4c093503fc15521d72858350aa6da1bc271bb425d1640bf925c9caa641c695cf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fixed_token_grabber (1).bat
Size

19KB
MD5

49fae7a1882ffc5f399d87b67137a731
SHA1

7ba5ed655c599de4f05d9dc5c5ad367caa6f4ab3
SHA256

4c093503fc15521d72858350aa6da1bc271bb425d1640bf925c9caa641c695cf
SHA512

e3ced780a79d5c37b884be93cd5c8f782b19965352e6e4be28ac2441c2204df84cb6a7c948a0468727feff9a4069e97fdedc084105813a94078b7d6205582ff1
SSDEEP

384:DtbMSdVAg9120aNEkfYYGxQYUfPt7GusKrTt2OoXatpD:lCDfNEvYGxQYUfPt7GusKrTtHoXatpD

Score

10^/10

discovery execution persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
2264	powershell.exe
1600	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2860	cmd.exe
2104	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2260	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2328	ipconfig.exe
580	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2124	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2760	powershell.exe
2264	powershell.exe
1600	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	powershell.exe
2264	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2660	2840	cmd.exe	31
PID 2840 wrote to memory of 2660	2840	cmd.exe	31
PID 2840 wrote to memory of 2660	2840	cmd.exe	31
PID 2660 wrote to memory of 2692	2660	net.exe	32
PID 2660 wrote to memory of 2692	2660	net.exe	32
PID 2660 wrote to memory of 2692	2660	net.exe	32
PID 2840 wrote to memory of 2760	2840	cmd.exe	33
PID 2840 wrote to memory of 2760	2840	cmd.exe	33
PID 2840 wrote to memory of 2760	2840	cmd.exe	33
PID 2840 wrote to memory of 2580	2840	cmd.exe	34
PID 2840 wrote to memory of 2580	2840	cmd.exe	34
PID 2840 wrote to memory of 2580	2840	cmd.exe	34
PID 2840 wrote to memory of 2572	2840	cmd.exe	36
PID 2840 wrote to memory of 2572	2840	cmd.exe	36
PID 2840 wrote to memory of 2572	2840	cmd.exe	36
PID 2840 wrote to memory of 2600	2840	cmd.exe	37
PID 2840 wrote to memory of 2600	2840	cmd.exe	37
PID 2840 wrote to memory of 2600	2840	cmd.exe	37
PID 2840 wrote to memory of 2124	2840	cmd.exe	38
PID 2840 wrote to memory of 2124	2840	cmd.exe	38
PID 2840 wrote to memory of 2124	2840	cmd.exe	38
PID 2840 wrote to memory of 3004	2840	cmd.exe	40
PID 2840 wrote to memory of 3004	2840	cmd.exe	40
PID 2840 wrote to memory of 3004	2840	cmd.exe	40
PID 2840 wrote to memory of 2860	2840	cmd.exe	41
PID 2840 wrote to memory of 2860	2840	cmd.exe	41
PID 2840 wrote to memory of 2860	2840	cmd.exe	41
PID 2860 wrote to memory of 2104	2860	cmd.exe	42
PID 2860 wrote to memory of 2104	2860	cmd.exe	42
PID 2860 wrote to memory of 2104	2860	cmd.exe	42
PID 2840 wrote to memory of 2328	2840	cmd.exe	43
PID 2840 wrote to memory of 2328	2840	cmd.exe	43
PID 2840 wrote to memory of 2328	2840	cmd.exe	43
PID 2840 wrote to memory of 580	2840	cmd.exe	44
PID 2840 wrote to memory of 580	2840	cmd.exe	44
PID 2840 wrote to memory of 580	2840	cmd.exe	44
PID 2840 wrote to memory of 2260	2840	cmd.exe	45
PID 2840 wrote to memory of 2260	2840	cmd.exe	45
PID 2840 wrote to memory of 2260	2840	cmd.exe	45
PID 2840 wrote to memory of 2264	2840	cmd.exe	46
PID 2840 wrote to memory of 2264	2840	cmd.exe	46
PID 2840 wrote to memory of 2264	2840	cmd.exe	46
PID 2840 wrote to memory of 1600	2840	cmd.exe	47
PID 2840 wrote to memory of 1600	2840	cmd.exe	47
PID 2840 wrote to memory of 1600	2840	cmd.exe	47

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fixed_token_grabber (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get size
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  PID:2600
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2124
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan show profile
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2104
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:2328
- C:\Windows\system32\NETSTAT.EXE
  netstat -an
  2⤵
  - Gathers network information
  PID:580
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
84e5cde8d6f8da30da6f23b4f86341d7

SHA1
b8ee28471e77b36dc61ea2dc649ac1352738740f

SHA256
c29e4d6c389bafada7d258c70be0bd89a3fe94a4210f50d0f2f77d9d38c113bc

SHA512
261d164d8ddf3fe2256ad11ff83c0dbf4ecf231872a93b7daa5f2b7f2feb578bb1faffcac9fe553372aff0f6e0b85b260c0ca634586c2be53d73098014c194f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
cf0d2c2095fd8dfa4580ca51d954ea4c

SHA1
f58b98b09b530e870a669597ac5d42bbe414b753

SHA256
eaf3e00e8b3c23a16122893110bb3af795fa89d0f3911604aa48b785c5ba6810

SHA512
6255f9f9089c014db3707e40320876b3a012608eb6f6d55a5e72ad7cd4f89104309d3e2644d8fd631f8a6313d2ffda8251b6845ba84301d178d5328fcc771eda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed06a80c63115d691015b07084db7e33

SHA1
4b6078f717eb678bc51a7e2f8b097dcce9ce330e

SHA256
fc0fd623b2be27af4c18a443effb3279c4fe7db10c34b70477435506a1d93f32

SHA512
42dbd44018d67d47d1e53e892790cf0dc7c905efbd53875a26ca5d45b98a1ab37051c20498f11f55dfd67076da16aabd3089c5d3b83f5f326e01a09bc3ad5cfa

Download Submit
memory/1600-120-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1600-119-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2264-55-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/2264-54-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-8-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-13-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-11-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-9-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-10-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-4-0x000007FEF65CE000-0x000007FEF65CF000-memory.dmp

Filesize
4KB

Download
memory/2760-7-0x000007FEF6310000-0x000007FEF6CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2760-6-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2760-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download