03756119185c012ae7a36f165a5f0236dbadca1a0314ba3fbeab826565dbd848

Analysis

max time kernel
55s
max time network
71s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
21/03/2023, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sfk.cmd
Size

3KB
MD5

c8a9a54268e70aeb7fe228ae95b2ecdc
SHA1

ca51405c2298d2d1a3e448002d368887ebc67b2a
SHA256

03756119185c012ae7a36f165a5f0236dbadca1a0314ba3fbeab826565dbd848
SHA512

18d5253f5ee486eddbcc1dffcf169aa25be35c04cb60993aaac7ae18a9fb14032d3bf4121d971703bb620ab138db63e21c8102cc37b6872756deb2901308b5a7

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	4900	powershell.exe
Token: SeSecurityPrivilege	4900	powershell.exe
Token: SeTakeOwnershipPrivilege	4900	powershell.exe
Token: SeLoadDriverPrivilege	4900	powershell.exe
Token: SeSystemProfilePrivilege	4900	powershell.exe
Token: SeSystemtimePrivilege	4900	powershell.exe
Token: SeProfSingleProcessPrivilege	4900	powershell.exe
Token: SeIncBasePriorityPrivilege	4900	powershell.exe
Token: SeCreatePagefilePrivilege	4900	powershell.exe
Token: SeBackupPrivilege	4900	powershell.exe
Token: SeRestorePrivilege	4900	powershell.exe
Token: SeShutdownPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeSystemEnvironmentPrivilege	4900	powershell.exe
Token: SeRemoteShutdownPrivilege	4900	powershell.exe
Token: SeUndockPrivilege	4900	powershell.exe
Token: SeManageVolumePrivilege	4900	powershell.exe
Token: 33	4900	powershell.exe
Token: 34	4900	powershell.exe
Token: 35	4900	powershell.exe
Token: 36	4900	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeIncreaseQuotaPrivilege	4100	powershell.exe
Token: SeSecurityPrivilege	4100	powershell.exe
Token: SeTakeOwnershipPrivilege	4100	powershell.exe
Token: SeLoadDriverPrivilege	4100	powershell.exe
Token: SeSystemProfilePrivilege	4100	powershell.exe
Token: SeSystemtimePrivilege	4100	powershell.exe
Token: SeProfSingleProcessPrivilege	4100	powershell.exe
Token: SeIncBasePriorityPrivilege	4100	powershell.exe
Token: SeCreatePagefilePrivilege	4100	powershell.exe
Token: SeBackupPrivilege	4100	powershell.exe
Token: SeRestorePrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeSystemEnvironmentPrivilege	4100	powershell.exe
Token: SeRemoteShutdownPrivilege	4100	powershell.exe
Token: SeUndockPrivilege	4100	powershell.exe
Token: SeManageVolumePrivilege	4100	powershell.exe
Token: 33	4100	powershell.exe
Token: 34	4100	powershell.exe
Token: 35	4100	powershell.exe
Token: 36	4100	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1792	1436	cmd.exe	67
PID 1436 wrote to memory of 1792	1436	cmd.exe	67
PID 1436 wrote to memory of 4900	1436	cmd.exe	68
PID 1436 wrote to memory of 4900	1436	cmd.exe	68
PID 1436 wrote to memory of 4100	1436	cmd.exe	70
PID 1436 wrote to memory of 4100	1436	cmd.exe	70

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sfk.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe add-mpPreference -exclusionPath "'C:\Users\Admin\AppData\Local\Temp\23591658422471'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Remove-MpPreference -exclusionPath "C:\Users\Admin\AppData\Local\Temp\23591658422471"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16e530656c58fa203f56288f78af3421

SHA1
c03d9290f672930e0b17dca3ab746a9b89a00630

SHA256
2b2b8dfaa8e252e7ee7cbcc6155a97fbc2d19619d137a49f67465d0312d95360

SHA512
9967d15a1623a91bd539233670c1854137077f0574c8dc6bb86393aa6f4528b6d75bd1c9d3ce133ba6a49fca4f6d0d0df7b9a622031e6e832d0edf482c669e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qalfty2r.c41.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4100-220-0x00000201687D0000-0x00000201687E0000-memory.dmp

Filesize
64KB

Download
memory/4100-186-0x00000201687D0000-0x00000201687E0000-memory.dmp

Filesize
64KB

Download
memory/4100-185-0x00000201687D0000-0x00000201687E0000-memory.dmp

Filesize
64KB

Download
memory/4900-130-0x0000024EB1190000-0x0000024EB11A0000-memory.dmp

Filesize
64KB

Download
memory/4900-134-0x0000024EB1E60000-0x0000024EB1ED6000-memory.dmp

Filesize
472KB

Download
memory/4900-147-0x0000024EB1FE0000-0x0000024EB202A000-memory.dmp

Filesize
296KB

Download
memory/4900-165-0x0000024EB1190000-0x0000024EB11A0000-memory.dmp

Filesize
64KB

Download
memory/4900-170-0x0000024EB1E00000-0x0000024EB1E1E000-memory.dmp

Filesize
120KB

Download
memory/4900-131-0x0000024EB1CD0000-0x0000024EB1DD2000-memory.dmp

Filesize
1.0MB

Download
memory/4900-126-0x0000024E98BC0000-0x0000024E98BD0000-memory.dmp

Filesize
64KB

Download
memory/4900-129-0x0000024EB1190000-0x0000024EB11A0000-memory.dmp

Filesize
64KB

Download
memory/4900-128-0x0000024EB10F0000-0x0000024EB1112000-memory.dmp

Filesize
136KB

Download
memory/4900-125-0x0000024EB11A0000-0x0000024EB1222000-memory.dmp

Filesize
520KB

Download