a799783600bfc7c93074b7eace12f1ba2aed930e2beb67388e5b2158fe0b5ef6

Analysis

max time kernel
8s
max time network
20s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crusher.bat
Size

122B
MD5

e731ae3239030d9b1b59736da83678a0
SHA1

575add90f5dd29ca3821a809ef74be05cf12ecd8
SHA256

491e86387d7e5e677f1122851e92f19b6723f3772437fbf906e6b1fe8aa49967
SHA512

a0870ca77222301c817e7dd2a750ebb2aad9169544993a1e4541d4d638a448c67b6b9f1b0f20fa4728e2a1b28912bc682a04750355c1a3a8e285ed91c424f4a3

Score

8^/10

execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2336	powershell.exe
2712	powershell.exe
2656	powershell.exe
2680	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-57-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1980-456-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 18 IoCs

evasion

pid	Process
2088	timeout.exe
2324	timeout.exe
2692	timeout.exe
1524	timeout.exe
2624	timeout.exe
1708	timeout.exe
812	timeout.exe
676	timeout.exe
1708	timeout.exe
2300	timeout.exe
1252	timeout.exe
1076	timeout.exe
2492	timeout.exe
960	timeout.exe
2404	timeout.exe
956	timeout.exe
2060	timeout.exe
952	timeout.exe

Enumerates processes with tasklist 1 TTPs 17 IoCs

Process Discovery

T1057

pid	Process
2008	tasklist.exe
2088	tasklist.exe
860	tasklist.exe
2820	tasklist.exe
2828	tasklist.exe
3040	tasklist.exe
2688	tasklist.exe
2980	tasklist.exe
2360	tasklist.exe
1956	tasklist.exe
1112	tasklist.exe
3044	tasklist.exe
1668	tasklist.exe
2240	tasklist.exe
2508	tasklist.exe
1512	tasklist.exe
1776	tasklist.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1980	nircmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2336	powershell.exe
2712	powershell.exe
2680	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2088	tasklist.exe
Token: SeDebugPrivilege	2360	tasklist.exe
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeDebugPrivilege	1512	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2336	2752	cmd.exe	29
PID 2752 wrote to memory of 2336	2752	cmd.exe	29
PID 2752 wrote to memory of 2336	2752	cmd.exe	29
PID 2752 wrote to memory of 2280	2752	cmd.exe	30
PID 2752 wrote to memory of 2280	2752	cmd.exe	30
PID 2752 wrote to memory of 2280	2752	cmd.exe	30
PID 2752 wrote to memory of 3008	2752	cmd.exe	31
PID 2752 wrote to memory of 3008	2752	cmd.exe	31
PID 2752 wrote to memory of 3008	2752	cmd.exe	31
PID 2752 wrote to memory of 2316	2752	cmd.exe	32
PID 2752 wrote to memory of 2316	2752	cmd.exe	32
PID 2752 wrote to memory of 2316	2752	cmd.exe	32
PID 2280 wrote to memory of 2680	2280	cmd.exe	36
PID 2280 wrote to memory of 2680	2280	cmd.exe	36
PID 2280 wrote to memory of 2680	2280	cmd.exe	36
PID 3008 wrote to memory of 2712	3008	cmd.exe	37
PID 3008 wrote to memory of 2712	3008	cmd.exe	37
PID 3008 wrote to memory of 2712	3008	cmd.exe	37
PID 2316 wrote to memory of 2656	2316	cmd.exe	38
PID 2316 wrote to memory of 2656	2316	cmd.exe	38
PID 2316 wrote to memory of 2656	2316	cmd.exe	38
PID 3008 wrote to memory of 392	3008	cmd.exe	39
PID 3008 wrote to memory of 392	3008	cmd.exe	39
PID 3008 wrote to memory of 392	3008	cmd.exe	39
PID 2280 wrote to memory of 1980	2280	cmd.exe	40
PID 2280 wrote to memory of 1980	2280	cmd.exe	40
PID 2280 wrote to memory of 1980	2280	cmd.exe	40
PID 2280 wrote to memory of 1980	2280	cmd.exe	40
PID 2316 wrote to memory of 2060	2316	cmd.exe	42
PID 2316 wrote to memory of 2060	2316	cmd.exe	42
PID 2316 wrote to memory of 2060	2316	cmd.exe	42
PID 2316 wrote to memory of 2088	2316	cmd.exe	71
PID 2316 wrote to memory of 2088	2316	cmd.exe	71
PID 2316 wrote to memory of 2088	2316	cmd.exe	71
PID 2316 wrote to memory of 2064	2316	cmd.exe	44
PID 2316 wrote to memory of 2064	2316	cmd.exe	44
PID 2316 wrote to memory of 2064	2316	cmd.exe	44
PID 2316 wrote to memory of 952	2316	cmd.exe	46
PID 2316 wrote to memory of 952	2316	cmd.exe	46
PID 2316 wrote to memory of 952	2316	cmd.exe	46
PID 2316 wrote to memory of 2360	2316	cmd.exe	47
PID 2316 wrote to memory of 2360	2316	cmd.exe	47
PID 2316 wrote to memory of 2360	2316	cmd.exe	47
PID 2316 wrote to memory of 1624	2316	cmd.exe	48
PID 2316 wrote to memory of 1624	2316	cmd.exe	48
PID 2316 wrote to memory of 1624	2316	cmd.exe	48
PID 2316 wrote to memory of 1252	2316	cmd.exe	49
PID 2316 wrote to memory of 1252	2316	cmd.exe	49
PID 2316 wrote to memory of 1252	2316	cmd.exe	49
PID 3008 wrote to memory of 1916	3008	cmd.exe	50
PID 3008 wrote to memory of 1916	3008	cmd.exe	50
PID 3008 wrote to memory of 1916	3008	cmd.exe	50
PID 2316 wrote to memory of 3040	2316	cmd.exe	51
PID 2316 wrote to memory of 3040	2316	cmd.exe	51
PID 2316 wrote to memory of 3040	2316	cmd.exe	51
PID 2316 wrote to memory of 2732	2316	cmd.exe	52
PID 2316 wrote to memory of 2732	2316	cmd.exe	52
PID 2316 wrote to memory of 2732	2316	cmd.exe	52
PID 2316 wrote to memory of 2692	2316	cmd.exe	53
PID 2316 wrote to memory of 2692	2316	cmd.exe	53
PID 2316 wrote to memory of 2692	2316	cmd.exe	53
PID 2316 wrote to memory of 2508	2316	cmd.exe	54
PID 2316 wrote to memory of 2508	2316	cmd.exe	54
PID 2316 wrote to memory of 2508	2316	cmd.exe	54

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Crusher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K laughpayload.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -command
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\nircmd.exe
    nircmd mediaplay 100000000000000000000000 "laugh.mp3"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K windowpayload.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -command
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
    3⤵
    PID:392
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
    3⤵
    PID:1916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K freddurstpayload.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -command
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2060
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:952
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:1624
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1252
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2732
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2692
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2608
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1076
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:1528
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1524
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1776
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:1796
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:812
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:860
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2208
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2492
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2688
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2460
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:676
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2820
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2088
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2980
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:1840
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:960
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1956
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2112
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2324
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3044
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2404
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2828
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:652
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1708
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1112
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:2120
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2008
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:916
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2300
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1668
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:3044
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2624
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq Microsoft.Photos.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2240
- - C:\Windows\system32\find.exe
    find /I "Microsoft.Photos.exe"
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
58d6ae691c2025e98d71537f2fa2a6af

SHA1
e548d2988e1d88a5340b678b8bee95cd8393bf61

SHA256
37670ecf2e39c090d1c50985e58a397d3e5acff75671926719b3c650b7dd84e5

SHA512
64656723bbe9f6baab014de6a55b0916eb88910d4fd0172d9dcbc415941ebf321c4ced056b6b7756cb76cdc9dcd1404d3900d1b249e696d4b16136e79d4642f0

Download Submit
memory/1980-456-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-107-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/2336-7-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/2336-9-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2336-8-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2336-4-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2336-6-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/2336-5-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2712-23-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2712-22-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download