ffb7484dbd43f1a8de746604b64da32f8f408b8c76429cb8d36c0fe6c31d6438

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dependencies/2024-1-12/auth..bat
Size

6KB
MD5

8825cf897e698ebbdb8c707bb39d73ca
SHA1

dcece549ce6ed0b24ecc1faf80280c225bdcccae
SHA256

b332d0f81de5a8eced6109033f05192e2aa5ca3ed0a523367428813924a9a28d
SHA512

e3c63dda17128929108ff5492364b4d2df8126f2a8c17d7384ba9f7b0651aec72c11681dd7196f2eef7d693b9b3165b96fc05c98afc40fab9252ef2c7a26e3f9
SSDEEP

192:sYHAivgiRwe5f11ATNLCAtMT7/4+tGs1PP/uQz8tz1hNn:8i4iRwe5f11ATNLCAtMT7/4+tGs1PP/M

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2624 attrib.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2624	attrib.exe

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1664	timeout.exe
2780	timeout.exe
2800	timeout.exe
1112	timeout.exe
2944	timeout.exe
2500	timeout.exe
2836	timeout.exe
2180	timeout.exe
1420	timeout.exe
1076	timeout.exe
1340	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2528 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2496 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2460 systeminfo.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1640 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2588 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2824 powershell.exe
2824 powershell.exe
2824 powershell.exe
2668 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2824 powershell.exe
Token: SeDebugPrivilege 2668 powershell.exe
Token: SeDebugPrivilege 2528 tasklist.exe

pid	process
2528	tasklist.exe

pid	process
2496	ipconfig.exe

pid	process
2460	systeminfo.exe

pid	process
1640	reg.exe

pid	process
2588	PING.EXE

pid	process
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2528	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2376 wrote to memory of 2824	2376	cmd.exe	powershell.exe
PID 2376 wrote to memory of 2824	2376	cmd.exe	powershell.exe
PID 2376 wrote to memory of 2824	2376	cmd.exe	powershell.exe
PID 2824 wrote to memory of 2072	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2072	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2072	2824	powershell.exe	cmd.exe
PID 2072 wrote to memory of 2600	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2600	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2600	2072	cmd.exe	cmd.exe
PID 2600 wrote to memory of 2588	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2588	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2588	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2664	2600	cmd.exe	findstr.exe
PID 2600 wrote to memory of 2664	2600	cmd.exe	findstr.exe
PID 2600 wrote to memory of 2664	2600	cmd.exe	findstr.exe
PID 2072 wrote to memory of 2700	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2700	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2700	2072	cmd.exe	cmd.exe
PID 2700 wrote to memory of 2668	2700	cmd.exe	powershell.exe
PID 2700 wrote to memory of 2668	2700	cmd.exe	powershell.exe
PID 2700 wrote to memory of 2668	2700	cmd.exe	powershell.exe
PID 2072 wrote to memory of 2624	2072	cmd.exe	attrib.exe
PID 2072 wrote to memory of 2624	2072	cmd.exe	attrib.exe
PID 2072 wrote to memory of 2624	2072	cmd.exe	attrib.exe
PID 2072 wrote to memory of 2500	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2500	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2500	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2460	2072	cmd.exe	systeminfo.exe
PID 2072 wrote to memory of 2460	2072	cmd.exe	systeminfo.exe
PID 2072 wrote to memory of 2460	2072	cmd.exe	systeminfo.exe
PID 2072 wrote to memory of 2528	2072	cmd.exe	tasklist.exe
PID 2072 wrote to memory of 2528	2072	cmd.exe	tasklist.exe
PID 2072 wrote to memory of 2528	2072	cmd.exe	tasklist.exe
PID 2072 wrote to memory of 856	2072	cmd.exe	net.exe
PID 2072 wrote to memory of 856	2072	cmd.exe	net.exe
PID 2072 wrote to memory of 856	2072	cmd.exe	net.exe
PID 856 wrote to memory of 1872	856	net.exe	net1.exe
PID 856 wrote to memory of 1872	856	net.exe	net1.exe
PID 856 wrote to memory of 1872	856	net.exe	net1.exe
PID 2072 wrote to memory of 1640	2072	cmd.exe	reg.exe
PID 2072 wrote to memory of 1640	2072	cmd.exe	reg.exe
PID 2072 wrote to memory of 1640	2072	cmd.exe	reg.exe
PID 2072 wrote to memory of 2496	2072	cmd.exe	ipconfig.exe
PID 2072 wrote to memory of 2496	2072	cmd.exe	ipconfig.exe
PID 2072 wrote to memory of 2496	2072	cmd.exe	ipconfig.exe
PID 2072 wrote to memory of 1664	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 1664	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 1664	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 1340	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 1340	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 1340	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2780	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2780	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2780	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2836	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2836	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2836	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2800	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2800	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2800	2072	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2008	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2008	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2008	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2180	2072	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2624 attrib.exe

pid	process
2624	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas 'C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat' am_admin
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat" am_admin
3⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 SCFGBRBT | findstr [
4⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\PING.EXE
ping -4 -n 1 SCFGBRBT
5⤵
- Runs ping.exe
PID:2588

C:\Windows\system32\findstr.exe
findstr [
5⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
4⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\attrib.exe
attrib "C:\ProgramData\s.exe" +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2624

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2500

C:\Windows\system32\systeminfo.exe
SystemInfo
4⤵
- Gathers system information
PID:2460

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\net.exe
net user
4⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:1872

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4⤵
- Modifies registry key
PID:1640

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2496

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1664

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1340

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2780

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2836

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
4⤵
PID:2008

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2180

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1420

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1076

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
4⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
4⤵
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
4⤵
PID:2144

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a6b03e54313eceb5bd91629e5b74740c

SHA1
e78ef72e2e0c13ce30de6dbdf6bf0ea4ed65af13

SHA256
fccdf715f512a876fa02e54527bb8dddd00ec06be2e58311e76060ecf7c4b3e5

SHA512
f5d98ea4eb708234804495acf2cdd62ab4eeecac7a9abe989f051959cc8483317375be712cdbe03c7112868cb817d87bdc88d63dd1724ce8a1e4af3e52e952d4

Download Submit
memory/2668-18-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2668-24-0x000000000295B000-0x00000000029C2000-memory.dmp

Filesize
412KB

Download
memory/2668-25-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-26-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-23-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2668-22-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2668-21-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2668-19-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2668-20-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-8-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-12-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-11-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/2824-10-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/2824-9-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/2824-4-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2824-5-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/2824-6-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download