fc5849da70e7d7f8dce61a0a2be4e7abe9bd3f258d7b2a5e17f06ba4ccf3df4f

Analysis

max time kernel
8s
max time network
0s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.bat
Size

18KB
MD5

9e8a097543258c3690cd0106993ace37
SHA1

b86a8522134cd761b6ee02facc7ea5d638182156
SHA256

fc5849da70e7d7f8dce61a0a2be4e7abe9bd3f258d7b2a5e17f06ba4ccf3df4f
SHA512

b316f2158d9f38cc026f8a8716b15539fb26ed679a6db8e8f7539cfce18881dea11431ecd511b8199522eca6634bdc3b701bc9273c9fb6391d17372de08e525a
SSDEEP

384:atb1dVAg9120aNEkfYYGxQYUfPt7GusKrTt2OoXatpK:EKDfNEvYGxQYUfPt7GusKrTtHoXatpK

Score

10^/10

execution persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1260614925127254239/hPTszA64BDlLUFi6Nz6it-WGRuGond_Culr2GunGmLJ-WLCQInme4bwtvraxVzwUYqIj

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1260614925127254239/hPTszA64BDlLUFi6Nz6it-WGRuGond_Culr2GunGmLJ-WLCQInme4bwtvraxVzwUYqIj

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3020	powershell.exe
1244	powershell.exe
2516	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1820	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2496	ipconfig.exe
608	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2560	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3020	powershell.exe
1244	powershell.exe
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeDebugPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeRemoteShutdownPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: 33	2652	WMIC.exe
Token: 34	2652	WMIC.exe
Token: 35	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2956	WMIC.exe
Token: SeSecurityPrivilege	2956	WMIC.exe
Token: SeTakeOwnershipPrivilege	2956	WMIC.exe
Token: SeLoadDriverPrivilege	2956	WMIC.exe
Token: SeSystemProfilePrivilege	2956	WMIC.exe
Token: SeSystemtimePrivilege	2956	WMIC.exe
Token: SeProfSingleProcessPrivilege	2956	WMIC.exe
Token: SeIncBasePriorityPrivilege	2956	WMIC.exe
Token: SeCreatePagefilePrivilege	2956	WMIC.exe
Token: SeBackupPrivilege	2956	WMIC.exe
Token: SeRestorePrivilege	2956	WMIC.exe
Token: SeShutdownPrivilege	2956	WMIC.exe
Token: SeDebugPrivilege	2956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2956	WMIC.exe
Token: SeRemoteShutdownPrivilege	2956	WMIC.exe
Token: SeUndockPrivilege	2956	WMIC.exe
Token: SeManageVolumePrivilege	2956	WMIC.exe
Token: 33	2956	WMIC.exe
Token: 34	2956	WMIC.exe
Token: 35	2956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2956	WMIC.exe
Token: SeSecurityPrivilege	2956	WMIC.exe
Token: SeTakeOwnershipPrivilege	2956	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1244	powershell.exe
1244	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2996	1712	cmd.exe	32
PID 1712 wrote to memory of 2996	1712	cmd.exe	32
PID 1712 wrote to memory of 2996	1712	cmd.exe	32
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 2996 wrote to memory of 3000	2996	net.exe	33
PID 1712 wrote to memory of 3020	1712	cmd.exe	34
PID 1712 wrote to memory of 3020	1712	cmd.exe	34
PID 1712 wrote to memory of 3020	1712	cmd.exe	34
PID 1712 wrote to memory of 2652	1712	cmd.exe	35
PID 1712 wrote to memory of 2652	1712	cmd.exe	35
PID 1712 wrote to memory of 2652	1712	cmd.exe	35
PID 1712 wrote to memory of 2956	1712	cmd.exe	37
PID 1712 wrote to memory of 2956	1712	cmd.exe	37
PID 1712 wrote to memory of 2956	1712	cmd.exe	37
PID 1712 wrote to memory of 2856	1712	cmd.exe	38
PID 1712 wrote to memory of 2856	1712	cmd.exe	38
PID 1712 wrote to memory of 2856	1712	cmd.exe	38
PID 1712 wrote to memory of 2560	1712	cmd.exe	39
PID 1712 wrote to memory of 2560	1712	cmd.exe	39
PID 1712 wrote to memory of 2560	1712	cmd.exe	39
PID 1712 wrote to memory of 3024	1712	cmd.exe	41
PID 1712 wrote to memory of 3024	1712	cmd.exe	41
PID 1712 wrote to memory of 3024	1712	cmd.exe	41
PID 1712 wrote to memory of 2716	1712	cmd.exe	42
PID 1712 wrote to memory of 2716	1712	cmd.exe	42
PID 1712 wrote to memory of 2716	1712	cmd.exe	42
PID 2716 wrote to memory of 3036	2716	cmd.exe	43
PID 2716 wrote to memory of 3036	2716	cmd.exe	43
PID 2716 wrote to memory of 3036	2716	cmd.exe	43
PID 1712 wrote to memory of 2496	1712	cmd.exe	44
PID 1712 wrote to memory of 2496	1712	cmd.exe	44
PID 1712 wrote to memory of 2496	1712	cmd.exe	44
PID 1712 wrote to memory of 608	1712	cmd.exe	45
PID 1712 wrote to memory of 608	1712	cmd.exe	45
PID 1712 wrote to memory of 608	1712	cmd.exe	45
PID 1712 wrote to memory of 1820	1712	cmd.exe	46
PID 1712 wrote to memory of 1820	1712	cmd.exe	46
PID 1712 wrote to memory of 1820	1712	cmd.exe	46
PID 1712 wrote to memory of 1244	1712	cmd.exe	47
PID 1712 wrote to memory of 1244	1712	cmd.exe	47
PID 1712 wrote to memory of 1244	1712	cmd.exe	47
PID 1712 wrote to memory of 2516	1712	cmd.exe	48
PID 1712 wrote to memory of 2516	1712	cmd.exe	48
PID 1712 wrote to memory of 2516	1712	cmd.exe	48

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get size
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  PID:2856
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2560
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan show profile
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3036
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:2496
- C:\Windows\system32\NETSTAT.EXE
  netstat -an
  2⤵
  - Gathers network information
  PID:608
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
b2ca73afeb3af6dc30ba8835a0a068c4

SHA1
d7bcfe89d5756521bf1d8ea3f44480eaf7c19f7d

SHA256
a6d5ef5d3cd8389137235f227450629de1d725d6a3140992b968fac0ec19badb

SHA512
9d1ac5a392ee3be365c275d6cd848957d17d362ed5ba8dc72aaf77e0e09e488331837592a68a74f8ec7de26863592a405d0823919e33b6aeb2b55b68c59879aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
e4916e4b343e4151db0f8eb38411219b

SHA1
328f78e44e5269217140c411a6aa8a734de245e7

SHA256
faeb87a9c303ddf311f908d62a62df808594b690a636827667d5234ffd4e300b

SHA512
feca2f1f6a96eef3391e3a48435637dcf75b643bdb94d0a6411c09efbeb4aa120d651a04b96ca683ab79c8c0ec7ba9e42a42e8867933125ee4748e3e87d19525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PKFANH7MMX55JDUZ4JVA.temp

Filesize
7KB

MD5
b713e2834fb1ee79ddb4cc98c6431f0d

SHA1
4fc6d6b1310a73d0955a552782faca95b45eca12

SHA256
1ff5d361163921d3de94e7b868723bb7bf5236ceee0b13ba48c9ea1834099112

SHA512
f5df4f8e00355253c0f98e3ee7ac55418b8ab6bae4f434c741e51d35695fbdde13d00d2950e8e5cc4cdbdf328921afbc1ca7bdef1d35e1ddbb6f779fabe465b5

Download Submit
memory/1244-54-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1244-53-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2516-118-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3020-8-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-12-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-10-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-9-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-7-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-4-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Filesize
4KB

Download
memory/3020-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/3020-5-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download