312f60b66fdaa2e684144e9c7738a2203b3653a6cb27355b5c70b65b86a7f3d6

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

button-in-batch-file-main/Example.bat
Size

373B
MD5

4968b79bd8673f11788794e66af14fa6
SHA1

c6645af78b00e111992ea9063dff26dfa1ba8739
SHA256

76cd7f00b6935ac67989e1ec9b9a988c0b2b3a99ba1718454b03ca81c424cfad
SHA512

b307963c928140de46f8459e12ef1b8749e75af9f1b43a35d66e52f948ef26be18cdbf2f15f366de9efc434450a50f8f2230df2463fa647c77affe669f377394

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
3052	batbox.exe
3068	batbox.exe
1696	GetInput.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2296	1980	cmd.exe	29
PID 1980 wrote to memory of 2296	1980	cmd.exe	29
PID 1980 wrote to memory of 2296	1980	cmd.exe	29
PID 1980 wrote to memory of 3052	1980	cmd.exe	30
PID 1980 wrote to memory of 3052	1980	cmd.exe	30
PID 1980 wrote to memory of 3052	1980	cmd.exe	30
PID 1980 wrote to memory of 3052	1980	cmd.exe	30
PID 1980 wrote to memory of 3068	1980	cmd.exe	31
PID 1980 wrote to memory of 3068	1980	cmd.exe	31
PID 1980 wrote to memory of 3068	1980	cmd.exe	31
PID 1980 wrote to memory of 3068	1980	cmd.exe	31
PID 1980 wrote to memory of 1696	1980	cmd.exe	32
PID 1980 wrote to memory of 1696	1980	cmd.exe	32
PID 1980 wrote to memory of 1696	1980	cmd.exe	32
PID 1980 wrote to memory of 1696	1980	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\button-in-batch-file-main\Example.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\mode.com
  Mode 48,18
  2⤵
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\button-in-batch-file-main\batbox.exe
  Batbox /h 0
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\button-in-batch-file-main\batbox.exe
  batbox /g 12 3 /a 218 /g 34 3 /a 191 /g 12 5 /a 192 /g 34 5 /a 217 /g 13 3 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /g 13 5 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /g 12 4 /a 179 /g 34 4 /a 179 /g 13 4 /d " Exemplo de botao 1 " /g 12 7 /a 218 /g 34 7 /a 191 /g 12 9 /a 192 /g 34 9 /a 217 /g 13 7 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /g 13 9 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /g 12 8 /a 179 /g 34 8 /a 179 /g 13 8 /d " Exemplo de botao 2 " /g 19 11 /a 218 /g 26 11 /a 191 /g 19 13 /a 192 /g 26 13 /a 217 /g 20 11 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /g 20 13 /a 196 /a 196 /a 196 /a 196 /a 196 /a 196 /g 19 12 /a 179 /g 26 12 /a 179 /g 20 12 /d " Sair "
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\button-in-batch-file-main\GetInput.exe
  Getinput /m 13 4 33 4 13 8 33 8 20 12 25 12 /h 70
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-0-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3052-1-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3068-2-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads