5c168e2017e3fb571acafdcd73bf62f8371faf591417d3f17b509b46c69521ac

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

76KB
MD5

6813fe026e9b60e9a15b462d629365a1
SHA1

ec531fead56ff80dfd45dbb4820d4ac026f4e922
SHA256

5c168e2017e3fb571acafdcd73bf62f8371faf591417d3f17b509b46c69521ac
SHA512

f5605a9cb57e4903998dde2fd74134ff910ac585f4e33bff013b24645647effe44d12d4e39e5f0a8cc6a7c76ec9f1f897ad7cae0c02fe47c2c974696f991148c
SSDEEP

384:JNmB9m9Im9ym9om90m9iml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTmI:g8xPR1LcBn7Vl9oemQes2kL

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.bat	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2752	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2596	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1996	2036	cmd.exe	29
PID 2036 wrote to memory of 1996	2036	cmd.exe	29
PID 2036 wrote to memory of 1996	2036	cmd.exe	29
PID 2036 wrote to memory of 2596	2036	cmd.exe	30
PID 2036 wrote to memory of 2596	2036	cmd.exe	30
PID 2036 wrote to memory of 2596	2036	cmd.exe	30
PID 2036 wrote to memory of 2752	2036	cmd.exe	32
PID 2036 wrote to memory of 2752	2036	cmd.exe	32
PID 2036 wrote to memory of 2752	2036	cmd.exe	32
PID 2036 wrote to memory of 2772	2036	cmd.exe	33
PID 2036 wrote to memory of 2772	2036	cmd.exe	33
PID 2036 wrote to memory of 2772	2036	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\mode.com
  mode con cols=107 lines=41
  2⤵
  PID:1996
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:2752
- C:\Windows\system32\findstr.exe
  findstr IPv4
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads