3b4522e24880a92e0efbff78c221678983c7d994b6bfacce04ceece21f0a60a7

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
28/11/2023, 07:19

Target

main_obf.bat
Size

3.3MB
MD5

b7cdd43c690b6f00668ce8c1675d00d4
SHA1

99b96b30be46250658c29d983ffae99840bb9d06
SHA256

3b4522e24880a92e0efbff78c221678983c7d994b6bfacce04ceece21f0a60a7
SHA512

4aaf2da39127e81533b71bf571f6d7dab9c20a0b3e898448e9443bd89ed4c04c2c7bc3354438b3558310e2909ed8ba15116ff9e5b2ad21b0a938f6fe8618f116
SSDEEP

6144:7zrbs20RR7orb8GitYwYN4vkt9oVCTlGMe6pCIPqBkB4slpp0CswOw3XGI19UZua:7FOR7GbVitpU4/VCnCIPZp8zeTgz

Score

1^/10

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\%PATHEXT:.COM	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2648	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1752	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1752	2152	cmd.exe	29
PID 2152 wrote to memory of 1752	2152	cmd.exe	29
PID 2152 wrote to memory of 1752	2152	cmd.exe	29
PID 2152 wrote to memory of 2648	2152	cmd.exe	31
PID 2152 wrote to memory of 2648	2152	cmd.exe	31
PID 2152 wrote to memory of 2648	2152	cmd.exe	31
PID 2152 wrote to memory of 2616	2152	cmd.exe	32
PID 2152 wrote to memory of 2616	2152	cmd.exe	32
PID 2152 wrote to memory of 2616	2152	cmd.exe	32
PID 2152 wrote to memory of 2784	2152	cmd.exe	33
PID 2152 wrote to memory of 2784	2152	cmd.exe	33
PID 2152 wrote to memory of 2784	2152	cmd.exe	33
PID 2152 wrote to memory of 2520	2152	cmd.exe	34
PID 2152 wrote to memory of 2520	2152	cmd.exe	34
PID 2152 wrote to memory of 2520	2152	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\main_obf.bat"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\system32\PING.EXE
  ping -n 2 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:2648
- C:\Windows\system32\find.exe
  find "bytes="
  2⤵
  PID:2616
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2784
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:2520

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1752-4-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1752-5-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1752-6-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1752-7-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1752-8-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1752-9-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1752-10-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1752-11-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download