b7969504a01437385f5865aef152e0b32b2a1344620ec08aa98c1bac580eff4b

Analysis

max time kernel
86s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ESPOTIFY SIN PUBLICIDAD/install.bat
Size

4KB
MD5

1e2f0cee168e9efbf71954a91c155356
SHA1

1da5b5d28d83b51ee58895b48488a22d1dc49897
SHA256

4cd8cc1a84521644561b76338aabcf7c1d7681564b0415b0a548b6a8e9700a73
SHA512

593cbc366c79e7f2b0dda7260363305e9cd112f665a7375998b34f9a8792f9fb2313e36b17b587010f7d29b24221da756dee1a84f65628e69037a40952d52c64
SSDEEP

96:qGQ9HHSDNcCMOQMYAMlVu7YOnMkycpy1Xq0RHqs0V:qGQ9nRY3YHXuMOMkycpy1XBqs0V

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	powershell.exe
2092	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 1904	3968	cmd.exe	86
PID 3968 wrote to memory of 1904	3968	cmd.exe	86
PID 3968 wrote to memory of 2092	3968	cmd.exe	87
PID 3968 wrote to memory of 2092	3968	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\system32\findstr.exe
  findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\install.bat"
  2⤵
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe -ExecutionPolicy Bypass -Command "& 'C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\ps.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPOTIFY SIN PUBLICIDAD\ps.ps1

Filesize
4KB

MD5
4d70184c5dadd0bb980a13aedab4988b

SHA1
a8e17c70cba0911ca56b8f75f568082eb2849f9b

SHA256
259ec34b25f4aa29f33322702b3d3a678b7f1109f03ba3b04e973d0c3092a49a

SHA512
4475a858928fecbce18dbeb5463222020ab0848109e29afad9e0c72beb41941a9b60f1d8fdda073cd945846e0530ee9006c927bcd7af1e9d96828f18887f315f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_woy3kdrt.ze2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2092-134-0x000001E31F270000-0x000001E31F280000-memory.dmp

Filesize
64KB

Download
memory/2092-140-0x000001E31F210000-0x000001E31F232000-memory.dmp

Filesize
136KB

Download
memory/2092-141-0x000001E31F270000-0x000001E31F280000-memory.dmp

Filesize
64KB

Download
memory/2092-147-0x000001E31F910000-0x000001E31F926000-memory.dmp

Filesize
88KB

Download
memory/2092-148-0x000001E31F5C0000-0x000001E31F5CA000-memory.dmp

Filesize
40KB

Download
memory/2092-149-0x000001E31F9A0000-0x000001E31F9C6000-memory.dmp

Filesize
152KB

Download
memory/2092-150-0x000001E31F270000-0x000001E31F280000-memory.dmp

Filesize
64KB

Download
memory/2092-153-0x000001E31F280000-0x000001E31F49C000-memory.dmp

Filesize
2.1MB

Download