4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 06:22

Target

Files/Apps/git.bat
Size

634B
MD5

b038cfe94c61d0c4fafd3980c02b7ee5
SHA1

51a5a125614a2aab749db78d1c1541a496b2d146
SHA256

0c3002057247aaf88ae0d16f34021f5e9dc78a6da49f26e3e163089f7e912f85
SHA512

02ee574a0bc3a36798a3a1729a16cfaaccec3c65fe54317680b2553b83ec316a927baeb4447d308366da49168dcbd44043ee6195424ac50feed546d995b83c67

Score

8^/10

execution

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1156 powershell.exe
2696 powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2680 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1156 powershell.exe
2696 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1156 powershell.exe
Token: SeDebugPrivilege 2696 powershell.exe

pid	process
1156	powershell.exe
2696	powershell.exe

pid	process
2680	timeout.exe

pid	process
1156	powershell.exe
2696	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 2448	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 2448	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 2448	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 2468	1172	cmd.exe	fltMC.exe
PID 1172 wrote to memory of 2468	1172	cmd.exe	fltMC.exe
PID 1172 wrote to memory of 2468	1172	cmd.exe	fltMC.exe
PID 1172 wrote to memory of 1156	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 1156	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 1156	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 2696	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 2696	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 2696	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 2680	1172	cmd.exe	timeout.exe
PID 1172 wrote to memory of 2680	1172	cmd.exe	timeout.exe
PID 1172 wrote to memory of 2680	1172	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\git.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2448
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest -Uri https://github.com/git-for-windows/git/releases/download/v2.41.0.windows.1/Git-2.41.0-64-bit.exe -OutFile $env:USERPROFILE\Downloads\Git-2.41.0-64-bit.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Start-Process -FilePath "$env:USERPROFILE\Downloads\Git-2.41.0-64-bit.exe" -ArgumentList "/SILENT" -NoNewWindow -Wait
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2680

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c969df2718145e6bf401a18b2b93fc6f

SHA1
82480e38f7d5ddc17175468d7ac73052d15e6ca4

SHA256
bfe3c2e1b23661c3bd88daead2fedf730e428c0adc372efd4289b60a6935c908

SHA512
5d57a52d3d98c927c2c5c8f2d3be57d42392ad5ca95e4a721ed322a3ccbcc726bff2b67083925f5caf5bcbb8a8103bd79117d8de0156f2702222412fd680f134

Download Submit
memory/1156-4-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

Filesize
4KB

Download
memory/1156-6-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-5-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1156-7-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1156-8-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-9-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-10-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-11-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/1156-12-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-18-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2696-19-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download