7ee418f0f9a52187976c4e7ccaa0325379d6fd8713d1efdf4c243e37434d2b84

Analysis

max time kernel
131s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/07/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanNextgen2024/start.bat
Size

38KB
MD5

a4ba8094457ec4795146ecedc1c20399
SHA1

cee032a4697d2bcaf17e94fc33dbee590d11fe79
SHA256

23a2398271cb74a935fb935e335ec0da31b5f04229bc6243bb4c703bd5b20118
SHA512

d0fea3c59fc09f475255d8b62d69b727e18d13e2f6757faeb9f5dbd13ba13bf6d3cdb3cb56e291b6fe1300b1b6b0596cde091168873b56d7a816111dabc00e00
SSDEEP

384:UoNcVZ+jUGIi5JNOrMg6ORtBA2oPq4fejgDrO13Rc1v8gkDe0QRwC8WXW+rVyxnV:LNoZ+jUa5JNOgg6Q82oPq4fejvC6

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
216	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
216	powershell.exe
216	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2492	4864	cmd.exe	75
PID 4864 wrote to memory of 2492	4864	cmd.exe	75
PID 4864 wrote to memory of 2984	4864	cmd.exe	76
PID 4864 wrote to memory of 2984	4864	cmd.exe	76
PID 4864 wrote to memory of 3028	4864	cmd.exe	77
PID 4864 wrote to memory of 3028	4864	cmd.exe	77
PID 4864 wrote to memory of 2640	4864	cmd.exe	78
PID 4864 wrote to memory of 2640	4864	cmd.exe	78
PID 4864 wrote to memory of 2844	4864	cmd.exe	79
PID 4864 wrote to memory of 2844	4864	cmd.exe	79
PID 4864 wrote to memory of 1476	4864	cmd.exe	80
PID 4864 wrote to memory of 1476	4864	cmd.exe	80
PID 4864 wrote to memory of 4920	4864	cmd.exe	81
PID 4864 wrote to memory of 4920	4864	cmd.exe	81
PID 4864 wrote to memory of 3680	4864	cmd.exe	82
PID 4864 wrote to memory of 3680	4864	cmd.exe	82
PID 4864 wrote to memory of 204	4864	cmd.exe	83
PID 4864 wrote to memory of 204	4864	cmd.exe	83
PID 4864 wrote to memory of 216	4864	cmd.exe	84
PID 4864 wrote to memory of 216	4864	cmd.exe	84

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2984
- C:\Windows\system32\find.exe
  fInd
  2⤵
  PID:3028
- C:\Windows\system32\findstr.exe
  findstr /L /I set C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat
  2⤵
  PID:2640
- C:\Windows\system32\findstr.exe
  findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat
  2⤵
  PID:2844
- C:\Windows\system32\findstr.exe
  findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat
  2⤵
  PID:1476
- C:\Windows\system32\findstr.exe
  findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat
  2⤵
  PID:4920
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ucqpn2e.50w.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/216-6-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp

Filesize
4KB

Download
memory/216-9-0x00000210CFED0000-0x00000210CFEF2000-memory.dmp

Filesize
136KB

Download
memory/216-12-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/216-13-0x00000210CFF80000-0x00000210CFFF6000-memory.dmp

Filesize
472KB

Download
memory/216-14-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download
memory/216-42-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp

Filesize
9.9MB

Download