4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 06:22

Target

Files/Apps/fastfetch.bat
Size

375B
MD5

ee8a03fcbbfb22f1d163049207579c43
SHA1

8d5f8aedc16d9840e71217bc65d3a6b49416c73a
SHA256

b47a0737e02f77f70b6686f9c8de6f669586ed4e13d4f6d985d7097207601209
SHA512

9cbeede49c420fee887513f285a3c4b4e358b180a4f544366dc6cc624dd59f707a6f4f1fb5dd1b149def44b9b9c3659ed73046a38258575c91fc8cf1ca6eb187

Score

6^/10

execution

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2804 powershell.exe
2744 powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2664 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2804 powershell.exe
2744 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2804 powershell.exe
Token: SeDebugPrivilege 2744 powershell.exe

pid	process
2804	powershell.exe
2744	powershell.exe

pid	process
2664	timeout.exe

pid	process
2804	powershell.exe
2744	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2260 wrote to memory of 2800	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 2800	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 2800	2260	cmd.exe	cmd.exe
PID 2260 wrote to memory of 2804	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2804	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2804	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2744	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2744	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2744	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2664	2260	cmd.exe	timeout.exe
PID 2260 wrote to memory of 2664	2260	cmd.exe	timeout.exe
PID 2260 wrote to memory of 2664	2260	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\fastfetch.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "iwr -useb get.scoop.sh | iex"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2664

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SIYT49OVOUTPAPO2LM0L.temp

Filesize
7KB

MD5
cbc43218d0808112b8f6af14ed97366d

SHA1
b591a548ee253c7ba2cdd9d53f9a6566faa953e0

SHA256
810a4190f7ba03aba6f79689448ee5397d3c259c0bf1e971a31d63b225299bbb

SHA512
45d20165eb2c295f847a5d0e6773f218bdef7c66c932521204bc48e243dae30f91ba84504051b8197a90ea0c8770baaa7a8beedd5241105a731e1da0bbd0638d

Download Submit
memory/2744-19-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2744-18-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

Filesize
4KB

Download
memory/2804-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2804-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2804-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-10-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-11-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-12-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download