Analysis
- max time kernel: 1s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-03-2023 09:08
Static task
- static1

Behavioral task
- behavioral1
- Sample: KernelOS21H2 (2).bat
- Resource: win7-20230220-en (windows7-x64)
- 5 signatures
- 300 seconds

Behavioral task
- behavioral2
- Sample: KernelOS21H2 (2).bat
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 19 signatures
- 300 seconds
General
- Target: KernelOS21H2 (2).bat
- Size: 38KB
- MD5: b2c39c94a67e89dc4a633889f0575650
- SHA1: e8dc50ebfb34dfef62a83b328e4e5f61e6bc3a49
- SHA256: 892043f3b79d937ac74943bee419135aaf64370b627313c4efd0919bcdbace62
- SHA512: 7222655c44c39101c863ca95d862072abcd3c0eb28944301bb8c256f25bdb103d841df63f7af9d473656e8fa22985ba7fb9f80870abae55bf7a24ac5bba4799f
- SSDEEP: 768:+TOLfw09oGDbfrdAUY5eCNldf2BWt9vOjfEv+/ZcbXmB9ofdfv3h8f+q1wqk:iku
- Score: 1/10
Malware Config
Signatures
- Delays execution with timeout.exe (1 IoC)
  Processes:
    PID 1748  timeout.exe
- Kills process with taskkill (1 IoC)
  Processes:
    PID 1592  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1752  powershell.exe
    PID 1752  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1592  taskkill.exe
    Token: SeDebugPrivilege  1752  powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs; each row below was recorded 3 times)
  Processes:
    description                        pid   process  target process
    PID 1920 wrote to memory of 2024   1920  cmd.exe  cmd.exe
    PID 2024 wrote to memory of 1512   2024  cmd.exe  chcp.com
    PID 1920 wrote to memory of 1520   1920  cmd.exe  chcp.com
    PID 1920 wrote to memory of 1380   1920  cmd.exe  cmd.exe
    PID 1380 wrote to memory of 1592   1380  cmd.exe  taskkill.exe
    PID 1380 wrote to memory of 1752   1380  cmd.exe  powershell.exe
    PID 1380 wrote to memory of 1748   1380  cmd.exe  timeout.exe
Processes
- C:\Windows\system32\cmd.exe (PID 1920)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2024)
    C:\Windows\system32\cmd.exe /c chcp
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 1512)
      chcp
  - C:\Windows\system32\chcp.com (PID 1520)
    chcp 708
  - C:\Windows\system32\cmd.exe (PID 1380)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 1592)
      taskkill /f /im explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1752)
      powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\timeout.exe (PID 1748)
      timeout /t 5 /nobreak
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/1752-58-0x000000001B190000-0x000000001B472000-memory.dmp (Filesize: 2.9MB)
- memory/1752-59-0x00000000022F0000-0x00000000022F8000-memory.dmp (Filesize: 32KB)
- memory/1752-60-0x00000000028A4000-0x00000000028A7000-memory.dmp (Filesize: 12KB)
- memory/1752-61-0x00000000028AB000-0x00000000028E2000-memory.dmp (Filesize: 220KB)