Overview

overview

10

Static

static

1

main_obf.bat

windows7-x64

1

main_obf.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2023, 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main_obf.bat

  • Size

    3.3MB

  • MD5

    b7cdd43c690b6f00668ce8c1675d00d4

  • SHA1

    99b96b30be46250658c29d983ffae99840bb9d06

  • SHA256

    3b4522e24880a92e0efbff78c221678983c7d994b6bfacce04ceece21f0a60a7

  • SHA512

    4aaf2da39127e81533b71bf571f6d7dab9c20a0b3e898448e9443bd89ed4c04c2c7bc3354438b3558310e2909ed8ba15116ff9e5b2ad21b0a938f6fe8618f116

  • SSDEEP

    6144:7zrbs20RR7orb8GitYwYN4vkt9oVCTlGMe6pCIPqBkB4slpp0CswOw3XGI19UZua:7FOR7GbVitpU4/VCnCIPZp8zeTgz

Score
1/10

Malware Config

Signatures

  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\main_obf.bat"
    1⤵
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\system32\PING.EXE
      ping -n 2 -w 700 www.google.com
      2⤵
      • Runs ping.exe
      PID:2648
    • C:\Windows\system32\find.exe
      find "bytes="
      2⤵
        PID:2616
      • C:\Windows\system32\chcp.com
        chcp 65001
        2⤵
          PID:2784
        • C:\Windows\system32\rundll32.exe
          rundll32
          2⤵
            PID:2520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1752-4-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1752-5-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1752-6-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1752-7-0x000000001B360000-0x000000001B642000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1752-8-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1752-9-0x0000000002290000-0x0000000002298000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1752-10-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1752-11-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

          Filesize

          9.6MB

          Download