d331b014de598cac5a9d01b1c09110c7d74c7c048c4d205ea788e28ea9e44ad3

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/01/2023, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1337SKINCHANGER_AUTO UPDATER.bat
Size

5KB
MD5

02f6efbb4849349ca77f07c0ce7bdbc6
SHA1

8b0fae03051d5be54bfba38799a61c32650dd70f
SHA256

d331b014de598cac5a9d01b1c09110c7d74c7c048c4d205ea788e28ea9e44ad3
SHA512

bb139fcc4681ceb65b46dba350225d521533e9efb0f317174bd012be5c4d432837fd4a4df51147073179e56d64e46f89863d9d92d6ac0cf10d488344bac93431
SSDEEP

96:JrKauGplCGllAF8GrGCseFg5GoYXG0FCYrvHESiSCGFFYYrIGFgwlGi3GuGqWgGs:eraYExm6wBrxn0YUVEZ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	powershell.exe
1340	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1256	112	cmd.exe	28
PID 112 wrote to memory of 1256	112	cmd.exe	28
PID 112 wrote to memory of 1256	112	cmd.exe	28
PID 1256 wrote to memory of 876	1256	cmd.exe	30
PID 1256 wrote to memory of 876	1256	cmd.exe	30
PID 1256 wrote to memory of 876	1256	cmd.exe	30
PID 1256 wrote to memory of 1340	1256	cmd.exe	31
PID 1256 wrote to memory of 1340	1256	cmd.exe	31
PID 1256 wrote to memory of 1340	1256	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1337SKINCHANGER_AUTO UPDATER.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1337SKINCHANGER_AUTO UPDATER.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('DOWNLOADING LATEST VERSION OF 1337SKINCHANGER FOR THE CURRENT LEAGUE OF LEGENDS PATCH FROM OUR SERVER.', '1337SKINCHANGER AUTOUPDATE', 'OK', [System.Windows.Forms.MessageBoxIcon]::Information);}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://1337SKINCHANGER.com/AUTOUPDATE/skinchanger_downloader.bat' -OutFile skinchanger_downloader.bat"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b272ff65827c0577b782e0b00ada3ff8

SHA1
b2b022a47582e21a19ada7f966ecf50456fb9319

SHA256
b7ce47ef86a06ad0075196eae80d9954b1b884926860569ff250d7693a9de41b

SHA512
b6f59930fc945e58370df66a6caca3fa04dcea16b1eb2c4d3d70a99c80b0ce72846cd0cc8e106dc4e523504f221f87fb3a0485692ebdc2a0eb32fc161b524a44

Download Submit
memory/876-62-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/876-57-0x000007FEF28F0000-0x000007FEF3313000-memory.dmp

Filesize
10.1MB

Download
memory/876-58-0x000007FEF1D90000-0x000007FEF28ED000-memory.dmp

Filesize
11.4MB

Download
memory/876-59-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/876-60-0x000007FEED5E0000-0x000007FEEE676000-memory.dmp

Filesize
16.6MB

Download
memory/876-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/876-61-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/876-63-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1340-67-0x000007FEF3290000-0x000007FEF3CB3000-memory.dmp

Filesize
10.1MB

Download
memory/1340-68-0x000007FEF2730000-0x000007FEF328D000-memory.dmp

Filesize
11.4MB

Download
memory/1340-69-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1340-71-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/1340-70-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download