Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 02:03

General

  • Target

    Phantom2 - Copy_obf.bat

  • Size

    16.2MB

  • MD5

    bda2645938c8be959860b1636addf5cf

  • SHA1

    d490d062605c3d1dd8936786a7a8b45ea3de7de6

  • SHA256

    ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8

  • SHA512

    adf974710718263917622b56a8c96e0faed3798aca4102fcaf0dc0c16a7ac6d27ca132852fe4f90f4f50b9053033cf7f295a4119dfddf98e08eb9c1117d0fcde

  • SSDEEP

    49152:R106pFHVz+jRObrFKnAEjhZgsCR22zEc8g+oOgsRa9y8NaivevRnQblTJ2lrGM6X:HJktN6JB

Score
4/10

Malware Config

Signatures

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
      2⤵
        PID:2540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\System32\Wbem\WMIC.exe
          "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4336
      • C:\Windows\system32\findstr.exe
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
        2⤵
          PID:3444
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
          2⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3364

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        158a72355ea99a8bc04d0b6a380cc97c

        SHA1

        750fff9e378ca754a4534371e54624f7e90b796f

        SHA256

        c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c

        SHA512

        0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxbzpgqo.lyb.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\kdotRfBxts.bat

        Filesize

        186B

        MD5

        f375cca76665b4940a23022a0e8fd7e8

        SHA1

        bb9aeb111e067904c48a2b82b8f5482eaf290b8f

        SHA256

        99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348

        SHA512

        d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022

      • memory/2656-11-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

        Filesize

        8KB

      • memory/2656-12-0x000001F05B510000-0x000001F05B532000-memory.dmp

        Filesize

        136KB

      • memory/2656-22-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

        Filesize

        10.8MB

      • memory/2656-23-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

        Filesize

        10.8MB

      • memory/2656-26-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

        Filesize

        10.8MB

      • memory/3364-49-0x000001C0F84B0000-0x000001C0F84DA000-memory.dmp

        Filesize

        168KB

      • memory/3364-50-0x000001C0F84B0000-0x000001C0F84D4000-memory.dmp

        Filesize

        144KB