97ecb8217d2c20b00045fc10351bd554c1b346fd8aad64aea8aae3ee0db230e4

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

update-vita3k.bat
Size

2KB
MD5

3835ec952c7985bf0768658aacb6123d
SHA1

c86f211d67eb44dbed940746289f7a50a6396c8a
SHA256

8329ef6dcb8d266a0cbb722bdccdf582a59ef4fa034cf1617a8b44c6c66247a6
SHA512

9b11c5c0cea3644346680aecb581fcd5520c52713d66863cb249e8a2971c9c0997c45461e63b8490342b2faf332b7d2c397f0821e201bab45edd6f01801f738c

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	4072	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4072	powershell.exe
3300	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4824	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4072	powershell.exe
4072	powershell.exe
3300	powershell.exe
3300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4824	4948	cmd.exe	87
PID 4948 wrote to memory of 4824	4948	cmd.exe	87
PID 4948 wrote to memory of 3240	4948	cmd.exe	88
PID 4948 wrote to memory of 3240	4948	cmd.exe	88
PID 3240 wrote to memory of 4072	3240	cmd.exe	89
PID 3240 wrote to memory of 4072	3240	cmd.exe	89
PID 4948 wrote to memory of 1980	4948	cmd.exe	91
PID 4948 wrote to memory of 1980	4948	cmd.exe	91
PID 1980 wrote to memory of 3300	1980	cmd.exe	92
PID 1980 wrote to memory of 3300	1980	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\update-vita3k.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell "((Invoke-RestMethod https://api.github.com/repos/Vita3K/Vita3K/releases/latest -timeout 2).body.Split("\"`n"\") | Select-String -Pattern 'Vita3K Build:') -replace 'Vita3K Build: '"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "((Invoke-RestMethod https://api.github.com/repos/Vita3K/Vita3K/releases/latest -timeout 2).body.Split("\"`n"\") | Select-String -Pattern 'Vita3K Build:') -replace 'Vita3K Build: '"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell "((Get-Item Vita3K.exe).VersionInfo.FileVersion) -replace '0.2.0.'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "((Get-Item Vita3K.exe).VersionInfo.FileVersion) -replace '0.2.0.'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
eb84cf3992100584ad60675ff8fc1867

SHA1
ebae74210a6d72320fd424f4da9328967f6ded48

SHA256
27983f75d9518ed67a5a274c97cbecbf881d4e5d766e6019f53eed0ea7fa5486

SHA512
8722b9df8114f19f64cf7ba266991fe7a3056183006ebedbdfa9fb4d49398e5626093006648cb5685b3f84bd44f3fd0d9c8a487e9d1fc4fe6d55dd000b2ce55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e4107f0d34f6098c25c6f2b88da5863

SHA1
f65553d3d9f60229cd851962cf5c87619777dd89

SHA256
ab0fb6d70fdd608deefa81402895ccaccd72c9bdb6787bde70ebdd2e8031f567

SHA512
179d87d4a4f71fdb38ee79812b450e1f99f544244c3cd5bca7492a19a7fbac2cb7951b9ddeb5cff36d87ff48f724d213a64ade4a6f641d2c073714c8a2e650fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbid0mvk.env.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4072-0-0x00007FFC99DD3000-0x00007FFC99DD5000-memory.dmp

Filesize
8KB

Download
memory/4072-6-0x0000027E5AFC0000-0x0000027E5AFE2000-memory.dmp

Filesize
136KB

Download
memory/4072-11-0x00007FFC99DD0000-0x00007FFC9A891000-memory.dmp

Filesize
10.8MB

Download
memory/4072-12-0x00007FFC99DD0000-0x00007FFC9A891000-memory.dmp

Filesize
10.8MB

Download
memory/4072-13-0x0000027E5D810000-0x0000027E5D9D2000-memory.dmp

Filesize
1.8MB

Download
memory/4072-14-0x0000027E5DF10000-0x0000027E5E438000-memory.dmp

Filesize
5.2MB

Download
memory/4072-17-0x00007FFC99DD0000-0x00007FFC9A891000-memory.dmp

Filesize
10.8MB

Download