0e0e79afe18495a52daaf855bca532f0fd31b24e8b14465f916786dde32cb990

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source.bat
Size

41KB
MD5

dedaca339ee3296c08a1442cb3ec611c
SHA1

1aec2b583928abd43393de204d347cc2e3034cca
SHA256

0e0e79afe18495a52daaf855bca532f0fd31b24e8b14465f916786dde32cb990
SHA512

4a8a5dd8e78175d5e4fd94e8a74fca46c88563de04c1c229d23c322b24fe7cb439da05d44680d3612992e8fc604cb862d6d4cd5ff76d5a82b1ccb01e63f6914f
SSDEEP

192:KYWAoLAeXD+GN4Q0P4Q0Bh8uZAlVUE+fX:KY9osA1NQPQP8uZAlVUE+fX

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: 36	2760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: 36	2760	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3324	2148	cmd.exe	84
PID 2148 wrote to memory of 3324	2148	cmd.exe	84
PID 2148 wrote to memory of 3932	2148	cmd.exe	85
PID 2148 wrote to memory of 3932	2148	cmd.exe	85
PID 2148 wrote to memory of 3172	2148	cmd.exe	86
PID 2148 wrote to memory of 3172	2148	cmd.exe	86
PID 2148 wrote to memory of 2760	2148	cmd.exe	87
PID 2148 wrote to memory of 2760	2148	cmd.exe	87
PID 2148 wrote to memory of 2168	2148	cmd.exe	88
PID 2148 wrote to memory of 2168	2148	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\source.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ver "
  2⤵
  PID:3932
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox"
  2⤵
  PID:3172
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get Manufacturer
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\system32\findstr.exe
  findstr /i "VMware"
  2⤵
  PID:2168

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads