f9146f9aba0cb64d2e5999bb7275fe0be8344d9bba48b4efbb2f7a54ec49880c

Resubmissions

22/04/2023, 15:07

230422-shhkqsfd62 8

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/04/2023, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sfk.cmd
Size

3KB
MD5

ca33268105776e6444b50c3fa41d6956
SHA1

d1e6c5a5e54136a5911c6d75edda0821d759937d
SHA256

f9146f9aba0cb64d2e5999bb7275fe0be8344d9bba48b4efbb2f7a54ec49880c
SHA512

e87812f232d19a8d4980b6b47d01244e1a6d6a4f9b6b2b84dabda7a2b0f461c83bd92838f42a65cfa73538db4a6d7dd0028aed265c41340ef2c4f8b4d66630d8

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	powershell.exe
1048	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1900	1944	cmd.exe	27
PID 1944 wrote to memory of 1900	1944	cmd.exe	27
PID 1944 wrote to memory of 1900	1944	cmd.exe	27
PID 1944 wrote to memory of 1692	1944	cmd.exe	28
PID 1944 wrote to memory of 1692	1944	cmd.exe	28
PID 1944 wrote to memory of 1692	1944	cmd.exe	28
PID 1944 wrote to memory of 1048	1944	cmd.exe	29
PID 1944 wrote to memory of 1048	1944	cmd.exe	29
PID 1944 wrote to memory of 1048	1944	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sfk.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe add-mpPreference -exclusionPath "'C:\Users\Admin\AppData\Local\Temp\96632802616046'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Remove-MpPreference -exclusionPath "C:\Users\Admin\AppData\Local\Temp\96632802616046"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0d5e3031d0e5dfda4d1841747314c300

SHA1
6b388b2eb4df1e88563fb0f7fa08da486ee6eb29

SHA256
d179f35dfce0515de3818fa4ee3444711649b4fe623e550a86cfb62cd79b939f

SHA512
e6f81161556bacfe9950d84e389bb9c70e57097565aa6fadde0edc4935f427fb79e8a2ff046ff90cdafcdfe73286a362a2879806854ca7d370840d056980d224

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HQOEKH53U67HMU6QRS8Z.temp

Filesize
7KB

MD5
0d5e3031d0e5dfda4d1841747314c300

SHA1
6b388b2eb4df1e88563fb0f7fa08da486ee6eb29

SHA256
d179f35dfce0515de3818fa4ee3444711649b4fe623e550a86cfb62cd79b939f

SHA512
e6f81161556bacfe9950d84e389bb9c70e57097565aa6fadde0edc4935f427fb79e8a2ff046ff90cdafcdfe73286a362a2879806854ca7d370840d056980d224

Download Submit
memory/1048-70-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1048-69-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1048-71-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1048-72-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1048-73-0x000000000277B000-0x00000000027B2000-memory.dmp

Filesize
220KB

Download
memory/1692-61-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1692-62-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1692-63-0x00000000026CB000-0x0000000002702000-memory.dmp

Filesize
220KB

Download
memory/1692-60-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1692-59-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1692-58-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download