	1416	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1800	AutoIt3.exe
1800	AutoIt3.exe
1800	AutoIt3.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1800	AutoIt3.exe
1800	AutoIt3.exe
1800	AutoIt3.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 916	884	cmd.exe	28
PID 884 wrote to memory of 916	884	cmd.exe	28
PID 884 wrote to memory of 916	884	cmd.exe	28
PID 916 wrote to memory of 1552	916	cmd.exe	30
PID 916 wrote to memory of 1552	916	cmd.exe	30
PID 916 wrote to memory of 1552	916	cmd.exe	30
PID 916 wrote to memory of 960	916	cmd.exe	31
PID 916 wrote to memory of 960	916	cmd.exe	31
PID 916 wrote to memory of 960	916	cmd.exe	31
PID 916 wrote to memory of 1656	916	cmd.exe	32
PID 916 wrote to memory of 1656	916	cmd.exe	32
PID 916 wrote to memory of 1656	916	cmd.exe	32
PID 916 wrote to memory of 1416	916	cmd.exe	33
PID 916 wrote to memory of 1416	916	cmd.exe	33
PID 916 wrote to memory of 1416	916	cmd.exe	33
PID 916 wrote to memory of 636	916	cmd.exe	36
PID 916 wrote to memory of 636	916	cmd.exe	36
PID 916 wrote to memory of 636	916	cmd.exe	36
PID 916 wrote to memory of 564	916	cmd.exe	37
PID 916 wrote to memory of 564	916	cmd.exe	37
PID 916 wrote to memory of 564	916	cmd.exe	37
PID 916 wrote to memory of 1880	916	cmd.exe	38
PID 916 wrote to memory of 1880	916	cmd.exe	38
PID 916 wrote to memory of 1880	916	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\system32\more.com
    more +5 C:\Users\Admin\AppData\Local\Temp\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.cmd
    3⤵
    PID:1552
- - C:\Windows\system32\certutil.exe
    certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220920\AutoIt3.exe"
    3⤵
    PID:960
- - C:\Windows\system32\certutil.exe
    certutil -decode -f C:\Users\Admin\AppData\Local\Temp\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.cmd "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\QGCU\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.a3x"
    3⤵
    PID:1656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process call create '"C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220920\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\QGCU\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:636
- - C:\Windows\system32\xcopy.exe
    xcopy C:\Users\Admin\AppData\Roaming\Au3toCmd\*.* C:\Users\Admin\AppData\Roaming\Au3toCmdTmp\ /S
    3⤵
    PID:564
- - C:\Windows\system32\xcopy.exe
    xcopy C:\Users\Admin\AppData\Roaming\Au3toCmdTmp\*.* C:\Users\Admin\AppData\Roaming\Au3toCmd\ /S /Y
    3⤵
    PID:1880

C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220920\AutoIt3.exe
"C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220920\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\QGCU\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.a3x" ""
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~

Filesize
1.6MB

MD5
75da08bdd8607eedf5cf990719005bf9

SHA1
a951dc742c1305e0861788de624e5023f17ff9b0

SHA256
51ddae76dd716b918a8ff64620c957b3151906cd853846707508f40bf2cd6291

SHA512
cbab23c97e6424f2c35033a4fcbc01e7593ba5ed2281668e5579d9b77469669862bec0b9c3bde9245a849e771ead2f7a95f3b87d1ca60a1b64aa1e54c29319d8

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmd\a3x\QGCU\b7012c6d4bf861a0135a80044e2f5b993f9a4528a901b774eebc710e3c56942e.a3x

Filesize
239KB

MD5
b6e47288d35a275a93808335ed50cd48

SHA1
c2772f16a185e34adeab3400a71250eff19406d4

SHA256
e2d1717e79215f2e8b365f5b0646a53d9d9e076269eeefe52e9032d3342c53d3

SHA512
543bcf65bccb1d2336dc15170fcac29f8269a85d72ab04d42f7c92d6c744e9a25eaf4daf43fecf08fba1eacf3b7becc8b1939e6274e6253240ad28cd2c92196c

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220920\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Roaming\Au3toCmd\exe\v3.3.16.1_20220920\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/960-57-0x00000000FFFC1000-0x00000000FFFC3000-memory.dmp

Filesize
8KB

Download
memory/1656-60-0x00000000FFCA1000-0x00000000FFCA3000-memory.dmp

Filesize
8KB

Download
memory/1800-64-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download