a3d66398045b5d0e1af48194f591bfb0cd2a2b51ddf2fbd93def502c6a0d989b

Analysis

max time kernel
1562s
max time network
1563s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/Install_Auto.bat
Size

481B
MD5

4a2fc5b639477dd1c96cd75e09638a57
SHA1

f9bf0cd572a26b0f3cb150952f28dee107699b87
SHA256

50159f10ba5ff9bd70a553acd689f26bd980555c2d9cdb68f42b5f3d3b7fd351
SHA512

8bf2924c22645931f270b4ef7d41897cdbb9eb8df26f6d9e973acd7be6a2739bb9ac061124fe8bc3b9cfe7910e86c9b99545fda24b80f6f5b4b3c943e7662e0f

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1948 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1948 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1948 powershell.exe

pid	process
1948	powershell.exe

pid	process
1948	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2936 wrote to memory of 1948	2936	cmd.exe	powershell.exe
PID 2936 wrote to memory of 1948	2936	cmd.exe	powershell.exe
PID 2936 wrote to memory of 1948	2936	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\Install_Auto.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "&{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12}; """"& { $((Invoke-WebRequest -UseBasicParsing 'https://raw.githubusercontent.com/amd64fox/SpotX/main/Install.ps1').Content)} -confirm_uninstall_ms_spoti -confirm_spoti_recomended_over -podcasts_off -block_update_on -start_spoti -new_theme -adsections_off -lyrics_stat spotify """" | Invoke-Expression"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-4-0x000007FEF5CBE000-0x000007FEF5CBF000-memory.dmp

Filesize
4KB

Download
memory/1948-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1948-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1948-7-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-8-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-9-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-10-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-11-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download