ac69ad3250ad752e84c8159f98e9d8d588d96f5f96a777d5223e8be812df0664

Resubmissions

18-10-2023 04:03

231018-emn2escd74 10

17-10-2023 07:05

231017-hwnzkabg22 10

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crack.bat
Size

437B
MD5

a51b437fee4aebf29bd74891aeef687d
SHA1

6a84f5d46864397c7f3af462a560c05b98f0bbf1
SHA256

20d19db72bbef98a070a427d0431bc96bb279a8d6ee9c0e12fd548cbf71741a4
SHA512

0bc34e263639e1cafad7be1acb0502e05098c02ac97303478c85bc7765c2f1ea0e4c5ffa6d459107bc9bcff58c432964523cd83936284e89a01fe9393bbd0ad1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1188 cmd.exe

pid	process
1188	cmd.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2584	taskkill.exe
1756	taskkill.exe
1788	taskkill.exe
2668	taskkill.exe
1684	taskkill.exe
2708	taskkill.exe
2508	taskkill.exe
2604	taskkill.exe
2652	taskkill.exe
1676	taskkill.exe
1652	taskkill.exe
2924	taskkill.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 1756	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1756	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1756	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1788	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1788	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1788	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2604	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2604	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2604	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2652	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2652	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2652	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2668	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2668	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2668	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1676	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1676	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1676	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1652	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1652	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1652	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2924	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2924	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2924	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1684	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1684	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 1684	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2708	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2708	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2708	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2508	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2508	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2508	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2584	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2584	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 2584	1188	cmd.exe	taskkill.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\crack.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\system32\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads