Overview

overview

6

Static

static

3

easy-servi...et.dll

windows7-x64

1

easy-servi...et.dll

windows10-2004-x64

1

easy-servi...th.bat

windows7-x64

6

easy-servi...th.bat

windows10-2004-x64

6

easy-servi...10.bat

windows7-x64

6

easy-servi...10.bat

windows10-2004-x64

6

easy-servi...vc.exe

windows7-x64

1

easy-servi...vc.exe

windows10-2004-x64

1

easy-servi...er.exe

windows7-x64

1

easy-servi...er.exe

windows10-2004-x64

1

easy-servi...dex.js

windows7-x64

3

easy-servi...dex.js

windows10-2004-x64

3

easy-servi...ain.py

windows7-x64

3

easy-servi...ain.py

windows10-2004-x64

3

easy-servi...onf.js

windows7-x64

3

easy-servi...onf.js

windows10-2004-x64

3

easy-servi...ibs.js

windows7-x64

3

easy-servi...ibs.js

windows10-2004-x64

3

easy-servi...ain.js

windows7-x64

3

easy-servi...ain.js

windows10-2004-x64

3

easy-servi...ger.js

windows7-x64

3

easy-servi...ger.js

windows10-2004-x64

3

easy-servi...ker.js

windows7-x64

3

easy-servi...ker.js

windows10-2004-x64

3

easy-servi...ils.js

windows7-x64

3

easy-servi...ils.js

windows10-2004-x64

3

easy-servi...ker.js

windows7-x64

3

easy-servi...ker.js

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2024, 06:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    easy-service-1.0.11/bin/register-this-path.win10.bat

  • Size

    77B

  • MD5

    3e136a9b9973643280cb3152412a58bf

  • SHA1

    784625d88b16b076c9a6c0e179bd02b06d6716a8

  • SHA256

    4d336d48ddb64566d990d74702d4b6a7cd4d3c093dae95e7e6bfb23ee9482f5d

  • SHA512

    b56292e56d4d2a5e5525854a71b67db11cb3f6a79acce89cd14e5c90de4ba9bf6ee332557a50c0ee01e020d292712b3e087fbf0156fed3641bfeaf25e4c5a33a

Score
6/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

    execution
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\easy-service-1.0.11\bin\register-this-path.win10.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c "Start-Process .\register-this-path.bat -Verb RunAs"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\easy-service-1.0.11\bin\register-this-path.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -c [Environment]::SetEnvironmentVariable('Path',[Environment]::GetEnvironmentVariable('Path','Machine')+';C:\Users\Admin\AppData\Local\Temp\easy-service-1.0.11\bin\','Machine')
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3660

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          5caad758326454b5788ec35315c4c304

          SHA1

          3aef8dba8042662a7fcf97e51047dc636b4d4724

          SHA256

          83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

          SHA512

          4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxchvavn.b2p.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/3660-17-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3660-18-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3660-29-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3660-31-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5064-0-0x00007FFB82543000-0x00007FFB82545000-memory.dmp

          Filesize

          8KB

          Download

        • memory/5064-10-0x00000267E6870000-0x00000267E6892000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5064-11-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5064-12-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5064-15-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

          Filesize

          10.8MB

          Download