672e4954da1ad7dfd19cacc1f41ecf3e9ab4e1d45d8b095f5b23d3bfe568532a

General

Target

off.bat
Size

287B
MD5

03889252d52ac087c568af4986b50dda
SHA1

ea5b819dcf06110180301911bb41ab91c7d29dd6
SHA256

672e4954da1ad7dfd19cacc1f41ecf3e9ab4e1d45d8b095f5b23d3bfe568532a
SHA512

c8ee7670b0ddc3ed1ba549956dbd411ec21518db49729215b0b6acab1c1cc03ff4d7f053a21afe032c770c75e69ff92175d7b2b623d81d5c2318567256d006b4

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3796	powershell.exe
3796	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3796	1900	cmd.exe	80
PID 1900 wrote to memory of 3796	1900	cmd.exe	80
PID 3796 wrote to memory of 348	3796	powershell.exe	81
PID 3796 wrote to memory of 348	3796	powershell.exe	81
PID 348 wrote to memory of 3772	348	csc.exe	83
PID 348 wrote to memory of 3772	348	csc.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\off.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -command $obj = Add-Type -MemberDefinition '[DllImport(""""user32.dll"""")] public static extern int SendMessage(int hWnd, int hMsg, int wParam, int lParam);' -Name fn -Namespace ns -PassThru; $obj::SendMessage(0xffff, 0x0112, 0xF170, 2)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hsmjn1v0\hsmjn1v0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55E0.tmp" "c:\Users\Admin\AppData\Local\Temp\hsmjn1v0\CSC38641137D7814893B5131B29D757690.TMP"
      4⤵
      PID:3772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES55E0.tmp

Filesize
1KB

MD5
22ff4026770dd72d75f409289641eecf

SHA1
1a2a2919b4679fe8db280ac7366da3b7b52fb9ad

SHA256
47eb63e2bd4f635b8ed88f3771ee67bf411e60af1b524e5a8cccc72192716262

SHA512
883b2e98d3b30a1b63994f6a742947017de91edd2e8a3378da2b3a7aa49aad6b10c2683bc7a03dacfb171c41afbc992333d5b9957dcc6dc2044a8faa9c2abdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wstrnnjy.ya2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsmjn1v0\hsmjn1v0.dll

Filesize
3KB

MD5
1b883d121685df5d3588504fe57cdc9f

SHA1
61936a39ff6787bc0386bfc4e2b463b710b31d03

SHA256
f833411b58a3ef1fcf8216907836a056f301d33c963ed2874eb59502db259d1c

SHA512
5f3fe4b3c0c1269619fd44edcdab5d979446d160d898256dea24a2f587437aa0dee57d7e303459ac8ebe2ae38a0700f1efe41f71f868490884b007aa0be6ce5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hsmjn1v0\CSC38641137D7814893B5131B29D757690.TMP

Filesize
652B

MD5
13f881f7ad4bf7f59187347b38b5d621

SHA1
76b1919b797ab0e73a6ba85eb282ba118a97e617

SHA256
9c5967af06a98838b4f5deb4787bf6b79fe7d49d6627e3d39d38443772e3fddb

SHA512
a0292d14bca5771803676a33c807ec733f3230abae86027cffdc25bf9b52668af85980417b8cf127731e14a0e9555f8ead6f3ca739f83d41561455d17cdf2014

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hsmjn1v0\hsmjn1v0.0.cs

Filesize
219B

MD5
b04c2616c36a0888c636a79e26cb5db8

SHA1
2498cd3bcba70b4f562f3dfb8be120b494628a29

SHA256
647a20a516bd6c1bf672137cf2d092312b74deb1dbebd1156b6fda2051d1728e

SHA512
fa62f60a5c0797e7d077b275592ef91af84e4d810b053f3da1ae08c84dc1037f9ebbe89b691e7ffa387e19ddb09c9c927a3cdfa9232a1a0c2c83db1f45b55f88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hsmjn1v0\hsmjn1v0.cmdline

Filesize
369B

MD5
dd2d34508dd2f490ed04673ed4fa572e

SHA1
286b50bb883f5719c8dff9f36f7379e89024a9ae

SHA256
03a0ddd44071286b0849a2bc5f9102aa1e8712e78c87cc2cd99855129ef24e7f

SHA512
dd2bbcc1a215ac1edd39cf8665f7fe79d1f02afe2fbded5a8a5e0c2dcb1e7a605eed752788a33d6c5343ba0b9b96b0e3a46b0eee4fcbd4eb2bafd033a69fc536

Download Submit
memory/3796-8-0x0000018145600000-0x0000018145622000-memory.dmp

Filesize
136KB

Download
memory/3796-9-0x00007FFB89BD0000-0x00007FFB8A692000-memory.dmp

Filesize
10.8MB

Download
memory/3796-10-0x000001815D760000-0x000001815D770000-memory.dmp

Filesize
64KB

Download
memory/3796-11-0x000001815D760000-0x000001815D770000-memory.dmp

Filesize
64KB

Download
memory/3796-24-0x000001815D740000-0x000001815D748000-memory.dmp

Filesize
32KB

Download
memory/3796-28-0x00007FFB89BD0000-0x00007FFB8A692000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads