97204d49168280a7c4a832be54bd34be68a52e8746ce3299cba87a0366e19da0

Analysis

max time kernel
81s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kira yoshikagelover.bat
Size

149B
MD5

3c25714082661f8c7df733af6c5d0c8b
SHA1

580d6209eb22f3a096ede54dc2f926c7e26f8814
SHA256

97204d49168280a7c4a832be54bd34be68a52e8746ce3299cba87a0366e19da0
SHA512

f7070a035606e213c4103c07b37d49e506931b97e987ff4f64977f63b12d7086ae764651cde140c5896609a00d5650c52ec62e2fa1ae4b8d952353442370c243

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\ny4hum.exe	cmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	2440	WerFault.exe	71

Kills process with taskkill 4 IoCs

evasion

pid	Process
4996	taskkill.exe
1316	taskkill.exe
4392	taskkill.exe
2528	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
716	tskill.exe
716	tskill.exe
4360	tskill.exe
4360	tskill.exe
1508	tskill.exe
1508	tskill.exe
3820	tskill.exe
3820	tskill.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1316	4904	cmd.exe	94
PID 4904 wrote to memory of 1316	4904	cmd.exe	94
PID 4904 wrote to memory of 716	4904	cmd.exe	95
PID 4904 wrote to memory of 716	4904	cmd.exe	95
PID 4904 wrote to memory of 680	4904	cmd.exe	96
PID 4904 wrote to memory of 680	4904	cmd.exe	96
PID 680 wrote to memory of 1956	680	net.exe	97
PID 680 wrote to memory of 1956	680	net.exe	97
PID 4904 wrote to memory of 4392	4904	cmd.exe	98
PID 4904 wrote to memory of 4392	4904	cmd.exe	98
PID 4904 wrote to memory of 4360	4904	cmd.exe	99
PID 4904 wrote to memory of 4360	4904	cmd.exe	99
PID 4904 wrote to memory of 1900	4904	cmd.exe	100
PID 4904 wrote to memory of 1900	4904	cmd.exe	100
PID 1900 wrote to memory of 2772	1900	net.exe	101
PID 1900 wrote to memory of 2772	1900	net.exe	101
PID 4904 wrote to memory of 2528	4904	cmd.exe	102
PID 4904 wrote to memory of 2528	4904	cmd.exe	102
PID 4904 wrote to memory of 1508	4904	cmd.exe	103
PID 4904 wrote to memory of 1508	4904	cmd.exe	103
PID 4904 wrote to memory of 4344	4904	cmd.exe	104
PID 4904 wrote to memory of 4344	4904	cmd.exe	104
PID 4344 wrote to memory of 4020	4344	net.exe	105
PID 4344 wrote to memory of 4020	4344	net.exe	105
PID 4904 wrote to memory of 4996	4904	cmd.exe	106
PID 4904 wrote to memory of 4996	4904	cmd.exe	106
PID 4904 wrote to memory of 3820	4904	cmd.exe	107
PID 4904 wrote to memory of 3820	4904	cmd.exe	107
PID 4904 wrote to memory of 1700	4904	cmd.exe	108
PID 4904 wrote to memory of 1700	4904	cmd.exe	108
PID 1700 wrote to memory of 2876	1700	net.exe	109
PID 1700 wrote to memory of 2876	1700	net.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kira yoshikagelover.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\taskkill.exe
  taskkill explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1316
- C:\Windows\system32\tskill.exe
  tskill explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Windows\system32\net.exe
  net user /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add
    3⤵
    PID:1956
- C:\Windows\system32\taskkill.exe
  taskkill explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4392
- C:\Windows\system32\tskill.exe
  tskill explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Windows\system32\net.exe
  net user /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add
    3⤵
    PID:2772
- C:\Windows\system32\taskkill.exe
  taskkill explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2528
- C:\Windows\system32\tskill.exe
  tskill explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Windows\system32\net.exe
  net user /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add
    3⤵
    PID:4020
- C:\Windows\system32\taskkill.exe
  taskkill explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4996
- C:\Windows\system32\tskill.exe
  tskill explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Windows\system32\net.exe
  net user /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add
    3⤵
    PID:2876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2440 -ip 2440
1⤵
PID:2716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2440 -s 1584
1⤵
- Program crash
PID:1520

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads