Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230831-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23/09/2023, 03:05

General

  • Target

    bat.bat

  • Size

    77KB

  • MD5

    466a311205b514581aa61ce02ead19a4

  • SHA1

    aeb2acb70b4a82bd6de876aba272158706ae021c

  • SHA256

    50f9ea4f06de30d775c8315587f0bce404a6946a67b2d8a5a2cdc61279880dff

  • SHA512

    83e59aab5ffd7b8e9cefe00ff6a2e0e235d502316088efc063477fa06f765ef376c11ac311193fa88472d91e3fa378a97476f8656c7ad7fdcb08a35c0001bb1f

  • SSDEEP

    384:/qmB+m9dm9hm9rm99m93ml5mlomlumlSmlcmlsmlkmllmlZmjDmlfmn7mlJmlTm6:HjcIm8KcBn7Vl9oemQes2kfbx

Score
1/10

Malware Config

Signatures

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.enc"
      2⤵
      PID:2704
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt" "C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.enc"
      2⤵
      PID:2076
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4A87.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4A87.txt.enc"
      2⤵
      PID:3048
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4ADF.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4ADF.txt.enc"
      2⤵
      PID:2628
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4A87.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4A87.txt.enc"
      2⤵
      PID:2664
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4ADF.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4ADF.txt.enc"
      2⤵
      PID:2732
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230831_233835_144.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230831_233835_144.txt.enc"
      2⤵
      PID:2744
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230831_233836_485.txt" "C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20230831_233836_485.txt.enc"
      2⤵
      PID:2772
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt" "C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt.enc"
      2⤵
      PID:2736
    • C:\Windows\system32\certutil.exe
      certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230831_233818857-MSI_netfx_Full_x64.msi.txt" "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230831_233818857-MSI_netfx_Full_x64.msi.txt.enc"
      2⤵
      PID:2676
    • C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Local\Temp\bat.bat
      2⤵
      • Views/modifies file attributes
      PID:2476
    • C:\Windows\system32\format.com
      format C: /Q /y
      2⤵
      PID:2756
    • C:\Windows\system32\mode.com
      mode con cols=107 lines=41
      2⤵
      PID:2528
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3052
    • C:\Windows\system32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:2568
    • C:\Windows\system32\findstr.exe
      findstr IPv4
      2⤵
      PID:2788
    • C:\Windows\system32\mode.com
      mode con cols=107 lines=41
      2⤵
      PID:2980
    • C:\Windows\system32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:2792
    • C:\Windows\system32\findstr.exe
      findstr IPv4
      2⤵
      PID:2372

Network

MITRE ATT&CK Enterprise v15


Downloads