f9146f9aba0cb64d2e5999bb7275fe0be8344d9bba48b4efbb2f7a54ec49880c

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-04-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sfk.cmd
Size

3KB
MD5

ca33268105776e6444b50c3fa41d6956
SHA1

d1e6c5a5e54136a5911c6d75edda0821d759937d
SHA256

f9146f9aba0cb64d2e5999bb7275fe0be8344d9bba48b4efbb2f7a54ec49880c
SHA512

e87812f232d19a8d4980b6b47d01244e1a6d6a4f9b6b2b84dabda7a2b0f461c83bd92838f42a65cfa73538db4a6d7dd0028aed265c41340ef2c4f8b4d66630d8

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	powershell.exe
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 956	932	cmd.exe	28
PID 932 wrote to memory of 956	932	cmd.exe	28
PID 932 wrote to memory of 956	932	cmd.exe	28
PID 932 wrote to memory of 1652	932	cmd.exe	29
PID 932 wrote to memory of 1652	932	cmd.exe	29
PID 932 wrote to memory of 1652	932	cmd.exe	29
PID 932 wrote to memory of 1732	932	cmd.exe	30
PID 932 wrote to memory of 1732	932	cmd.exe	30
PID 932 wrote to memory of 1732	932	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\sfk.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe add-mpPreference -exclusionPath "'C:\Users\Admin\AppData\Local\Temp\20657261529811'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Remove-MpPreference -exclusionPath "C:\Users\Admin\AppData\Local\Temp\20657261529811"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c1ad117d8128f054665a0cfe470a72a5

SHA1
e0ac726e4d446aab74a6cf8839f0022b49322d54

SHA256
cb19d2dcae16b750040dd857a358c3267d8e97a90956c084fa1156a6ac4e1afa

SHA512
26d1b83d1c2fa550f07ede293e58f62dc6bfe40877303a1a0b561f3391c5db02bb5f8702789fb4d9872fc4f02267259ff411f4963872bca788ab5d43149469cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KD0YRBFMM3DHRAYKWJVQ.temp

Filesize
7KB

MD5
c1ad117d8128f054665a0cfe470a72a5

SHA1
e0ac726e4d446aab74a6cf8839f0022b49322d54

SHA256
cb19d2dcae16b750040dd857a358c3267d8e97a90956c084fa1156a6ac4e1afa

SHA512
26d1b83d1c2fa550f07ede293e58f62dc6bfe40877303a1a0b561f3391c5db02bb5f8702789fb4d9872fc4f02267259ff411f4963872bca788ab5d43149469cf

Download Submit
memory/1652-61-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1652-58-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/1652-62-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1652-63-0x000000000282B000-0x0000000002862000-memory.dmp

Filesize
220KB

Download
memory/1652-60-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1652-59-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1732-70-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1732-69-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1732-71-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/1732-72-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/1732-74-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/1732-73-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/1732-75-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download