a01e856d8abfad738ddd144e89829449bd8bad1ef0dd9e5696f56677bd5a9091

Analysis

max time kernel
50s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_obf.bat
Size

4.1MB
MD5

d2bc4e91ca71cb36242afd918caa9ff7
SHA1

9a3aad8e5fdf1fc8cafde83f9dbb770818d02ea4
SHA256

a01e856d8abfad738ddd144e89829449bd8bad1ef0dd9e5696f56677bd5a9091
SHA512

9b553bfcdcaffbe08806b564791df639194aa84fba79c6a8dfb40ae775297962ed4ff7354f0b1f804ea4c69ed4155a43944da3da5da927a73bfec85718523f02
SSDEEP

12288:gqwELKXtBixbDxOM69SQAsRZ4UEnS/h2ehVqNo+ZdtipArCDvLAQwMnNL:gWLSxIwZxeS/hPENXHt3fc

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
4580	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	powershell.exe
2180	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe
Token: 36	3700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe
Token: 36	3700	WMIC.exe
Token: SeDebugPrivilege	4580	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 2760	748	cmd.exe	89
PID 748 wrote to memory of 2760	748	cmd.exe	89
PID 748 wrote to memory of 2180	748	cmd.exe	90
PID 748 wrote to memory of 2180	748	cmd.exe	90
PID 2180 wrote to memory of 3700	2180	powershell.exe	91
PID 2180 wrote to memory of 3700	2180	powershell.exe	91
PID 2180 wrote to memory of 4580	2180	powershell.exe	93
PID 2180 wrote to memory of 4580	2180	powershell.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\setup_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\setup_obf.bat"
  2⤵
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:3636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qntgi0it.cwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotegUyfm.bat

Filesize
176B

MD5
91cf46ca2a75234967c79e98f6ec8c32

SHA1
d9b7edee1e7d57ab5f7739792753f3cb537ac285

SHA256
42f889a964899c7c4a43f177ae6961c915b3d01e7ae212563563e23e89b44c06

SHA512
a72c54d52a5d1b57c2565bd65f5da6ed3fc64474427bde14a58256fd3f59a812c73d6bdac347d83904bbdf17a290789cc2ce7438d2b0bddbe55e38fd73d2a831

Download Submit
memory/2180-11-0x00007FFCC2FB3000-0x00007FFCC2FB5000-memory.dmp

Filesize
8KB

Download
memory/2180-12-0x000001FA6C1C0000-0x000001FA6C1E2000-memory.dmp

Filesize
136KB

Download
memory/2180-22-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

Filesize
10.8MB

Download
memory/2180-23-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

Filesize
10.8MB

Download
memory/2180-26-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

Filesize
10.8MB

Download