5811bb28086931a963219fea0e0b570a246aaad020539e14fcde8bb8baeb5056

Analysis

max time kernel
24s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cwel.bat
Size

766B
MD5

b24375c5e020396d882d426b4053bc76
SHA1

d42da1731ca92ab647d8887b187220b3df45b3c7
SHA256

5811bb28086931a963219fea0e0b570a246aaad020539e14fcde8bb8baeb5056
SHA512

fb4d7bce6b42c36a208c3fdeabbbe64683bc30df23c4f07867414e2d521dce4ca5379e9e24395a2ea27f420e4f2cf926ed33af2a0fb28bf421fb845d38093bd2

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cwel.bat	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 876	1092	cmd.exe	83
PID 1092 wrote to memory of 876	1092	cmd.exe	83
PID 1092 wrote to memory of 412	1092	cmd.exe	84
PID 1092 wrote to memory of 412	1092	cmd.exe	84
PID 1092 wrote to memory of 3080	1092	cmd.exe	85
PID 1092 wrote to memory of 3080	1092	cmd.exe	85
PID 1092 wrote to memory of 1180	1092	cmd.exe	87
PID 1092 wrote to memory of 1180	1092	cmd.exe	87
PID 1092 wrote to memory of 1168	1092	cmd.exe	88
PID 1092 wrote to memory of 1168	1092	cmd.exe	88
PID 1092 wrote to memory of 4512	1092	cmd.exe	89
PID 1092 wrote to memory of 4512	1092	cmd.exe	89
PID 1092 wrote to memory of 3056	1092	cmd.exe	92
PID 1092 wrote to memory of 3056	1092	cmd.exe	92
PID 1092 wrote to memory of 1328	1092	cmd.exe	93
PID 1092 wrote to memory of 1328	1092	cmd.exe	93
PID 1092 wrote to memory of 816	1092	cmd.exe	94
PID 1092 wrote to memory of 816	1092	cmd.exe	94
PID 1092 wrote to memory of 3084	1092	cmd.exe	95
PID 1092 wrote to memory of 3084	1092	cmd.exe	95
PID 1092 wrote to memory of 628	1092	cmd.exe	98
PID 1092 wrote to memory of 628	1092	cmd.exe	98
PID 1092 wrote to memory of 380	1092	cmd.exe	99
PID 1092 wrote to memory of 380	1092	cmd.exe	99
PID 1092 wrote to memory of 4460	1092	cmd.exe	100
PID 1092 wrote to memory of 4460	1092	cmd.exe	100
PID 1092 wrote to memory of 2124	1092	cmd.exe	101
PID 1092 wrote to memory of 2124	1092	cmd.exe	101
PID 1092 wrote to memory of 1592	1092	cmd.exe	102
PID 1092 wrote to memory of 1592	1092	cmd.exe	102
PID 1092 wrote to memory of 3664	1092	cmd.exe	103
PID 1092 wrote to memory of 3664	1092	cmd.exe	103
PID 1092 wrote to memory of 1480	1092	cmd.exe	104
PID 1092 wrote to memory of 1480	1092	cmd.exe	104
PID 1092 wrote to memory of 4860	1092	cmd.exe	105
PID 1092 wrote to memory of 4860	1092	cmd.exe	105
PID 1092 wrote to memory of 5072	1092	cmd.exe	107
PID 1092 wrote to memory of 5072	1092	cmd.exe	107
PID 1092 wrote to memory of 1176	1092	cmd.exe	108
PID 1092 wrote to memory of 1176	1092	cmd.exe	108
PID 1092 wrote to memory of 4352	1092	cmd.exe	109
PID 1092 wrote to memory of 4352	1092	cmd.exe	109
PID 1092 wrote to memory of 1948	1092	cmd.exe	110
PID 1092 wrote to memory of 1948	1092	cmd.exe	110
PID 1092 wrote to memory of 4608	1092	cmd.exe	111
PID 1092 wrote to memory of 4608	1092	cmd.exe	111
PID 1092 wrote to memory of 1416	1092	cmd.exe	112
PID 1092 wrote to memory of 1416	1092	cmd.exe	112
PID 1092 wrote to memory of 4012	1092	cmd.exe	113
PID 1092 wrote to memory of 4012	1092	cmd.exe	113
PID 1092 wrote to memory of 532	1092	cmd.exe	116
PID 1092 wrote to memory of 532	1092	cmd.exe	116
PID 1092 wrote to memory of 1412	1092	cmd.exe	117
PID 1092 wrote to memory of 1412	1092	cmd.exe	117
PID 1092 wrote to memory of 5060	1092	cmd.exe	118
PID 1092 wrote to memory of 5060	1092	cmd.exe	118
PID 1092 wrote to memory of 2396	1092	cmd.exe	119
PID 1092 wrote to memory of 2396	1092	cmd.exe	119
PID 1092 wrote to memory of 3788	1092	cmd.exe	120
PID 1092 wrote to memory of 3788	1092	cmd.exe	120
PID 1092 wrote to memory of 1420	1092	cmd.exe	121
PID 1092 wrote to memory of 1420	1092	cmd.exe	121
PID 1092 wrote to memory of 4416	1092	cmd.exe	122
PID 1092 wrote to memory of 4416	1092	cmd.exe	122

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cwel.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:876
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:412
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3080
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1180
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1168
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4512
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3056
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1328
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:816
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3084
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:628
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:380
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4460
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:2124
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1592
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3664
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1480
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4860
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:5072
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1176
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4352
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1948
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4608
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1416
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4012
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:532
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1412
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:5060
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:2396
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3788
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1420
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4416
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4912
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:2644
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4508
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:5116
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3112
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:5088
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:2064
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4128
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1376
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1928
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1792
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1012
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:876
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4280
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4848
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3748
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:3312
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1440
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:5116
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:516
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:1856
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4056
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:2980
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4100
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4772
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:220
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4440
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:2368
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4484
- C:\Windows\system32\curl.exe
  curl https://i.ibb.co/GWVz7Jy/367403957-109903008870996-6270919633466208067-n.jpg -o FlyPawelBroszka.jpg
  2⤵
  PID:4860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FlyPawelBroszka.jpg

Filesize
221KB

MD5
641b14ca25a1e9aff13f788b3cb0e2d7

SHA1
7a779f28ae558741eddb4e687c553e504497b427

SHA256
a4ac34163c033ebab1405cb5637be2bd88c71f8a10cf13e69318558d680bb1ba

SHA512
1baf5e8e793965213f96f770ae4e8157718f7ad84551f4d2650baddea289725c6e9fc2304b9521d8c533550314665cf2f8478256008a97c90c3fedb307d84a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuckedbypawelbroszka.txt

Filesize
59B

MD5
c722bc7e87078774338dbda5562a69de

SHA1
096c467b53b05b185c77c4150aff2394cf34453f

SHA256
aa469a8582e017d2e2e406b59fc2fcc26ed35cf587ee331f92569c78cac17448

SHA512
9fc3b704c6cdf5e1a0f7c8fe8d58bafd66a88799cdd5e99a3d32c8623a61cbd96c0f516eb56164412df8a5786f9034f79a51625eaf4b365537a67c4b7d700c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuckedbypawelbroszka.txt

Filesize
67B

MD5
3fba2ce3e0fdb9b83407a4551a5d78d9

SHA1
8d52f9204a2ac7e1678f81e3cd8c34b097b52f5e

SHA256
c67639573190eeaad35bec4571893204993ed9d3fd568f288e8eaeee264708d1

SHA512
d26010eed3678cf5b4b74f51a7dcb48930137643477eac1edf82fbc5aef2784fae01a1f80d59a8958b89d59a04ad0fafe5fbbd26486e9af338310ff6825fbcd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cwel.bat

Filesize
766B

MD5
b24375c5e020396d882d426b4053bc76

SHA1
d42da1731ca92ab647d8887b187220b3df45b3c7

SHA256
5811bb28086931a963219fea0e0b570a246aaad020539e14fcde8bb8baeb5056

SHA512
fb4d7bce6b42c36a208c3fdeabbbe64683bc30df23c4f07867414e2d521dce4ca5379e9e24395a2ea27f420e4f2cf926ed33af2a0fb28bf421fb845d38093bd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads