dc043b9678055fdeb33ff21d665d9db1796991348170304fbce7434b9a941b9a

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passwords.bat
Size

1KB
MD5

6410947bed3619d3ab51a14f27f06109
SHA1

ad74beebe7aa219c6f3f62b011f07594345674d4
SHA256

dc043b9678055fdeb33ff21d665d9db1796991348170304fbce7434b9a941b9a
SHA512

9db35d7d7c910b181d278438595d5c8c7661e15737975f57cd559dc911edb5efb7eaddf79b8d483983a3f423843aec8e7e1abaa7ca2db4586d57a87360d535d1

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4772	cscript.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3624	timeout.exe
2704	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4272	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3780	1016	cmd.exe	84
PID 1016 wrote to memory of 3780	1016	cmd.exe	84
PID 1016 wrote to memory of 4272	1016	cmd.exe	86
PID 1016 wrote to memory of 4272	1016	cmd.exe	86
PID 3780 wrote to memory of 3624	3780	cmd.exe	87
PID 3780 wrote to memory of 3624	3780	cmd.exe	87
PID 4272 wrote to memory of 3408	4272	powershell.exe	88
PID 4272 wrote to memory of 3408	4272	powershell.exe	88
PID 1016 wrote to memory of 4772	1016	cmd.exe	90
PID 1016 wrote to memory of 4772	1016	cmd.exe	90
PID 3408 wrote to memory of 2704	3408	cmd.exe	91
PID 3408 wrote to memory of 2704	3408	cmd.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\passwords.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\Desktop\send_passwords.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -windowstyle hidden -command "& {Start-Process cmd -ArgumentList '/c C:\Users\Admin\Desktop\send_passwords.bat' -Verb RunAs -WindowStyle Hidden}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\Desktop\send_passwords.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2704
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Users\Admin\Desktop\send_passwords.vbs
  2⤵
  - Blocklisted process makes network request
  PID:4772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckdxolvl.5nl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\send_passwords.bat

Filesize
342B

MD5
b2842aaf9c3b3c342dfb53762fc7dfaf

SHA1
184243f85e65bb815b725d06d6ac4c22ee30d287

SHA256
61a8096ea97010dfabd02f81e9ab7a5d8be3bce48f0504c37bf135eddcad159a

SHA512
b743faf4e817218c8fca8ba12b3c967a28aa9b293c8c8656900bbcbb585470b705d55451ac72d32f96b978a22ac41ad63405b8cdb4ca184c55ee49473bc5db0e

Download Submit
C:\Users\Admin\Desktop\send_passwords.vbs

Filesize
254B

MD5
5ab23e6fa91b9e2129a8afdf4d70c278

SHA1
c42b5b0d2c060d9c982334f14f6f8fc457f3f794

SHA256
717f61a824487d57ea76cc0e672f7a93612a153ef8fd9ff44fccaefd77610497

SHA512
34f205f79826fbf5794409904274b0b6b392e2d1d8f276c7335f3ec3f9a748ad4495dcdb4c6f0feacbc492411c187d47d17cb7720b42d66aa7d7b97161127a55

Download Submit
memory/4272-24-0x0000025F95A80000-0x0000025F95AA2000-memory.dmp

Filesize
136KB

Download
memory/4272-29-0x00007FF8C2900000-0x00007FF8C33C1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-30-0x0000025F95850000-0x0000025F95860000-memory.dmp

Filesize
64KB

Download
memory/4272-31-0x0000025F95850000-0x0000025F95860000-memory.dmp

Filesize
64KB

Download
memory/4272-32-0x0000025F95850000-0x0000025F95860000-memory.dmp

Filesize
64KB

Download
memory/4272-35-0x00007FF8C2900000-0x00007FF8C33C1000-memory.dmp

Filesize
10.8MB

Download