ece1e7c9a353c726477a36d2ee79a3db1228a6d3142460f029433f29aedc233b

General

Target

test.bat
Size

1KB
MD5

81a7089c8a688fc973dea87a346a2538
SHA1

add255a1b8a15f6b6791845feafc7c8506fb5e83
SHA256

ece1e7c9a353c726477a36d2ee79a3db1228a6d3142460f029433f29aedc233b
SHA512

b6ed704846da2e887531b37b04029041927cbaf294f50629ea0795e57fb2548df80aeee73213e336f1d873cc92c4fd9d458edf09eb75412eb7d94999187c2b60

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
364	powershell.exe
3744	powershell.exe
4912	powershell.exe
1544	powershell.exe
3272	powershell.exe
672	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
1544	powershell.exe
1544	powershell.exe
1544	powershell.exe
3272	powershell.exe
3272	powershell.exe
3272	powershell.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
364	powershell.exe
364	powershell.exe
364	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
672	powershell.exe
672	powershell.exe
364	powershell.exe
364	powershell.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
672	powershell.exe
672	powershell.exe
364	powershell.exe
364	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 4912	424	cmd.exe	74
PID 424 wrote to memory of 4912	424	cmd.exe	74
PID 424 wrote to memory of 1544	424	cmd.exe	75
PID 424 wrote to memory of 1544	424	cmd.exe	75
PID 424 wrote to memory of 3272	424	cmd.exe	76
PID 424 wrote to memory of 3272	424	cmd.exe	76
PID 424 wrote to memory of 672	424	cmd.exe	77
PID 424 wrote to memory of 672	424	cmd.exe	77
PID 424 wrote to memory of 364	424	cmd.exe	78
PID 424 wrote to memory of 364	424	cmd.exe	78
PID 424 wrote to memory of 3744	424	cmd.exe	79
PID 424 wrote to memory of 3744	424	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Dostales Virusa', 'batch', 'OK', [System.Windows.Forms.MessageBoxIcon]::Error);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.Interaction]::InputBox('Wpisz swoje Haslo:', 'Box')}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('You have entered: ', '5323');}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $notify = New-Object System.Windows.Forms.NotifyIcon; $notify.Icon = [System.Drawing.SystemIcons]::Information; $notify.Visible = $true; $notify.ShowBalloonTip(0, 'Zostales Odhackowany', 'Wpisales Poprawne Haslo.', [System.Windows.Forms.ToolTipIcon]::None)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $notify = New-Object System.Windows.Forms.NotifyIcon; $notify.Icon = [System.Drawing.SystemIcons]::Information; $notify.Visible = $true; $notify.ShowBalloonTip(0, 'Windows', 'Dzieki za Uratowanie Mnie.', [System.Windows.Forms.ToolTipIcon]::None)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.Interaction]::InputBox('Wpisz swoje Haslo:', 'Box')}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
83c4d165396a8d52c62d0f9a4687717c

SHA1
050a6b76f55e468e8868e31bbc91b54e94f3bc3e

SHA256
de384fc72d8814c341ab8b8e009679dafdbd3a7ef751f1a01199a1d984a42bde

SHA512
670c8812a1635ff4fed4c26ac0198cd905e74a8f8045217a77e0447acc62ca761586ad9cb93fd3e81533ebda88bccfcfac5dbce814f193901840e85558e13ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5551ac56f33ee5c7911aa9fcc358886d

SHA1
c7cc504583256fc6df15b037d0370cc236ed6af9

SHA256
d2baaf5091404e5197d171f7b49615779347a362878e9e88ea60424c8a3122c1

SHA512
58105b83f52b816e1bd8b297cf7a79b4f95a08b055caa8be96e6fbb5005d1c15258aef303854d3b3797118eccdc725247991e6c937ee5a367bbd6e3838d662e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06a874d7b5f0ff737c8a72c7f9b600e6

SHA1
ba4e53fbf997c690753307afdd685b91783fb03b

SHA256
8195d67336c25ba11cf8184b751430b700e43d7b27b992d861386fdd2f59d0d8

SHA512
2e6569ae2c7ffcefdb4665bf600ace117ecafb80fe71b46a79dcf2928a12f048622853ee2d94bb82fcc3d2e249825186d32da6d78d0aa8509a38602a7c5f42b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f62da5c46de43d24dd3a68df49b5f509

SHA1
4153a08a1949e1f9a0a591c24816f6854a88dc2c

SHA256
7dd3cab7afa5a5ace8936b035672eacd0c1d554905031dcee5afeb0c6b0af532

SHA512
3235ba29dea0a3695f6716b783669081c01547746a6c869c14aaa6337f15944adc2510d92c36a45bc8e8151b6c2f2f1e1fd929a89464022f5925edfd3ef28d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1939ffe3483ef9b3a52d4ff745362e8f

SHA1
296c7eedb452b788905e60513f96d451aad279bf

SHA256
ecaaf1c56bf30a5fa18233c090cff780ceac85b59be2084f819293fc03bfe60c

SHA512
c22195831c901478bd7be76456de4545cf177d414a6904cb3ff2ff676cf821d68b3e3f6db8def661b454b9e48708f872f2b50af38074e30b645565582082b65f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b42ff4281e248e933206a0ba409e6e5

SHA1
e6e34b35fb643ef07ad09fb85a49f43d300f046e

SHA256
6f6329f8673c439858a882931806be7ce30a0a73c74c39dd9f6710d658f01bef

SHA512
532a8ee917c88ca19fcb2cd86a9aa79c4ec67634ca50469f294578ec7f8120b31915f9e6fb2963594e1be4e8d736bb719e469a6349bbde4ad03271a1e8592a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1hor2vu.l0f.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.tmp

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
memory/1544-79-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/1544-47-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/1544-48-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/1544-49-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/1544-83-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4912-0-0x00007FFF29BE3000-0x00007FFF29BE4000-memory.dmp

Filesize
4KB

Download
memory/4912-41-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4912-9-0x0000022723CC0000-0x0000022723D36000-memory.dmp

Filesize
472KB

Download
memory/4912-10-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4912-6-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4912-5-0x0000022723AF0000-0x0000022723B12000-memory.dmp

Filesize
136KB

Download
memory/4912-40-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing