2020bc5509cb053c4bdcee2180c99c5d29c6b7c52aabdc8da6393fff6d6d9dd9

General

Target

DownloadItemJsonFilesManually.bat
Size

493B
MD5

6699303a3cba8014c07862eeef9c1183
SHA1

35e14021eff2de0d81cc0d2e533cdfbafeb55c51
SHA256

bf588bb4541dd2bbac94f7c276b5becbefd9ed9d3fa249502ee97795a41300f7
SHA512

4ea015f9f59557159341dc211d6bf3da0a7ac7c9a66f62c6e680604b1e2811f48f3f0637ccacadee8c5322a5c0f8032c2eae197e6ab64612b4a8bf5d5aa1f59b

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4156	powershell.exe
7	2300	powershell.exe
11	3232	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4156	3172	cmd.exe	67
PID 3172 wrote to memory of 4156	3172	cmd.exe	67
PID 3172 wrote to memory of 2300	3172	cmd.exe	68
PID 3172 wrote to memory of 2300	3172	cmd.exe	68
PID 3172 wrote to memory of 3232	3172	cmd.exe	69
PID 3172 wrote to memory of 3232	3172	cmd.exe	69

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DownloadItemJsonFilesManually.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if(!(Test-Path -Path 'Temp')) { New-Item -ItemType Directory -Path 'Temp' } ; Invoke-WebRequest https://raw.githubusercontent.com/Triky313/ao-bin-dumps/main/formatted/items.json -OutFile ItemList.json"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://raw.githubusercontent.com/Triky313/ao-bin-dumps/main/items.json -OutFile Items.json"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://raw.githubusercontent.com/Triky313/ao-bin-dumps/main/mobs.json -OutFile Temp\mobs.json"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f290ff33102bc945b87b6871ce2f7cc4

SHA1
45f1664693c3d7c3b483897e69be3dac5618dd1a

SHA256
3f889f11dfa53455f75f8bad373308ba35e5016ede65b9785626322d131727a6

SHA512
f7f6e6ed9a03a5c31a904438736951698a335d508802cd9b0386e69df41671cdb9650d67d1d59aca30b3a4908d676dfb37bc7bff41f8796bef671152a5d6f57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12f47b2e222c3701a292b1241c4c67e6

SHA1
ebf36b9dec6b1ba1bfdc1cdc6e0d85f740686116

SHA256
2c4a41767c580abb8d08201b5b8d529d164da0fac21b80940b9bcb5237af99bf

SHA512
7c8ab9b7892cf9234a757ccb2b684988a37a97e7f2aadd0238f3439bbf11696a51c1d5e397a845023e3562b2a2a3e6ee274c1446b4bdd31958c8a466d8f6bba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
413b788ec3983bde5ae178bdf6cccd31

SHA1
b4c664aba52f88ade404b8b60fbcecdf0beca776

SHA256
6efc1b693ccbf7cddf99edb8af94881f58b19257901d0cc050bb259dc973b745

SHA512
051a7dfc3078eea0e6a00aba44b68e28136ce78a6102626292927f3f052bf2f481fd30c586239923d569315af94aeada9ccc7d3fcb8efe78eac1a4a8033c5112

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsylifgr.ozu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2300-178-0x0000029A56EA0000-0x0000029A56EB0000-memory.dmp

Filesize
64KB

Download
memory/2300-200-0x0000029A56EA0000-0x0000029A56EB0000-memory.dmp

Filesize
64KB

Download
memory/2300-199-0x0000029A56EA0000-0x0000029A56EB0000-memory.dmp

Filesize
64KB

Download
memory/2300-198-0x0000029A56EA0000-0x0000029A56EB0000-memory.dmp

Filesize
64KB

Download
memory/2300-194-0x0000029A56EA0000-0x0000029A56EB0000-memory.dmp

Filesize
64KB

Download
memory/2300-179-0x0000029A56EA0000-0x0000029A56EB0000-memory.dmp

Filesize
64KB

Download
memory/3232-210-0x0000018CDEC10000-0x0000018CDEC20000-memory.dmp

Filesize
64KB

Download
memory/3232-209-0x0000018CDEC10000-0x0000018CDEC20000-memory.dmp

Filesize
64KB

Download
memory/3232-236-0x0000018CDEC10000-0x0000018CDEC20000-memory.dmp

Filesize
64KB

Download
memory/3232-235-0x0000018CDEC10000-0x0000018CDEC20000-memory.dmp

Filesize
64KB

Download
memory/3232-234-0x0000018CDEC10000-0x0000018CDEC20000-memory.dmp

Filesize
64KB

Download
memory/3232-230-0x0000018CDEC10000-0x0000018CDEC20000-memory.dmp

Filesize
64KB

Download
memory/4156-136-0x000002167AE50000-0x000002167AEC6000-memory.dmp

Filesize
472KB

Download
memory/4156-155-0x0000021678AC0000-0x0000021678AD0000-memory.dmp

Filesize
64KB

Download
memory/4156-126-0x000002167AAA0000-0x000002167AB22000-memory.dmp

Filesize
520KB

Download
memory/4156-161-0x0000021678AC0000-0x0000021678AD0000-memory.dmp

Filesize
64KB

Download
memory/4156-131-0x0000021678AC0000-0x0000021678AD0000-memory.dmp

Filesize
64KB

Download
memory/4156-158-0x00000216789F0000-0x0000021678A04000-memory.dmp

Filesize
80KB

Download
memory/4156-130-0x000002167AD40000-0x000002167AE42000-memory.dmp

Filesize
1.0MB

Download
memory/4156-127-0x0000021678420000-0x0000021678430000-memory.dmp

Filesize
64KB

Download
memory/4156-160-0x0000021678AC0000-0x0000021678AD0000-memory.dmp

Filesize
64KB

Download
memory/4156-128-0x0000021678990000-0x00000216789B2000-memory.dmp

Filesize
136KB

Download
memory/4156-129-0x0000021678AC0000-0x0000021678AD0000-memory.dmp

Filesize
64KB

Download
memory/4156-162-0x0000021678AC0000-0x0000021678AD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing