Analysis
-
max time kernel
149s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
14-11-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
Phantom2 - Copy_obf.bat
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Phantom2 - Copy_obf.bat
Resource
win10v2004-20241007-en
General
-
Target
Phantom2 - Copy_obf.bat
-
Size
16.2MB
-
MD5
bda2645938c8be959860b1636addf5cf
-
SHA1
d490d062605c3d1dd8936786a7a8b45ea3de7de6
-
SHA256
ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8
-
SHA512
adf974710718263917622b56a8c96e0faed3798aca4102fcaf0dc0c16a7ac6d27ca132852fe4f90f4f50b9053033cf7f295a4119dfddf98e08eb9c1117d0fcde
-
SSDEEP
49152:R106pFHVz+jRObrFKnAEjhZgsCR22zEc8g+oOgsRa9y8NaivevRnQblTJ2lrGM6X:HJktN6JB
Malware Config
Signatures
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   Process
2656  powershell.exe
2656  powershell.exe
3364  powershell.exe
3364  powershell.exe
3364  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                          pid   Process
Token: SeDebugPrivilege              2656  powershell.exe
Token: SeIncreaseQuotaPrivilege      4336  WMIC.exe
Token: SeSecurityPrivilege           4336  WMIC.exe
Token: SeTakeOwnershipPrivilege      4336  WMIC.exe
Token: SeLoadDriverPrivilege         4336  WMIC.exe
Token: SeSystemProfilePrivilege      4336  WMIC.exe
Token: SeSystemtimePrivilege         4336  WMIC.exe
Token: SeProfSingleProcessPrivilege  4336  WMIC.exe
Token: SeIncBasePriorityPrivilege    4336  WMIC.exe
Token: SeCreatePagefilePrivilege     4336  WMIC.exe
Token: SeBackupPrivilege             4336  WMIC.exe
Token: SeRestorePrivilege            4336  WMIC.exe
Token: SeShutdownPrivilege           4336  WMIC.exe
Token: SeDebugPrivilege              4336  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4336  WMIC.exe
Token: SeRemoteShutdownPrivilege     4336  WMIC.exe
Token: SeUndockPrivilege             4336  WMIC.exe
Token: SeManageVolumePrivilege       4336  WMIC.exe
Token: 33                            4336  WMIC.exe
Token: 34                            4336  WMIC.exe
Token: 35                            4336  WMIC.exe
Token: 36                            4336  WMIC.exe
Token: SeIncreaseQuotaPrivilege      4336  WMIC.exe
Token: SeSecurityPrivilege           4336  WMIC.exe
Token: SeTakeOwnershipPrivilege      4336  WMIC.exe
Token: SeLoadDriverPrivilege         4336  WMIC.exe
Token: SeSystemProfilePrivilege      4336  WMIC.exe
Token: SeSystemtimePrivilege         4336  WMIC.exe
Token: SeProfSingleProcessPrivilege  4336  WMIC.exe
Token: SeIncBasePriorityPrivilege    4336  WMIC.exe
Token: SeCreatePagefilePrivilege     4336  WMIC.exe
Token: SeBackupPrivilege             4336  WMIC.exe
Token: SeRestorePrivilege            4336  WMIC.exe
Token: SeShutdownPrivilege           4336  WMIC.exe
Token: SeDebugPrivilege              4336  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4336  WMIC.exe
Token: SeRemoteShutdownPrivilege     4336  WMIC.exe
Token: SeUndockPrivilege             4336  WMIC.exe
Token: SeManageVolumePrivilege       4336  WMIC.exe
Token: 33                            4336  WMIC.exe
Token: 34                            4336  WMIC.exe
Token: 35                            4336  WMIC.exe
Token: 36                            4336  WMIC.exe
Token: SeDebugPrivilege              3364  powershell.exe
Token: SeIncreaseQuotaPrivilege      3364  powershell.exe
Token: SeSecurityPrivilege           3364  powershell.exe
Token: SeTakeOwnershipPrivilege      3364  powershell.exe
Token: SeLoadDriverPrivilege         3364  powershell.exe
Token: SeSystemProfilePrivilege      3364  powershell.exe
Token: SeSystemtimePrivilege         3364  powershell.exe
Token: SeProfSingleProcessPrivilege  3364  powershell.exe
Token: SeIncBasePriorityPrivilege    3364  powershell.exe
Token: SeCreatePagefilePrivilege     3364  powershell.exe
Token: SeBackupPrivilege             3364  powershell.exe
Token: SeRestorePrivilege            3364  powershell.exe
Token: SeShutdownPrivilege           3364  powershell.exe
Token: SeDebugPrivilege              3364  powershell.exe
Token: SeSystemEnvironmentPrivilege  3364  powershell.exe
Token: SeRemoteShutdownPrivilege     3364  powershell.exe
Token: SeUndockPrivilege             3364  powershell.exe
Token: SeManageVolumePrivilege       3364  powershell.exe
Token: 33                            3364  powershell.exe
Token: 34                            3364  powershell.exe
Token: 35                            3364  powershell.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                        pid   Process         procid_target
PID 4016 wrote to memory of 2540   4016  cmd.exe         84
PID 4016 wrote to memory of 2540   4016  cmd.exe         84
PID 4016 wrote to memory of 2656   4016  cmd.exe         85
PID 4016 wrote to memory of 2656   4016  cmd.exe         85
PID 2656 wrote to memory of 4336   2656  powershell.exe  87
PID 2656 wrote to memory of 4336   2656  powershell.exe  87
PID 4016 wrote to memory of 3444   4016  cmd.exe         93
PID 4016 wrote to memory of 3444   4016  cmd.exe         93
PID 4016 wrote to memory of 3364   4016  cmd.exe         95
PID 4016 wrote to memory of 3364   4016  cmd.exe         95
Processes
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
  - Suspicious use of WriteProcessMemory
  PID:4016
  -
  C:\Windows\system32\findstr.exe
    findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
    PID:2540
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
    -
    C:\Windows\System32\Wbem\WMIC.exe
      "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
      - Suspicious use of AdjustPrivilegeToken
      PID:4336
  -
  C:\Windows\system32\findstr.exe
    findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
    PID:3444
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD5
158a72355ea99a8bc04d0b6a380cc97c
SHA1
750fff9e378ca754a4534371e54624f7e90b796f
SHA256
c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c
SHA512
0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
186B
MD5
f375cca76665b4940a23022a0e8fd7e8
SHA1
bb9aeb111e067904c48a2b82b8f5482eaf290b8f
SHA256
99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348
SHA512
d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022