d4f13de0520e56d0174c637e16bffc9cb8e879eb3cba5623ef786c3955cb96b3

Analysis

max time kernel
90s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
02/06/2024, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cprcutor/open_me.bat
Size

3.5MB
MD5

1428e8b5ba2f69994c0b03698a898118
SHA1

4e893e5f844745e6a8e47e291ed425b5f44f1b53
SHA256

e064709e65f69feefedece379196d870f2dcc8d5c48c1b794ff8dc6eb96ff908
SHA512

6474054a1f6441d7445b2e10309a235d1b48d7551c4a9ed422fb1325ac3ca354a204604bd00728ca3c6e063ac910d4a0e442424c2538315c918d6048e9d8cb10
SSDEEP

3072:UxL9CvZ0gNS67Jvq0tH1obhNsRQNV14IlHDokfe5sio8HpF0twd/Z:U+SgNziGiboiNnNkB5jH3wO/Z

Score

7^/10

execution

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr.bat	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1556	powershell.exe
2576	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1556	powershell.exe
1556	powershell.exe
2576	powershell.exe
2576	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5104	WMIC.exe
Token: SeSecurityPrivilege	5104	WMIC.exe
Token: SeTakeOwnershipPrivilege	5104	WMIC.exe
Token: SeLoadDriverPrivilege	5104	WMIC.exe
Token: SeSystemProfilePrivilege	5104	WMIC.exe
Token: SeSystemtimePrivilege	5104	WMIC.exe
Token: SeProfSingleProcessPrivilege	5104	WMIC.exe
Token: SeIncBasePriorityPrivilege	5104	WMIC.exe
Token: SeCreatePagefilePrivilege	5104	WMIC.exe
Token: SeBackupPrivilege	5104	WMIC.exe
Token: SeRestorePrivilege	5104	WMIC.exe
Token: SeShutdownPrivilege	5104	WMIC.exe
Token: SeDebugPrivilege	5104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5104	WMIC.exe
Token: SeRemoteShutdownPrivilege	5104	WMIC.exe
Token: SeUndockPrivilege	5104	WMIC.exe
Token: SeManageVolumePrivilege	5104	WMIC.exe
Token: 33	5104	WMIC.exe
Token: 34	5104	WMIC.exe
Token: 35	5104	WMIC.exe
Token: 36	5104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5104	WMIC.exe
Token: SeSecurityPrivilege	5104	WMIC.exe
Token: SeTakeOwnershipPrivilege	5104	WMIC.exe
Token: SeLoadDriverPrivilege	5104	WMIC.exe
Token: SeSystemProfilePrivilege	5104	WMIC.exe
Token: SeSystemtimePrivilege	5104	WMIC.exe
Token: SeProfSingleProcessPrivilege	5104	WMIC.exe
Token: SeIncBasePriorityPrivilege	5104	WMIC.exe
Token: SeCreatePagefilePrivilege	5104	WMIC.exe
Token: SeBackupPrivilege	5104	WMIC.exe
Token: SeRestorePrivilege	5104	WMIC.exe
Token: SeShutdownPrivilege	5104	WMIC.exe
Token: SeDebugPrivilege	5104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5104	WMIC.exe
Token: SeRemoteShutdownPrivilege	5104	WMIC.exe
Token: SeUndockPrivilege	5104	WMIC.exe
Token: SeManageVolumePrivilege	5104	WMIC.exe
Token: 33	5104	WMIC.exe
Token: 34	5104	WMIC.exe
Token: 35	5104	WMIC.exe
Token: 36	5104	WMIC.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeIncreaseQuotaPrivilege	2576	powershell.exe
Token: SeSecurityPrivilege	2576	powershell.exe
Token: SeTakeOwnershipPrivilege	2576	powershell.exe
Token: SeLoadDriverPrivilege	2576	powershell.exe
Token: SeSystemProfilePrivilege	2576	powershell.exe
Token: SeSystemtimePrivilege	2576	powershell.exe
Token: SeProfSingleProcessPrivilege	2576	powershell.exe
Token: SeIncBasePriorityPrivilege	2576	powershell.exe
Token: SeCreatePagefilePrivilege	2576	powershell.exe
Token: SeBackupPrivilege	2576	powershell.exe
Token: SeRestorePrivilege	2576	powershell.exe
Token: SeShutdownPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeSystemEnvironmentPrivilege	2576	powershell.exe
Token: SeRemoteShutdownPrivilege	2576	powershell.exe
Token: SeUndockPrivilege	2576	powershell.exe
Token: SeManageVolumePrivilege	2576	powershell.exe
Token: 33	2576	powershell.exe
Token: 34	2576	powershell.exe
Token: 35	2576	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2632	1532	cmd.exe	79
PID 1532 wrote to memory of 2632	1532	cmd.exe	79
PID 1532 wrote to memory of 1256	1532	cmd.exe	80
PID 1532 wrote to memory of 1256	1532	cmd.exe	80
PID 1532 wrote to memory of 4412	1532	cmd.exe	81
PID 1532 wrote to memory of 4412	1532	cmd.exe	81
PID 1532 wrote to memory of 3292	1532	cmd.exe	82
PID 1532 wrote to memory of 3292	1532	cmd.exe	82
PID 3292 wrote to memory of 5104	3292	cmd.exe	83
PID 3292 wrote to memory of 5104	3292	cmd.exe	83
PID 1532 wrote to memory of 4764	1532	cmd.exe	85
PID 1532 wrote to memory of 4764	1532	cmd.exe	85
PID 1532 wrote to memory of 1556	1532	cmd.exe	86
PID 1532 wrote to memory of 1556	1532	cmd.exe	86
PID 1532 wrote to memory of 1564	1532	cmd.exe	87
PID 1532 wrote to memory of 1564	1532	cmd.exe	87
PID 1532 wrote to memory of 4224	1532	cmd.exe	88
PID 1532 wrote to memory of 4224	1532	cmd.exe	88
PID 1532 wrote to memory of 2132	1532	cmd.exe	89
PID 1532 wrote to memory of 2132	1532	cmd.exe	89
PID 1532 wrote to memory of 1828	1532	cmd.exe	90
PID 1532 wrote to memory of 1828	1532	cmd.exe	90
PID 1828 wrote to memory of 1796	1828	net.exe	91
PID 1828 wrote to memory of 1796	1828	net.exe	91
PID 1532 wrote to memory of 2576	1532	cmd.exe	92
PID 1532 wrote to memory of 2576	1532	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cprcutor\open_me.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cprcutor\open_me.bat"
  2⤵
  PID:2632
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cprcutor\open_me.bat"
  2⤵
  PID:1256
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cprcutor\open_me.bat"
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\cprcutor\open_me.bat"
  2⤵
  PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1564
- C:\Windows\system32\doskey.exe
  doskey CD=CACLS
  2⤵
  PID:4224
- C:\Windows\system32\doskey.exe
  doskey CD=COMP
  2⤵
  PID:2132
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zr4gi0an.bgf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cprcutor\kdotKcsuT.bat

Filesize
183B

MD5
fe2738ce0a55e032deb657d65d3a4328

SHA1
7a23e860fe58128b7fa5001e494bec459bb01d00

SHA256
b3ec4ecc682f69a41b756d7e9efb65c4f75711e95890ed6fabe5e5ebffa0760e

SHA512
fad368ebf6b6222f8a58b0ec894039bcfa1f41df0bb78f48118b220bc1f24f13721999064b3272fbfdde55d50bb0f5635d68ff2ec566c4e1882314f0829c1e7d

Download Submit
memory/1556-44-0x00007FFF1DEB3000-0x00007FFF1DEB5000-memory.dmp

Filesize
8KB

Download
memory/1556-53-0x00000190EBB40000-0x00000190EBB62000-memory.dmp

Filesize
136KB

Download
memory/1556-54-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/1556-55-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/1556-58-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Filesize
10.8MB

Download
memory/2576-73-0x000002D6552F0000-0x000002D655314000-memory.dmp

Filesize
144KB

Download
memory/2576-72-0x000002D6552F0000-0x000002D65531A000-memory.dmp

Filesize
168KB

Download