e56cdf915ce83055594e56eb3eb01874dce005e2ba160b6583e83b76842ab20e

Resubmissions

21/10/2023, 21:51

231021-1qpm1scc5y 1

21/10/2023, 21:45

231021-1mhqaseb47 1

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

byfronkiller (1).bat
Size

1KB
MD5

e7a181f2bae1fcf4e4d1d1df6dbdeca9
SHA1

d4ce48a478cbfe2e60d7ba0e44038da4ffd1ef18
SHA256

e56cdf915ce83055594e56eb3eb01874dce005e2ba160b6583e83b76842ab20e
SHA512

5de654adda0594304e38fea6561d7cc6b025613fc45ae33543637bbbf8ee10151ac50e583617fcb111c65699da12c99d54a81340718eb0319635faafaf79a351

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2116	powershell.exe
2116	powershell.exe
2852	powershell.exe
2852	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 3560	1340	cmd.exe	86
PID 1340 wrote to memory of 3560	1340	cmd.exe	86
PID 3560 wrote to memory of 640	3560	net.exe	87
PID 3560 wrote to memory of 640	3560	net.exe	87
PID 1340 wrote to memory of 2116	1340	cmd.exe	88
PID 1340 wrote to memory of 2116	1340	cmd.exe	88
PID 1340 wrote to memory of 1760	1340	cmd.exe	90
PID 1340 wrote to memory of 1760	1340	cmd.exe	90
PID 1340 wrote to memory of 4608	1340	cmd.exe	92
PID 1340 wrote to memory of 4608	1340	cmd.exe	92
PID 1340 wrote to memory of 2852	1340	cmd.exe	93
PID 1340 wrote to memory of 2852	1340	cmd.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\byfronkiller (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoProfile -ExecutionPolicy Bypass -Command "Get-AppxPackage -AllUsers *Roblox* | ForEach-Object {Remove-AppxPackage -Package $_.PackageFullName -AllUsers}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowAllTrustedApps" /d "1"
  2⤵
  PID:1760
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"
  2⤵
  PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-AppxPackage -Path 'C:\Users\Admin\Downloads\ROBLOX_2023.1004.2034.0\AppxManifest.xml' -Register"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
958ec9d245aa0e4bd5d05bbdb37475f4

SHA1
80e6d2c6a85922cb83b9fea874320e9c53740bd9

SHA256
a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

SHA512
82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bfe4c3d80c571291d7e32d101f9a88ae

SHA1
134037fd80b3f975ce7eb80a3da6aabd3a41e833

SHA256
f2f2d68c67b42205df3d6909c268215b03254e4090fa83ec7b88b3af3d818587

SHA512
6e6f91cacc32252e90acf518f3583a59fa445be3b51ea4b809060789c12c2d1a35c89ac61bfd24f3bb49f27ee4a9224c9a7d57f5b8b832ddf649f232d014b765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oave11fe.anz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2116-18-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/2116-5-0x000001F4A64B0000-0x000001F4A64D2000-memory.dmp

Filesize
136KB

Download
memory/2116-13-0x000001F4A6690000-0x000001F4A66A6000-memory.dmp

Filesize
88KB

Download
memory/2116-14-0x000001F4A6670000-0x000001F4A667A000-memory.dmp

Filesize
40KB

Download
memory/2116-15-0x000001F4BE820000-0x000001F4BE846000-memory.dmp

Filesize
152KB

Download
memory/2116-12-0x000001F4BE8B0000-0x000001F4BE8C0000-memory.dmp

Filesize
64KB

Download
memory/2116-10-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/2116-11-0x000001F4BE8B0000-0x000001F4BE8C0000-memory.dmp

Filesize
64KB

Download
memory/2852-30-0x0000020BB65A0000-0x0000020BB65B0000-memory.dmp

Filesize
64KB

Download
memory/2852-31-0x0000020BB65A0000-0x0000020BB65B0000-memory.dmp

Filesize
64KB

Download
memory/2852-20-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/2852-33-0x0000020BB65A0000-0x0000020BB65B0000-memory.dmp

Filesize
64KB

Download
memory/2852-34-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/2852-35-0x0000020BB65A0000-0x0000020BB65B0000-memory.dmp

Filesize
64KB

Download
memory/2852-37-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download