33dcd95439638e981fb1a579d46e07c95ab4fcd51b099465732b61bbfbc57ad8

Analysis

max time kernel
2s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.bat
Size

48KB
MD5

2fff45d947f58d67c63dc9b53ddc535a
SHA1

79e4493ee40668cf28739e2248daabb5c0d046d6
SHA256

33dcd95439638e981fb1a579d46e07c95ab4fcd51b099465732b61bbfbc57ad8
SHA512

9d76ead4884852184ad6f97c469efc39574e9ff954de61afab3d7fd766c868073f49cdf85a8107de4a190be6c89f9755b45d697f46deb51afe6ec210501514ba
SSDEEP

768:PXUP8yKxipykF7v5U43la1x29No+HsFTPl:fUPsmspl

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4876	3420	cmd.exe	79
PID 3420 wrote to memory of 4876	3420	cmd.exe	79
PID 3420 wrote to memory of 2800	3420	cmd.exe	80
PID 3420 wrote to memory of 2800	3420	cmd.exe	80
PID 3420 wrote to memory of 3832	3420	cmd.exe	81
PID 3420 wrote to memory of 3832	3420	cmd.exe	81
PID 3420 wrote to memory of 1668	3420	cmd.exe	82
PID 3420 wrote to memory of 1668	3420	cmd.exe	82
PID 3420 wrote to memory of 4008	3420	cmd.exe	83
PID 3420 wrote to memory of 4008	3420	cmd.exe	83
PID 3420 wrote to memory of 3516	3420	cmd.exe	84
PID 3420 wrote to memory of 3516	3420	cmd.exe	84
PID 3420 wrote to memory of 3148	3420	cmd.exe	85
PID 3420 wrote to memory of 3148	3420	cmd.exe	85
PID 3420 wrote to memory of 996	3420	cmd.exe	86
PID 3420 wrote to memory of 996	3420	cmd.exe	86
PID 3420 wrote to memory of 3104	3420	cmd.exe	87
PID 3420 wrote to memory of 3104	3420	cmd.exe	87
PID 3420 wrote to memory of 4292	3420	cmd.exe	88
PID 3420 wrote to memory of 4292	3420	cmd.exe	88
PID 3420 wrote to memory of 864	3420	cmd.exe	89
PID 3420 wrote to memory of 864	3420	cmd.exe	89
PID 3420 wrote to memory of 1224	3420	cmd.exe	90
PID 3420 wrote to memory of 1224	3420	cmd.exe	90
PID 3420 wrote to memory of 3704	3420	cmd.exe	91
PID 3420 wrote to memory of 3704	3420	cmd.exe	91
PID 3420 wrote to memory of 4232	3420	cmd.exe	92
PID 3420 wrote to memory of 4232	3420	cmd.exe	92
PID 3420 wrote to memory of 1600	3420	cmd.exe	93
PID 3420 wrote to memory of 1600	3420	cmd.exe	93
PID 3420 wrote to memory of 3936	3420	cmd.exe	94
PID 3420 wrote to memory of 3936	3420	cmd.exe	94
PID 3420 wrote to memory of 4148	3420	cmd.exe	95
PID 3420 wrote to memory of 4148	3420	cmd.exe	95
PID 3420 wrote to memory of 4516	3420	cmd.exe	96
PID 3420 wrote to memory of 4516	3420	cmd.exe	96
PID 3420 wrote to memory of 3688	3420	cmd.exe	97
PID 3420 wrote to memory of 3688	3420	cmd.exe	97
PID 3420 wrote to memory of 3732	3420	cmd.exe	98
PID 3420 wrote to memory of 3732	3420	cmd.exe	98
PID 3420 wrote to memory of 1580	3420	cmd.exe	99
PID 3420 wrote to memory of 1580	3420	cmd.exe	99
PID 3420 wrote to memory of 3024	3420	cmd.exe	100
PID 3420 wrote to memory of 3024	3420	cmd.exe	100
PID 3420 wrote to memory of 3348	3420	cmd.exe	101
PID 3420 wrote to memory of 3348	3420	cmd.exe	101
PID 3420 wrote to memory of 1088	3420	cmd.exe	102
PID 3420 wrote to memory of 1088	3420	cmd.exe	102
PID 3420 wrote to memory of 1084	3420	cmd.exe	103
PID 3420 wrote to memory of 1084	3420	cmd.exe	103
PID 3420 wrote to memory of 1616	3420	cmd.exe	104
PID 3420 wrote to memory of 1616	3420	cmd.exe	104
PID 3420 wrote to memory of 4896	3420	cmd.exe	105
PID 3420 wrote to memory of 4896	3420	cmd.exe	105
PID 3420 wrote to memory of 3620	3420	cmd.exe	106
PID 3420 wrote to memory of 3620	3420	cmd.exe	106
PID 3420 wrote to memory of 4404	3420	cmd.exe	107
PID 3420 wrote to memory of 4404	3420	cmd.exe	107
PID 3420 wrote to memory of 2332	3420	cmd.exe	108
PID 3420 wrote to memory of 2332	3420	cmd.exe	108
PID 3420 wrote to memory of 4652	3420	cmd.exe	109
PID 3420 wrote to memory of 4652	3420	cmd.exe	109
PID 3420 wrote to memory of 2148	3420	cmd.exe	110
PID 3420 wrote to memory of 2148	3420	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\download.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\system32\cmd.exe
  cmd /c exit 97
  2⤵
  PID:4876
- C:\Windows\system32\cmd.exe
  cmd /c exit 98
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  cmd /c exit 99
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  cmd /c exit 100
  2⤵
  PID:1668
- C:\Windows\system32\cmd.exe
  cmd /c exit 101
  2⤵
  PID:4008
- C:\Windows\system32\cmd.exe
  cmd /c exit 102
  2⤵
  PID:3516
- C:\Windows\system32\cmd.exe
  cmd /c exit 103
  2⤵
  PID:3148
- C:\Windows\system32\cmd.exe
  cmd /c exit 104
  2⤵
  PID:996
- C:\Windows\system32\cmd.exe
  cmd /c exit 105
  2⤵
  PID:3104
- C:\Windows\system32\cmd.exe
  cmd /c exit 106
  2⤵
  PID:4292
- C:\Windows\system32\cmd.exe
  cmd /c exit 107
  2⤵
  PID:864
- C:\Windows\system32\cmd.exe
  cmd /c exit 108
  2⤵
  PID:1224
- C:\Windows\system32\cmd.exe
  cmd /c exit 109
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  cmd /c exit 110
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd /c exit 111
  2⤵
  PID:1600
- C:\Windows\system32\cmd.exe
  cmd /c exit 112
  2⤵
  PID:3936
- C:\Windows\system32\cmd.exe
  cmd /c exit 113
  2⤵
  PID:4148
- C:\Windows\system32\cmd.exe
  cmd /c exit 114
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  cmd /c exit 115
  2⤵
  PID:3688
- C:\Windows\system32\cmd.exe
  cmd /c exit 116
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  cmd /c exit 117
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  cmd /c exit 118
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  cmd /c exit 119
  2⤵
  PID:3348
- C:\Windows\system32\cmd.exe
  cmd /c exit 120
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  cmd /c exit 121
  2⤵
  PID:1084
- C:\Windows\system32\cmd.exe
  cmd /c exit 122
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  cmd /c exit 65
  2⤵
  PID:4896
- C:\Windows\system32\cmd.exe
  cmd /c exit 66
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  cmd /c exit 67
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  cmd /c exit 68
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  cmd /c exit 69
  2⤵
  PID:4652
- C:\Windows\system32\cmd.exe
  cmd /c exit 70
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  cmd /c exit 71
  2⤵
  PID:2944
- C:\Windows\system32\cmd.exe
  cmd /c exit 72
  2⤵
  PID:4804
- C:\Windows\system32\cmd.exe
  cmd /c exit 73
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd /c exit 74
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  cmd /c exit 75
  2⤵
  PID:4940
- C:\Windows\system32\cmd.exe
  cmd /c exit 76
  2⤵
  PID:280
- C:\Windows\system32\cmd.exe
  cmd /c exit 77
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  cmd /c exit 78
  2⤵
  PID:4104
- C:\Windows\system32\cmd.exe
  cmd /c exit 79
  2⤵
  PID:1044
- C:\Windows\system32\cmd.exe
  cmd /c exit 80
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  cmd /c exit 81
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  cmd /c exit 82
  2⤵
  PID:2848
- C:\Windows\system32\cmd.exe
  cmd /c exit 83
  2⤵
  PID:5060
- C:\Windows\system32\cmd.exe
  cmd /c exit 84
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  cmd /c exit 85
  2⤵
  PID:1244
- C:\Windows\system32\cmd.exe
  cmd /c exit 86
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  cmd /c exit 87
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  cmd /c exit 88
  2⤵
  PID:2076
- C:\Windows\system32\cmd.exe
  cmd /c exit 89
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  cmd /c exit 90
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  cmd /c exit 48
  2⤵
  PID:4396
- C:\Windows\system32\cmd.exe
  cmd /c exit 49
  2⤵
  PID:4760
- C:\Windows\system32\cmd.exe
  cmd /c exit 50
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  cmd /c exit 51
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  cmd /c exit 52
  2⤵
  PID:1508
- C:\Windows\system32\cmd.exe
  cmd /c exit 53
  2⤵
  PID:2152
- C:\Windows\system32\cmd.exe
  cmd /c exit 54
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd /c exit 55
  2⤵
  PID:604
- C:\Windows\system32\cmd.exe
  cmd /c exit 56
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  cmd /c exit 57
  2⤵
  PID:2444
- C:\Windows\system32\cmd.exe
  cmd /c exit 123
  2⤵
  PID:764
- C:\Windows\system32\cmd.exe
  cmd /c exit 125
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  cmd /c exit 63
  2⤵
  PID:1648
- C:\Windows\system32\cmd.exe
  cmd /c exit 58
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  cmd /c exit 46
  2⤵
  PID:3372
- C:\Windows\system32\cmd.exe
  cmd /c exit 61
  2⤵
  PID:4708
- C:\Windows\system32\cmd.exe
  cmd /c exit 44
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  cmd /c exit 95
  2⤵
  PID:4624
- C:\Windows\system32\cmd.exe
  cmd /c exit 45
  2⤵
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuf3ooyn.k2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2324-0-0x000001F1D5D00000-0x000001F1D5D22000-memory.dmp

Filesize
136KB

Download