9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

Analysis

max time kernel
77s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2023, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.bat.exe
Size

442KB
MD5

04029e121a0cfa5991749937dd22a1d9
SHA1

f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256

9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512

6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
SSDEEP

6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2804	builder.bat.exe
2804	builder.bat.exe
1000	builder.bat.exe
1000	builder.bat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	builder.bat.exe
Token: SeDebugPrivilege	1000	builder.bat.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1000	2804	builder.bat.exe	92
PID 2804 wrote to memory of 1000	2804	builder.bat.exe	92

C:\Users\Admin\AppData\Local\Temp\builder.bat.exe
"C:\Users\Admin\AppData\Local\Temp\builder.bat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\builder.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\builder.bat.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekdpuayq.s4k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
36B

MD5
a8cb19df336a28dcacf62de72509fe30

SHA1
4ff4050e07a9ea04970bf8b4828be82213c237cc

SHA256
a55ae2ac4fd8e32804d1ecf86d006d47e29615b605ebda3af66288dd85a8d2e1

SHA512
25af8f128997873c68ae9650834669028d055c12fcd51574874ee78d36c43a1d757991059628417d85fbadc2e4dfc9f02472e46b6ba18bb18c754607b0e11696

Download Submit
memory/1000-163-0x000001CC22630000-0x000001CC22640000-memory.dmp

Filesize
64KB

Download
memory/1000-166-0x000001CC22630000-0x000001CC22640000-memory.dmp

Filesize
64KB

Download
memory/1000-164-0x000001CC22630000-0x000001CC22640000-memory.dmp

Filesize
64KB

Download
memory/2804-147-0x0000012FB4220000-0x0000012FB4230000-memory.dmp

Filesize
64KB

Download
memory/2804-148-0x0000012FB4220000-0x0000012FB4230000-memory.dmp

Filesize
64KB

Download
memory/2804-149-0x0000012FB4220000-0x0000012FB4230000-memory.dmp

Filesize
64KB

Download
memory/2804-150-0x0000012FB4220000-0x0000012FB4230000-memory.dmp

Filesize
64KB

Download
memory/2804-134-0x0000012FD0160000-0x0000012FD0182000-memory.dmp

Filesize
136KB

Download
memory/2804-146-0x0000012FD0740000-0x0000012FD07B6000-memory.dmp

Filesize
472KB

Download
memory/2804-145-0x0000012FD0320000-0x0000012FD0364000-memory.dmp

Filesize
272KB

Download
memory/2804-144-0x0000012FB4220000-0x0000012FB4230000-memory.dmp

Filesize
64KB

Download
memory/2804-143-0x0000012FB4220000-0x0000012FB4230000-memory.dmp

Filesize
64KB

Download