dfe88c225ba76e233c2dced11d32b3cf994466692dd8ab85be655907231e8acb

Analysis

max time kernel
165s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GO1.bat
Size

686B
MD5

f12a54ae1b6d9cd13308ae482de0740b
SHA1

e4c724dc0a15b9df9ff5f8ff7791bab09c7b7a52
SHA256

fee8839f9603e47e8da81324c3b35c0966b0b0acb93a7d8962573308abb3be45
SHA512

c877089099680fde6f4793b4cddf93c3f0a43269f2cb42deaab88777b25bccfe39c0fb6667690fd67dd637418df76e15ff0d1ea8e28d300c953967602f95a040

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1792	PING.EXE
1996	PING.EXE
1708	PING.EXE
1552	PING.EXE
1840	PING.EXE
656	PING.EXE
644	PING.EXE
1332	PING.EXE
632	PING.EXE
832	PING.EXE
1728	PING.EXE
976	PING.EXE
1572	PING.EXE
1944	PING.EXE
1544	PING.EXE
1964	PING.EXE
1752	PING.EXE
316	PING.EXE
1204	PING.EXE
1792	PING.EXE
1988	PING.EXE
1236	PING.EXE
1768	PING.EXE
1816	PING.EXE
1492	PING.EXE
1732	PING.EXE
676	PING.EXE
584	PING.EXE
1592	PING.EXE
1940	PING.EXE
1840	PING.EXE
1164	PING.EXE
1520	PING.EXE
544	PING.EXE
1648	PING.EXE
316	PING.EXE
1620	PING.EXE
1796	PING.EXE
1132	PING.EXE
1236	PING.EXE
1928	PING.EXE
1156	PING.EXE
1944	PING.EXE
1552	PING.EXE
1528	PING.EXE
1652	PING.EXE
472	PING.EXE
1036	PING.EXE
1556	PING.EXE
1580	PING.EXE
1720	PING.EXE
1148	PING.EXE
1680	PING.EXE
632	PING.EXE
268	PING.EXE
952	PING.EXE
276	PING.EXE
1376	PING.EXE
1712	PING.EXE
1400	PING.EXE
276	PING.EXE
584	PING.EXE
1540	PING.EXE
2032	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 908	1980	cmd.exe	29
PID 1980 wrote to memory of 908	1980	cmd.exe	29
PID 1980 wrote to memory of 908	1980	cmd.exe	29
PID 1980 wrote to memory of 1528	1980	cmd.exe	30
PID 1980 wrote to memory of 1528	1980	cmd.exe	30
PID 1980 wrote to memory of 1528	1980	cmd.exe	30
PID 1980 wrote to memory of 1792	1980	cmd.exe	31
PID 1980 wrote to memory of 1792	1980	cmd.exe	31
PID 1980 wrote to memory of 1792	1980	cmd.exe	31
PID 1980 wrote to memory of 1204	1980	cmd.exe	32
PID 1980 wrote to memory of 1204	1980	cmd.exe	32
PID 1980 wrote to memory of 1204	1980	cmd.exe	32
PID 1980 wrote to memory of 1292	1980	cmd.exe	33
PID 1980 wrote to memory of 1292	1980	cmd.exe	33
PID 1980 wrote to memory of 1292	1980	cmd.exe	33
PID 1980 wrote to memory of 1520	1980	cmd.exe	34
PID 1980 wrote to memory of 1520	1980	cmd.exe	34
PID 1980 wrote to memory of 1520	1980	cmd.exe	34
PID 1980 wrote to memory of 1372	1980	cmd.exe	35
PID 1980 wrote to memory of 1372	1980	cmd.exe	35
PID 1980 wrote to memory of 1372	1980	cmd.exe	35
PID 1980 wrote to memory of 1940	1980	cmd.exe	36
PID 1980 wrote to memory of 1940	1980	cmd.exe	36
PID 1980 wrote to memory of 1940	1980	cmd.exe	36
PID 1980 wrote to memory of 276	1980	cmd.exe	37
PID 1980 wrote to memory of 276	1980	cmd.exe	37
PID 1980 wrote to memory of 276	1980	cmd.exe	37
PID 1980 wrote to memory of 1652	1980	cmd.exe	38
PID 1980 wrote to memory of 1652	1980	cmd.exe	38
PID 1980 wrote to memory of 1652	1980	cmd.exe	38
PID 1980 wrote to memory of 472	1980	cmd.exe	39
PID 1980 wrote to memory of 472	1980	cmd.exe	39
PID 1980 wrote to memory of 472	1980	cmd.exe	39
PID 1980 wrote to memory of 584	1980	cmd.exe	40
PID 1980 wrote to memory of 584	1980	cmd.exe	40
PID 1980 wrote to memory of 584	1980	cmd.exe	40
PID 1980 wrote to memory of 1996	1980	cmd.exe	41
PID 1980 wrote to memory of 1996	1980	cmd.exe	41
PID 1980 wrote to memory of 1996	1980	cmd.exe	41
PID 1980 wrote to memory of 1036	1980	cmd.exe	42
PID 1980 wrote to memory of 1036	1980	cmd.exe	42
PID 1980 wrote to memory of 1036	1980	cmd.exe	42
PID 1980 wrote to memory of 1556	1980	cmd.exe	43
PID 1980 wrote to memory of 1556	1980	cmd.exe	43
PID 1980 wrote to memory of 1556	1980	cmd.exe	43
PID 1980 wrote to memory of 1700	1980	cmd.exe	44
PID 1980 wrote to memory of 1700	1980	cmd.exe	44
PID 1980 wrote to memory of 1700	1980	cmd.exe	44
PID 1980 wrote to memory of 544	1980	cmd.exe	45
PID 1980 wrote to memory of 544	1980	cmd.exe	45
PID 1980 wrote to memory of 544	1980	cmd.exe	45
PID 1980 wrote to memory of 1708	1980	cmd.exe	46
PID 1980 wrote to memory of 1708	1980	cmd.exe	46
PID 1980 wrote to memory of 1708	1980	cmd.exe	46
PID 1980 wrote to memory of 1376	1980	cmd.exe	47
PID 1980 wrote to memory of 1376	1980	cmd.exe	47
PID 1980 wrote to memory of 1376	1980	cmd.exe	47
PID 1980 wrote to memory of 1616	1980	cmd.exe	48
PID 1980 wrote to memory of 1616	1980	cmd.exe	48
PID 1980 wrote to memory of 1616	1980	cmd.exe	48
PID 1980 wrote to memory of 632	1980	cmd.exe	49
PID 1980 wrote to memory of 632	1980	cmd.exe	49
PID 1980 wrote to memory of 632	1980	cmd.exe	49
PID 1980 wrote to memory of 1792	1980	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GO1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\mode.com
  MODE con: COLS=40 lines=15
  2⤵
  PID:908
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1528
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1792
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1204
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1292
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1520
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1372
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1940
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:276
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1652
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:472
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:584
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1996
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1036
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1556
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1700
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:544
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1708
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1376
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1616
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:632
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1792
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1156
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:644
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1900
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1712
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:832
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1648
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1944
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:268
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1840
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1580
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1588
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1728
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:316
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1744
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1552
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1988
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1620
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:976
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1540
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1720
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1796
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1236
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:2032
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1836
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1164
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1572
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1132
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1944
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1768
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1840
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1580
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1544
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1964
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1816
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1492
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1552
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1312
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1732
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:952
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1400
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:872
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1148
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1236
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:2032
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1752
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1704
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:276
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:676
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1332
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:836
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1928
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:584
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1916
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1680
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1556
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:656
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:316
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:904
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:668
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:1592
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  PID:1620
- C:\Windows\system32\PING.EXE
  ping -n 2 localhost
  2⤵
  - Runs ping.exe
  PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-83-0x0000000000000000-mapping.dmp

Download
memory/276-62-0x0000000000000000-mapping.dmp

Download
memory/316-88-0x0000000000000000-mapping.dmp

Download
memory/472-64-0x0000000000000000-mapping.dmp

Download
memory/544-70-0x0000000000000000-mapping.dmp

Download
memory/584-65-0x0000000000000000-mapping.dmp

Download
memory/632-74-0x0000000000000000-mapping.dmp

Download
memory/644-77-0x0000000000000000-mapping.dmp

Download
memory/832-80-0x0000000000000000-mapping.dmp

Download
memory/872-116-0x0000000000000000-mapping.dmp

Download
memory/908-54-0x0000000000000000-mapping.dmp

Download
memory/952-114-0x0000000000000000-mapping.dmp

Download
memory/976-93-0x0000000000000000-mapping.dmp

Download
memory/1036-67-0x0000000000000000-mapping.dmp

Download
memory/1132-102-0x0000000000000000-mapping.dmp

Download
memory/1148-117-0x0000000000000000-mapping.dmp

Download
memory/1156-76-0x0000000000000000-mapping.dmp

Download
memory/1164-100-0x0000000000000000-mapping.dmp

Download
memory/1204-57-0x0000000000000000-mapping.dmp

Download
memory/1236-97-0x0000000000000000-mapping.dmp

Download
memory/1292-58-0x0000000000000000-mapping.dmp

Download
memory/1312-112-0x0000000000000000-mapping.dmp

Download
memory/1372-60-0x0000000000000000-mapping.dmp

Download
memory/1376-72-0x0000000000000000-mapping.dmp

Download
memory/1400-115-0x0000000000000000-mapping.dmp

Download
memory/1492-110-0x0000000000000000-mapping.dmp

Download
memory/1520-59-0x0000000000000000-mapping.dmp

Download
memory/1528-55-0x0000000000000000-mapping.dmp

Download
memory/1540-94-0x0000000000000000-mapping.dmp

Download
memory/1544-107-0x0000000000000000-mapping.dmp

Download
memory/1552-111-0x0000000000000000-mapping.dmp

Download
memory/1552-90-0x0000000000000000-mapping.dmp

Download
memory/1556-68-0x0000000000000000-mapping.dmp

Download
memory/1572-101-0x0000000000000000-mapping.dmp

Download
memory/1580-106-0x0000000000000000-mapping.dmp

Download
memory/1580-85-0x0000000000000000-mapping.dmp

Download
memory/1588-86-0x0000000000000000-mapping.dmp

Download
memory/1616-73-0x0000000000000000-mapping.dmp

Download
memory/1620-92-0x0000000000000000-mapping.dmp

Download
memory/1648-81-0x0000000000000000-mapping.dmp

Download
memory/1652-63-0x0000000000000000-mapping.dmp

Download
memory/1700-69-0x0000000000000000-mapping.dmp

Download
memory/1708-71-0x0000000000000000-mapping.dmp

Download
memory/1712-79-0x0000000000000000-mapping.dmp

Download
memory/1720-95-0x0000000000000000-mapping.dmp

Download
memory/1728-87-0x0000000000000000-mapping.dmp

Download
memory/1732-113-0x0000000000000000-mapping.dmp

Download
memory/1744-89-0x0000000000000000-mapping.dmp

Download
memory/1768-104-0x0000000000000000-mapping.dmp

Download
memory/1792-56-0x0000000000000000-mapping.dmp

Download
memory/1792-75-0x0000000000000000-mapping.dmp

Download
memory/1796-96-0x0000000000000000-mapping.dmp

Download
memory/1816-109-0x0000000000000000-mapping.dmp

Download
memory/1836-99-0x0000000000000000-mapping.dmp

Download
memory/1840-84-0x0000000000000000-mapping.dmp

Download
memory/1840-105-0x0000000000000000-mapping.dmp

Download
memory/1900-78-0x0000000000000000-mapping.dmp

Download
memory/1940-61-0x0000000000000000-mapping.dmp

Download
memory/1944-103-0x0000000000000000-mapping.dmp

Download
memory/1944-82-0x0000000000000000-mapping.dmp

Download
memory/1964-108-0x0000000000000000-mapping.dmp

Download
memory/1988-91-0x0000000000000000-mapping.dmp

Download
memory/1996-66-0x0000000000000000-mapping.dmp

Download
memory/2032-98-0x0000000000000000-mapping.dmp

Download