Overview

overview

10

Static

static

1

PMOy4QqKcU...PF.zip

windows7-x64

1

PMOy4QqKcU...PF.zip

windows10-2004-x64

1

1.bat

windows7-x64

1

1.bat

windows10-2004-x64

1

detonator.cmd

windows7-x64

4

detonator.cmd

windows10-2004-x64

7

dqjg.ps1

windows7-x64

1

dqjg.ps1

windows10-2004-x64

1

dqjg.vbs

windows7-x64

1

dqjg.vbs

windows10-2004-x64

3

th5rk551.uku.ps1

windows7-x64

1

th5rk551.uku.ps1

windows10-2004-x64

1

vuso.ps1

windows7-x64

1

vuso.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2023 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.bat

  • Size

    87B

  • MD5

    cdc83500ec30d3d435f4a5fca2fb9c99

  • SHA1

    418f2d8fe427cc1bcfffd66689325300737f7d07

  • SHA256

    12a6ad12fa23cc100d4a982746c5520f4de1cd7638de579e2040daf2ec2a2e2e

  • SHA512

    96b5560bbbfa9055f4e1208b46ee6b0c7486d6ecb4f311dd4724ed3b09c862002e10fc1dd6b892b4bfe47798713f055f053fed16bc45f834f94140550c3eb732

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Windows\system32\cmd.exe
      CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\dqjg\vuso.ps1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\dqjg\vuso.ps1"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjyjwfbv.rgq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3748-133-0x0000019AE8DE0000-0x0000019AE8DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3748-134-0x0000019AE8DE0000-0x0000019AE8DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3748-144-0x0000019AE8D70000-0x0000019AE8D92000-memory.dmp

    Filesize

    136KB

    Download