ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd

Analysis

max time kernel
66s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DiagReport.bat
Size

1KB
MD5

b82606a6afb3777d62e35e8d9850faed
SHA1

13b5cd6ce43346eacc6d8334a251b429ca8d30f7
SHA256

0843361f05255e3970ed955171c20003238756c57137fef9ac19d29fbd49f9f6
SHA512

e2852b1862d9a3aaa52367ca885951e63bf519159cb5358131792c7dcfe5b3acd8f9282279af0323804f246f853ed7627c370d2ec541452995c9177bd115e9c6

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1616	powershell.exe
1616	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
3712	powershell.exe
3712	powershell.exe
5044	powershell.exe
5044	powershell.exe
760	powershell.exe
760	powershell.exe
5044	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1988	whoami.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1988	4412	cmd.exe	86
PID 4412 wrote to memory of 1988	4412	cmd.exe	86
PID 4412 wrote to memory of 1420	4412	cmd.exe	87
PID 4412 wrote to memory of 1420	4412	cmd.exe	87
PID 4412 wrote to memory of 1332	4412	cmd.exe	88
PID 4412 wrote to memory of 1332	4412	cmd.exe	88
PID 1332 wrote to memory of 1616	1332	cmd.exe	89
PID 1332 wrote to memory of 1616	1332	cmd.exe	89
PID 4412 wrote to memory of 1980	4412	cmd.exe	90
PID 4412 wrote to memory of 1980	4412	cmd.exe	90
PID 4412 wrote to memory of 3712	4412	cmd.exe	92
PID 4412 wrote to memory of 3712	4412	cmd.exe	92
PID 3712 wrote to memory of 760	3712	powershell.exe	93
PID 3712 wrote to memory of 760	3712	powershell.exe	93
PID 4412 wrote to memory of 5044	4412	cmd.exe	95
PID 4412 wrote to memory of 5044	4412	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DiagReport.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\whoami.exe
  whoami /Groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\find.exe
  find "S-1-16-12288"
  2⤵
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Get-ExecutionPolicy
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ExecutionPolicy
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy 0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file \"C:\Users\Admin\AppData\Local\Temp\DiagReport.ps1\"' -verb RunAs}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -file "C:\Users\Admin\AppData\Local\Temp\DiagReport.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy Restricted
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c2a26a05ae505fbff9a55a60fb799572

SHA1
c4d95c942bde11ee5ff563d521ef09a960ad5018

SHA256
12b045b5bfe391b1466e68e940d403d453607bbbf681af9545b7b1a7050f5c61

SHA512
1054a11a5357251a0177ac45efd4344c8204d35dd709fbcf6d91459d0c62e191b46f0006b75cdf60971391e5157051c7c8c056012df25e27bc69a1570ec1586e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1020B

MD5
1bdc311b0966dc2d527f82ed24771dcb

SHA1
e3d997f0c0d52a1fc8bec1dcd21c1261c5128956

SHA256
73d16698897a95ace0fe4adce783bd1d8c6e4f6c0b809116695d679ed328bc99

SHA512
2d17c27267f5af85f9b7c1a827f816e01962b3ea40dd4b18e0423c21feac058e341472520719490ce3c2239da8e04f4346b87d96f1b1ff2932f846f6e740f77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1ecjhzu.pw0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1616-10-0x00007FFDBC0B0000-0x00007FFDBCB71000-memory.dmp

Filesize
10.8MB

Download
memory/1616-12-0x00000220E9540000-0x00000220E9550000-memory.dmp

Filesize
64KB

Download
memory/1616-11-0x00000220E9540000-0x00000220E9550000-memory.dmp

Filesize
64KB

Download
memory/1616-15-0x00007FFDBC0B0000-0x00007FFDBCB71000-memory.dmp

Filesize
10.8MB

Download
memory/1616-5-0x00000220EAE50000-0x00000220EAE72000-memory.dmp

Filesize
136KB

Download
memory/1980-18-0x000001B63DB80000-0x000001B63DB90000-memory.dmp

Filesize
64KB

Download
memory/1980-17-0x00007FFDBC0B0000-0x00007FFDBCB71000-memory.dmp

Filesize
10.8MB

Download
memory/1980-30-0x00007FFDBC0B0000-0x00007FFDBCB71000-memory.dmp

Filesize
10.8MB

Download