a799783600bfc7c93074b7eace12f1ba2aed930e2beb67388e5b2158fe0b5ef6

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowpayload.bat
Size

95B
MD5

e916c6a199e53fb7a8926b74aba02a73
SHA1

d9b06666d647e57df25d5aaa34c0b2449a68cc7e
SHA256

ccf335b3e5ddecc653338dfb68bf7c81062ba2b189c2e821775967590293bba1
SHA512

1918f8ea547390d43257c52d70275b5e438b0b0695afd381c59910efc5d2fa4f99ba29c248579c9a6eec8f8490cf4f5b025c0e827fd78a5317f60558a0de615b

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2804	1984	cmd.exe	29
PID 1984 wrote to memory of 2804	1984	cmd.exe	29
PID 1984 wrote to memory of 2804	1984	cmd.exe	29
PID 1984 wrote to memory of 2760	1984	cmd.exe	30
PID 1984 wrote to memory of 2760	1984	cmd.exe	30
PID 1984 wrote to memory of 2760	1984	cmd.exe	30
PID 1984 wrote to memory of 2596	1984	cmd.exe	31
PID 1984 wrote to memory of 2596	1984	cmd.exe	31
PID 1984 wrote to memory of 2596	1984	cmd.exe	31
PID 1984 wrote to memory of 2820	1984	cmd.exe	32
PID 1984 wrote to memory of 2820	1984	cmd.exe	32
PID 1984 wrote to memory of 2820	1984	cmd.exe	32
PID 1984 wrote to memory of 1680	1984	cmd.exe	33
PID 1984 wrote to memory of 1680	1984	cmd.exe	33
PID 1984 wrote to memory of 1680	1984	cmd.exe	33
PID 1984 wrote to memory of 1312	1984	cmd.exe	34
PID 1984 wrote to memory of 1312	1984	cmd.exe	34
PID 1984 wrote to memory of 1312	1984	cmd.exe	34
PID 1984 wrote to memory of 2452	1984	cmd.exe	35
PID 1984 wrote to memory of 2452	1984	cmd.exe	35
PID 1984 wrote to memory of 2452	1984	cmd.exe	35
PID 1984 wrote to memory of 1484	1984	cmd.exe	36
PID 1984 wrote to memory of 1484	1984	cmd.exe	36
PID 1984 wrote to memory of 1484	1984	cmd.exe	36
PID 1984 wrote to memory of 1616	1984	cmd.exe	39
PID 1984 wrote to memory of 1616	1984	cmd.exe	39
PID 1984 wrote to memory of 1616	1984	cmd.exe	39
PID 1984 wrote to memory of 268	1984	cmd.exe	40
PID 1984 wrote to memory of 268	1984	cmd.exe	40
PID 1984 wrote to memory of 268	1984	cmd.exe	40
PID 1984 wrote to memory of 2244	1984	cmd.exe	41
PID 1984 wrote to memory of 2244	1984	cmd.exe	41
PID 1984 wrote to memory of 2244	1984	cmd.exe	41
PID 1984 wrote to memory of 2720	1984	cmd.exe	42
PID 1984 wrote to memory of 2720	1984	cmd.exe	42
PID 1984 wrote to memory of 2720	1984	cmd.exe	42
PID 1984 wrote to memory of 544	1984	cmd.exe	43
PID 1984 wrote to memory of 544	1984	cmd.exe	43
PID 1984 wrote to memory of 544	1984	cmd.exe	43
PID 1984 wrote to memory of 2200	1984	cmd.exe	44
PID 1984 wrote to memory of 2200	1984	cmd.exe	44
PID 1984 wrote to memory of 2200	1984	cmd.exe	44
PID 1984 wrote to memory of 2848	1984	cmd.exe	45
PID 1984 wrote to memory of 2848	1984	cmd.exe	45
PID 1984 wrote to memory of 2848	1984	cmd.exe	45
PID 1984 wrote to memory of 2496	1984	cmd.exe	46
PID 1984 wrote to memory of 2496	1984	cmd.exe	46
PID 1984 wrote to memory of 2496	1984	cmd.exe	46
PID 1984 wrote to memory of 1988	1984	cmd.exe	47
PID 1984 wrote to memory of 1988	1984	cmd.exe	47
PID 1984 wrote to memory of 1988	1984	cmd.exe	47
PID 1984 wrote to memory of 1060	1984	cmd.exe	48
PID 1984 wrote to memory of 1060	1984	cmd.exe	48
PID 1984 wrote to memory of 1060	1984	cmd.exe	48
PID 1984 wrote to memory of 320	1984	cmd.exe	49
PID 1984 wrote to memory of 320	1984	cmd.exe	49
PID 1984 wrote to memory of 320	1984	cmd.exe	49
PID 1984 wrote to memory of 2968	1984	cmd.exe	50
PID 1984 wrote to memory of 2968	1984	cmd.exe	50
PID 1984 wrote to memory of 2968	1984	cmd.exe	50
PID 1984 wrote to memory of 816	1984	cmd.exe	51
PID 1984 wrote to memory of 816	1984	cmd.exe	51
PID 1984 wrote to memory of 816	1984	cmd.exe	51
PID 1984 wrote to memory of 2424	1984	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\windowpayload.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2760
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2596
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1680
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1312
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2452
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1484
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1616
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:268
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2244
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2720
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2496
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1988
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1060
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:320
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2968
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:816
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2424
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2092
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:1700
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lol.vbs"
  2⤵
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2804-4-0x000007FEF585E000-0x000007FEF585F000-memory.dmp

Filesize
4KB

Download
memory/2804-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2804-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2804-7-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-8-0x0000000002CE4000-0x0000000002CE7000-memory.dmp

Filesize
12KB

Download
memory/2804-107-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download