5dfa7816c521fa59c1e558ca48e39632257afa88b97b901160e2ff97ad63e681

Analysis

max time kernel
122s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64 beta/dependencies/2024-1-12/auth..bat
Size

6KB
MD5

8825cf897e698ebbdb8c707bb39d73ca
SHA1

dcece549ce6ed0b24ecc1faf80280c225bdcccae
SHA256

b332d0f81de5a8eced6109033f05192e2aa5ca3ed0a523367428813924a9a28d
SHA512

e3c63dda17128929108ff5492364b4d2df8126f2a8c17d7384ba9f7b0651aec72c11681dd7196f2eef7d693b9b3165b96fc05c98afc40fab9252ef2c7a26e3f9
SSDEEP

192:sYHAivgiRwe5f11ATNLCAtMT7/4+tGs1PP/uQz8tz1hNn:8i4iRwe5f11ATNLCAtMT7/4+tGs1PP/M

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3016	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Delays execution with timeout.exe 11 IoCs

evasion

pid	Process
2168	timeout.exe
2036	timeout.exe
1580	timeout.exe
1560	timeout.exe
2028	timeout.exe
1344	timeout.exe
2016	timeout.exe
320	timeout.exe
1624	timeout.exe
1520	timeout.exe
2408	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1156	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1868	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3020	systeminfo.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1992	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2824	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2344	powershell.exe
2344	powershell.exe
2344	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1156	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2344	1176	cmd.exe	29
PID 1176 wrote to memory of 2344	1176	cmd.exe	29
PID 1176 wrote to memory of 2344	1176	cmd.exe	29
PID 2344 wrote to memory of 2780	2344	powershell.exe	30
PID 2344 wrote to memory of 2780	2344	powershell.exe	30
PID 2344 wrote to memory of 2780	2344	powershell.exe	30
PID 2780 wrote to memory of 2932	2780	cmd.exe	32
PID 2780 wrote to memory of 2932	2780	cmd.exe	32
PID 2780 wrote to memory of 2932	2780	cmd.exe	32
PID 2932 wrote to memory of 2824	2932	cmd.exe	33
PID 2932 wrote to memory of 2824	2932	cmd.exe	33
PID 2932 wrote to memory of 2824	2932	cmd.exe	33
PID 2932 wrote to memory of 2708	2932	cmd.exe	34
PID 2932 wrote to memory of 2708	2932	cmd.exe	34
PID 2932 wrote to memory of 2708	2932	cmd.exe	34
PID 2780 wrote to memory of 2848	2780	cmd.exe	35
PID 2780 wrote to memory of 2848	2780	cmd.exe	35
PID 2780 wrote to memory of 2848	2780	cmd.exe	35
PID 2848 wrote to memory of 2736	2848	cmd.exe	36
PID 2848 wrote to memory of 2736	2848	cmd.exe	36
PID 2848 wrote to memory of 2736	2848	cmd.exe	36
PID 2780 wrote to memory of 3016	2780	cmd.exe	37
PID 2780 wrote to memory of 3016	2780	cmd.exe	37
PID 2780 wrote to memory of 3016	2780	cmd.exe	37
PID 2780 wrote to memory of 2168	2780	cmd.exe	38
PID 2780 wrote to memory of 2168	2780	cmd.exe	38
PID 2780 wrote to memory of 2168	2780	cmd.exe	38
PID 2780 wrote to memory of 3020	2780	cmd.exe	39
PID 2780 wrote to memory of 3020	2780	cmd.exe	39
PID 2780 wrote to memory of 3020	2780	cmd.exe	39
PID 2780 wrote to memory of 1156	2780	cmd.exe	42
PID 2780 wrote to memory of 1156	2780	cmd.exe	42
PID 2780 wrote to memory of 1156	2780	cmd.exe	42
PID 2780 wrote to memory of 872	2780	cmd.exe	43
PID 2780 wrote to memory of 872	2780	cmd.exe	43
PID 2780 wrote to memory of 872	2780	cmd.exe	43
PID 872 wrote to memory of 1472	872	net.exe	44
PID 872 wrote to memory of 1472	872	net.exe	44
PID 872 wrote to memory of 1472	872	net.exe	44
PID 2780 wrote to memory of 1992	2780	cmd.exe	45
PID 2780 wrote to memory of 1992	2780	cmd.exe	45
PID 2780 wrote to memory of 1992	2780	cmd.exe	45
PID 2780 wrote to memory of 1868	2780	cmd.exe	46
PID 2780 wrote to memory of 1868	2780	cmd.exe	46
PID 2780 wrote to memory of 1868	2780	cmd.exe	46
PID 2780 wrote to memory of 2028	2780	cmd.exe	47
PID 2780 wrote to memory of 2028	2780	cmd.exe	47
PID 2780 wrote to memory of 2028	2780	cmd.exe	47
PID 2780 wrote to memory of 2036	2780	cmd.exe	48
PID 2780 wrote to memory of 2036	2780	cmd.exe	48
PID 2780 wrote to memory of 2036	2780	cmd.exe	48
PID 2780 wrote to memory of 1580	2780	cmd.exe	49
PID 2780 wrote to memory of 1580	2780	cmd.exe	49
PID 2780 wrote to memory of 1580	2780	cmd.exe	49
PID 2780 wrote to memory of 1344	2780	cmd.exe	50
PID 2780 wrote to memory of 1344	2780	cmd.exe	50
PID 2780 wrote to memory of 1344	2780	cmd.exe	50
PID 2780 wrote to memory of 2016	2780	cmd.exe	53
PID 2780 wrote to memory of 2016	2780	cmd.exe	53
PID 2780 wrote to memory of 2016	2780	cmd.exe	53
PID 2780 wrote to memory of 1540	2780	cmd.exe	54
PID 2780 wrote to memory of 1540	2780	cmd.exe	54
PID 2780 wrote to memory of 1540	2780	cmd.exe	54
PID 2780 wrote to memory of 320	2780	cmd.exe	55

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3016	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\x64 beta\dependencies\2024-1-12\auth..bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\x64 beta\dependencies\2024-1-12\auth..bat"' am_admin
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x64 beta\dependencies\2024-1-12\auth..bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 JUBFGPHD | findstr [
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\system32\PING.EXE
        
        ping -4 -n 1 JUBFGPHD
        5⤵
        Runs ping.exe
        
        PID:2824
    - - C:\Windows\system32\findstr.exe
        
        findstr [
        5⤵
        
        PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Invoke-RestMethod api.ipify.org
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
  - - C:\Windows\system32\attrib.exe
      attrib "C:\ProgramData\s.exe" +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3016
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2168
  - - C:\Windows\system32\systeminfo.exe
      SystemInfo
      4⤵
      Gathers system information
      PID:3020
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1156
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1472
  - - C:\Windows\system32\reg.exe
      reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      4⤵
      Modifies registry key
      PID:1992
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1868
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2028
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2036
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1580
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1344
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
      4⤵
      PID:1540
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:320
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1624
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1560
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
      4⤵
      PID:2316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
      4⤵
      PID:1200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
      4⤵
      PID:2372
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
91d3d40888f3e4281186521c0a155695

SHA1
0abbf71250b9661a28b82f584eac92507f6bdd5c

SHA256
c11d5ba0feca102c56bb93c88cb4b0945fd383e7674e01e7d49b116d5e49472f

SHA512
151579f3d06540299d3896a967ec2e55401c751b79b244aa849cb2e5764d664f991ab9681132db5d2af9c7a34ac331faa7446e00c69247ceb02956c038563ffd

Download Submit
memory/2344-7-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2344-6-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-8-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2344-4-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2344-9-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/2344-10-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-11-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-5-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2736-17-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download
memory/2736-20-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2736-18-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-19-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2736-21-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2736-22-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-23-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2736-24-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2736-25-0x000007FEF4B00000-0x000007FEF549D000-memory.dmp

Filesize
9.6MB

Download