Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 06:07

General

  • Target

    easy-service-1.0.11/bin/register-this-path.win10.bat

  • Size

    77B

  • MD5

    3e136a9b9973643280cb3152412a58bf

  • SHA1

    784625d88b16b076c9a6c0e179bd02b06d6716a8

  • SHA256

    4d336d48ddb64566d990d74702d4b6a7cd4d3c093dae95e7e6bfb23ee9482f5d

  • SHA512

    b56292e56d4d2a5e5525854a71b67db11cb3f6a79acce89cd14e5c90de4ba9bf6ee332557a50c0ee01e020d292712b3e087fbf0156fed3641bfeaf25e4c5a33a

Score
6/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\easy-service-1.0.11\bin\register-this-path.win10.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Start-Process .\register-this-path.bat -Verb RunAs"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\easy-service-1.0.11\bin\register-this-path.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -c [Environment]::SetEnvironmentVariable('Path',[Environment]::GetEnvironmentVariable('Path','Machine')+';C:\Users\Admin\AppData\Local\Temp\easy-service-1.0.11\bin\','Machine')
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ACXXYAO944ZU949J7JKX.temp

    Filesize

    7KB

    MD5

    e6535dd2313ebbb73d853cc171f6e616

    SHA1

    9f413d6d5f227d6894412909af491564195625d3

    SHA256

    8934676afe43e5027451bfcf5b35c3b2505722018b0969db55fa0d58acf61f09

    SHA512

    6894c2b524d62363cb8996900eb585056fdfd95e5032612810dc53b4f77d1a13803d0e5eb678c5a36060d61ea589d7326cbd24bca02149483d35273971fffe03

  • memory/2712-4-0x000007FEF5A0E000-0x000007FEF5A0F000-memory.dmp

    Filesize

    4KB

  • memory/2712-5-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2712-7-0x0000000001F40000-0x0000000001F48000-memory.dmp

    Filesize

    32KB

  • memory/2712-6-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2712-8-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2712-9-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2712-11-0x0000000002DCB000-0x0000000002E32000-memory.dmp

    Filesize

    412KB

  • memory/2712-10-0x000007FEF5750000-0x000007FEF60ED000-memory.dmp

    Filesize

    9.6MB