21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YENB0G9CNCEL.bat
Size

1KB
MD5

0850bed86b58f6cc688a9bdc572cbb09
SHA1

4231a90ab16aa0486d28a07797977154c0407db6
SHA256

21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d
SHA512

75c7cc7977e4e641b02c7dea16dd4b0d11d1b867401cd11900d38b62698d3614125576d6ba1156d8e4843b19d081ce7399f9aa6e3539bf7f2692727d43d1578d

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
292	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
292	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	292	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 292	2296	cmd.exe	29
PID 2296 wrote to memory of 292	2296	cmd.exe	29
PID 2296 wrote to memory of 292	2296	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\YENB0G9CNCEL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "& 'C:\Users\Admin\Downloads\yenisc.ps1'; & 'C:\Users\Admin\Downloads\yenisc2.ps1'; Start-Sleep -Seconds 6; & 'C:\Users\Admin\Downloads\yenisc.ps1'; & 'C:\Users\Admin\Downloads\yenisc2.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/292-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/292-6-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/292-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/292-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/292-7-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/292-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/292-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download