2b9bd18500ea9ff7b8009b09fcd07f1acae0f4ca30c149c6df07be300a6a1ada

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 02:55

Target

jkshdy.dll.bat
Size

1KB
MD5

0e94b81e5a0e659e20c323ae9169b4e2
SHA1

f5073196909937218c7323fcdc68c160b2afdc56
SHA256

07e1d3a42ac1e36e7ce6faaee7ad3bd85cab10b7a8b3151a39fd1cdbc726db72
SHA512

14c96290e724d8b8aa6c46c9a4fbb6ad9e7e88653fefed7fb368aac91bce85e4d654e04d94575aaf8eca40dbe6b311647b9f3dbacd7279ba4d2a7c9acfcbb638

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2088	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2088	944	cmd.exe	29
PID 944 wrote to memory of 2088	944	cmd.exe	29
PID 944 wrote to memory of 2088	944	cmd.exe	29
PID 944 wrote to memory of 2196	944	cmd.exe	30
PID 944 wrote to memory of 2196	944	cmd.exe	30
PID 944 wrote to memory of 2196	944	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\jkshdy.dll.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - Runs ping.exe
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\service.ps1

Filesize
789B

MD5
aa2cd59ea141ff113f958c07463c6868

SHA1
3763ef8a8f3db01edec2d07c1a020ad42adf890d

SHA256
ab2df8cb646673257a9bcb55c4749afe0d112fc37729e23abd9b8adf33432c98

SHA512
847020a4124a4717be57a04edcfb7ae0becae481084f091c6fa31413498bf410ba482a5bae9b0adbe30db0f5c5585f964851e224a38c47fe75a7943f20c1129f

Download Submit
memory/2196-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2196-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2196-7-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-8-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2196-10-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-11-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2196-12-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2196-13-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2196-14-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

Filesize
9.6MB

Download