0e8657a0f4190488c0bf126ad61abd4fe5da9d7e212f46a2b1224e1f0321a771

Analysis

max time kernel
20s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3433ab5ef474a7731205a298fb9a9e6a9c4c2f9aac27e8061dd1ce3f081069f7.bat
Size

2KB
MD5

1dff73ac05f8be33adfbffa0cc201368
SHA1

0380d253fade986bdded22015559fc5de9726063
SHA256

3433ab5ef474a7731205a298fb9a9e6a9c4c2f9aac27e8061dd1ce3f081069f7
SHA512

f095e41386e926c969bf18eab4eb53cdffb223c824af9fced734177120583a36007a18d6257940a0f97fd9886d4c5b79915f53c0f33d41e49c6ed6a45f23a641

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2296	icacls.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1812	timeout.exe
4140	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4616	taskkill.exe
728	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4616	4496	cmd.exe	86
PID 4496 wrote to memory of 4616	4496	cmd.exe	86
PID 4496 wrote to memory of 728	4496	cmd.exe	87
PID 4496 wrote to memory of 728	4496	cmd.exe	87
PID 4496 wrote to memory of 2192	4496	cmd.exe	88
PID 4496 wrote to memory of 2192	4496	cmd.exe	88
PID 4496 wrote to memory of 1812	4496	cmd.exe	89
PID 4496 wrote to memory of 1812	4496	cmd.exe	89
PID 4496 wrote to memory of 4140	4496	cmd.exe	90
PID 4496 wrote to memory of 4140	4496	cmd.exe	90
PID 4496 wrote to memory of 4672	4496	cmd.exe	91
PID 4496 wrote to memory of 4672	4496	cmd.exe	91
PID 4496 wrote to memory of 4692	4496	cmd.exe	92
PID 4496 wrote to memory of 4692	4496	cmd.exe	92
PID 4496 wrote to memory of 2296	4496	cmd.exe	93
PID 4496 wrote to memory of 2296	4496	cmd.exe	93

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2192	attrib.exe
4672	attrib.exe
4692	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3433ab5ef474a7731205a298fb9a9e6a9c4c2f9aac27e8061dd1ce3f081069f7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\taskkill.exe
  TASKKILL /im "icacls.exe" /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\system32\taskkill.exe
  TASKKILL /im "Taskmg.exe" /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:728
- C:\Windows\system32\attrib.exe
  attrib -h -r -s "C:\ProgramData\xmrig.cmd"
  2⤵
  - Views/modifies file attributes
  PID:2192
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1812
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4140
- C:\Windows\system32\attrib.exe
  attrib -h -r -s "C:\ProgramData\xmrigg.cmd"
  2⤵
  - Views/modifies file attributes
  PID:4672
- C:\Windows\system32\attrib.exe
  attrib +h +r +s "C:\ProgramData\xmrigg.cmd"
  2⤵
  - Views/modifies file attributes
  PID:4692
- C:\Windows\system32\icacls.exe
  icacls * /t /q /c /reset
  2⤵
  - Modifies file permissions
  PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads