Analysis Overview
SHA256
ebad20cc8d48bd94efb0d4a01850cc14c9618a1a01b28cb4e88fd889161d2de8
Threat Level: Likely benign
The file Phantom2 - Copy_obf.bat was found to be: Likely benign.
This verdict covers only what executed in this detonation. The process list below shows the batch repeatedly fingerprinting the host (disk model via `wmic diskdrive get model`, installed RAM below 4 GB via Win32_PhysicalMemory, the string "Virtual" in the Win32_ComputerSystem model, and the system manufacturer) and terminating cmd.exe when a check matches, so any later stage may simply not have run inside the sandbox.
Malicious Activity Summary
Hide Artifacts: Ignore Process Interrupts
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 02:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 02:03
Reported
2024-11-14 02:06
Platform
win7-20241023-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
Hide Artifacts: Ignore Process Interrupts
Command and Scripting Interpreter: PowerShell
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
The WMIC.exe rows repeat for each of the WMIC launches and list the privileges that wmic.exe enables in its own token at startup, so they reflect how the tool works rather than anything the script requested; the three unnamed entries 33, 34 and 35 are the LUIDs of SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The powershell.exe rows are all SeDebugPrivilege and correspond to the PowerShell one-liners that enumerate and kill processes (taskkill / Stop-Process).
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes (each entry is the image path followed by the command line as recorded)
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\mshta.exe
mshta
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\mshta.exe
mshta
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\doskey.exe
doskey GRAFTABL=BCDBOOT
C:\Windows\system32\doskey.exe
doskey GRAFTABL=START
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\mshta.exe
mshta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\doskey.exe
doskey COMP=SYSTEMINFO
C:\Windows\system32\doskey.exe
doskey CHKNTFS=CONVERT
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\doskey.exe
doskey MORE=REM
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\doskey.exe
doskey DIR=TITLE
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\doskey.exe
doskey FSUTIL=MOVE
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\doskey.exe
doskey SORT=SCHTASKS
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\system32\doskey.exe
doskey SCHTASKS=ICACLS
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\doskey.exe
doskey GOTO=FTYPE
C:\Windows\system32\mshta.exe
mshta
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\doskey.exe
doskey BCDBOOT=SYSTEMINFO
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\doskey.exe
doskey MORE=DATE
C:\Windows\system32\doskey.exe
doskey GPRESULT=ICACLS
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\mshta.exe
mshta
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\doskey.exe
doskey CHKDSK=SETLOCAL
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\system32\rundll32.exe
rundll32
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\system32\doskey.exe
doskey RMDIR=TYPE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\mshta.exe
mshta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\mshta.exe
mshta
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\mshta.exe
mshta
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\doskey.exe
doskey POPD=MD
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\system32\doskey.exe
doskey VOL=DRIVERQUERY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
Network
Files
C:\Users\Admin\AppData\Local\Temp\kdotRfBxts.bat
| MD5 | f375cca76665b4940a23022a0e8fd7e8 |
| SHA1 | bb9aeb111e067904c48a2b82b8f5482eaf290b8f |
| SHA256 | 99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348 |
| SHA512 | d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d46607893f2ad5bbc69187a8827f86ac |
| SHA1 | a886dc984c2773ec495e2e545db208b9a08470fb |
| SHA256 | 136c507359e5f3af9a8abb7d2f959ad25a419e534720efdc52c6529d98e0f853 |
| SHA512 | ed7621628731ecc58a89a37110e8b0b012b65141627e64feb9ab5944d901a5f0afa77939642404fd4fc4c3d8b69d72a941e8030d1f2629a9d617b80657d9dd2d |
C:\Users\Admin\AppData\Local\Temp\kdotjdyEW.bat
| MD5 | 337065424ed27284c55b80741f912713 |
| SHA1 | 0e99e1b388ae66a51a8ffeee3448c3509a694db8 |
| SHA256 | 4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b |
| SHA512 | d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a |
C:\Users\Admin\AppData\Local\Temp\kdotjdyEW.bat
| MD5 | f5a71fdb6b1326188878f569079e6d7b |
| SHA1 | 64536a07da7123953acc29f084560fcabbb1d021 |
| SHA256 | 8be55d45bdd197eea902588aae2b92c6da33257a9b35778c2456883dd8e441f1 |
| SHA512 | 68c01c9ef6169bf56800df80695394959056ed0c3b6382ed9c3f2936082a79baba5c8287990662386f8ce0bd12006bc17cf4a6f9c99c4a92d82ba13faa7cfa8f |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 02:03
Reported
2024-11-14 02:06
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Phantom2 - Copy_obf.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\kdotRfBxts.bat
| MD5 | f375cca76665b4940a23022a0e8fd7e8 |
| SHA1 | bb9aeb111e067904c48a2b82b8f5482eaf290b8f |
| SHA256 | 99c7b4b4733744862f445ea9a4737abef02aff1d5d9ad5cafdbd1a9965b21348 |
| SHA512 | d76d78abdc2931083dce35471c4a23cbd88f47bbb4e5f69975e921de4cb0f64f1ff16c2fe4261407ce3ef6b7caa5fb5382841360bfb4827651be43816950c022 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxbzpgqo.lyb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 158a72355ea99a8bc04d0b6a380cc97c |
| SHA1 | 750fff9e378ca754a4534371e54624f7e90b796f |
| SHA256 | c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c |
| SHA512 | 0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545 |