284ce68742c3aef65ece4c4d69227eb9415579960cab6b54219b0944867f015e

General

Target

celexxxx_obf.bat
Size

91.4MB
MD5

c2a9426d4cdf55793d93795f1d960b94
SHA1

67fba03d1d37f004d5ad1d2fe6913d8d7216bcba
SHA256

284ce68742c3aef65ece4c4d69227eb9415579960cab6b54219b0944867f015e
SHA512

be098a88d33894b1c45f635a9d9ed4154036e47b845369efb7ff292bd48ccb76f4f86647faa34ab0d30ecdeca418516afc34166fce5b27667963f16c2da9a970
SSDEEP

49152:q7vbJ+T+8qTuu9C15by4XCzHBvy8aQi9o1IKOqOm48DxY4vQngUEQZdYxOBahOlf:nnn

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeIncreaseQuotaPrivilege	2032	powershell.exe
Token: SeSecurityPrivilege	2032	powershell.exe
Token: SeTakeOwnershipPrivilege	2032	powershell.exe
Token: SeLoadDriverPrivilege	2032	powershell.exe
Token: SeSystemProfilePrivilege	2032	powershell.exe
Token: SeSystemtimePrivilege	2032	powershell.exe
Token: SeProfSingleProcessPrivilege	2032	powershell.exe
Token: SeIncBasePriorityPrivilege	2032	powershell.exe
Token: SeCreatePagefilePrivilege	2032	powershell.exe
Token: SeBackupPrivilege	2032	powershell.exe
Token: SeRestorePrivilege	2032	powershell.exe
Token: SeShutdownPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeSystemEnvironmentPrivilege	2032	powershell.exe
Token: SeRemoteShutdownPrivilege	2032	powershell.exe
Token: SeUndockPrivilege	2032	powershell.exe
Token: SeManageVolumePrivilege	2032	powershell.exe
Token: 33	2032	powershell.exe
Token: 34	2032	powershell.exe
Token: 35	2032	powershell.exe
Token: 36	2032	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1236	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 2188	4844	cmd.exe	78
PID 4844 wrote to memory of 2188	4844	cmd.exe	78
PID 4844 wrote to memory of 2032	4844	cmd.exe	79
PID 4844 wrote to memory of 2032	4844	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\celexxxx_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\celexxxx_obf.bat"
  2⤵
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {"Less than 8GB";spps -f -n "cmd" -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4896

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d3c1574e06e9c0ed4ddfecf7eda00476

SHA1
e90dcb7eeb77fdeee2883c9c99fea03c50f80eca

SHA256
0b643c95e32e8cb6c8ad9a28231243f3d028db10560130aabe10cd65c62dace7

SHA512
06a7e8fa4859fd6902e842760ab1be755247ced2cb5d5b92fda7e25483749d2a65acc7ada0dd351c943711eef033f152137aafc18b5283bf3c310737b8b7077b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
201df2af40c67cec53ff6f87f2f425e0

SHA1
218d83a9daf4270e74bc8243708143d64ccdd041

SHA256
664407fbfc1e1598355ccd822fbc5fe259f92d48e68eb81dad3dd81b33d1563b

SHA512
4cc98bcbb0d3bc53709fc96bf25cbd19f538541ef3b972c2a2578c8235cbfde8eed649c80c110971664a6a8e03ba9cd76e5b04b036ce8adf8286d6a1c565a673

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngermux4.orw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotkHdgQn.bat

Filesize
179B

MD5
5af6c8e7a365742051481a776df6fb91

SHA1
30313f40f3e007a573e65c41181c60efa8012495

SHA256
27a9ad3fda1dc91106c8f37c27602afb89dcc8d8328e07a4d44eeed2405db090

SHA512
0cd0885a4b815fd4146e7ab080d199308ff31371543241b3db2ec790893db3e419b62a35e205a00432cc1f9efe530c6bfa6323296e0e8865d4bfffad76bf7a9d

Download Submit
memory/2032-21-0x000001B3BC8B0000-0x000001B3BC8C0000-memory.dmp

Filesize
64KB

Download
memory/2032-23-0x000001B3BC8B0000-0x000001B3BC8C0000-memory.dmp

Filesize
64KB

Download
memory/2032-22-0x000001B3BC8B0000-0x000001B3BC8C0000-memory.dmp

Filesize
64KB

Download
memory/2032-24-0x000001B3BCD50000-0x000001B3BCD7A000-memory.dmp

Filesize
168KB

Download
memory/2032-25-0x000001B3BCD50000-0x000001B3BCD74000-memory.dmp

Filesize
144KB

Download
memory/2032-26-0x000001B3BC8B0000-0x000001B3BC8C0000-memory.dmp

Filesize
64KB

Download
memory/2032-29-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-20-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-19-0x000001B3A4760000-0x000001B3A4782000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing