80b5ec95630e41ab434aa5173bf0e01d649c988c8a808f5c6dc9f5429ec6dea9

General

Target

Nursultan Alpha/start.bat
Size

330KB
MD5

4d51a6fcf1d1e0fbd616656feb5641f8
SHA1

c7cac69757bea9e7c820fce38f37d70ff08c146f
SHA256

2613a7f261d596639b1841cc59877b33d5027236b89ae6121f972625a504c48c
SHA512

7d06aebef47071ad253dffda6859849c9c473ba7b7a13079dfb0d758c9b4a468f875921993ae37d4cc5b1be5158102f263f29f1b04a2f84e0adef4f8b712650e
SSDEEP

6144:NgYR1+4N5cnf1HYyu9YgYj91ZfXzjIzK9LRzNPGua1q1qkH4oeO1CWVUNi9S9:NtYRY9a9DPzNYd1JkH4wbVs

Score

4^/10

defense_evasion

Malware Config

Signatures

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exe

pid process

372 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

372 powershell.exe
372 powershell.exe
372 powershell.exe

pid	process
372	powershell.exe

pid	process
372	powershell.exe
372	powershell.exe
372	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	372	powershell.exe
Token: SeIncreaseQuotaPrivilege	372	powershell.exe
Token: SeSecurityPrivilege	372	powershell.exe
Token: SeTakeOwnershipPrivilege	372	powershell.exe
Token: SeLoadDriverPrivilege	372	powershell.exe
Token: SeSystemProfilePrivilege	372	powershell.exe
Token: SeSystemtimePrivilege	372	powershell.exe
Token: SeProfSingleProcessPrivilege	372	powershell.exe
Token: SeIncBasePriorityPrivilege	372	powershell.exe
Token: SeCreatePagefilePrivilege	372	powershell.exe
Token: SeBackupPrivilege	372	powershell.exe
Token: SeRestorePrivilege	372	powershell.exe
Token: SeShutdownPrivilege	372	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeSystemEnvironmentPrivilege	372	powershell.exe
Token: SeRemoteShutdownPrivilege	372	powershell.exe
Token: SeUndockPrivilege	372	powershell.exe
Token: SeManageVolumePrivilege	372	powershell.exe
Token: 33	372	powershell.exe
Token: 34	372	powershell.exe
Token: 35	372	powershell.exe
Token: 36	372	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4156 wrote to memory of 3716	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 3716	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 2572	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 2572	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 2760	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 2760	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 1728	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 1728	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 4056	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 4056	4156	cmd.exe	findstr.exe
PID 4156 wrote to memory of 372	4156	cmd.exe	powershell.exe
PID 4156 wrote to memory of 372	4156	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:3716
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2572
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2760
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:1728
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotDEbKM.bat

Filesize
188B

MD5
efbd5d5781ef79c05a56b97edf9228b1

SHA1
4d3e26689d111abdbd5f0d872532e5de1efe4599

SHA256
43842e162c505a78cdbb80ba1ae88d7c770f6943d6968ff1a0895acf3b9213e1

SHA512
82764fcf34549d975d17a662bca27afc1be610f4be0aa5840664e55f1d1fc572f5fae67f6f20e51bea5b16df6a7a54e949ebcb2ba55c8f00323ed7afe7cbc976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotYKoIC.bat

Filesize
13B

MD5
337065424ed27284c55b80741f912713

SHA1
0e99e1b388ae66a51a8ffeee3448c3509a694db8

SHA256
4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

SHA512
d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2krcugb2.3ps.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/372-55-0x00007FFB19313000-0x00007FFB19315000-memory.dmp

Filesize
8KB

Download
memory/372-65-0x0000026C9E720000-0x0000026C9E742000-memory.dmp

Filesize
136KB

Download
memory/372-66-0x00007FFB19310000-0x00007FFB19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/372-67-0x00007FFB19310000-0x00007FFB19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/372-68-0x0000026C9E780000-0x0000026C9E7AA000-memory.dmp

Filesize
168KB

Download
memory/372-69-0x0000026C9E780000-0x0000026C9E7A4000-memory.dmp

Filesize
144KB

Download
memory/372-72-0x00007FFB19310000-0x00007FFB19DD1000-memory.dmp

Filesize
10.8MB

Download
memory/372-73-0x00007FFB19310000-0x00007FFB19DD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing