Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
28/11/2023, 07:19
Static task
static1
Behavioral task
behavioral1
Sample
main_obf.bat
Resource
win7-20231023-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
main_obf.bat
Resource
win10v2004-20231127-en
10 signatures
150 seconds
General
-
Target
main_obf.bat
-
Size
3.3MB
-
MD5
b7cdd43c690b6f00668ce8c1675d00d4
-
SHA1
99b96b30be46250658c29d983ffae99840bb9d06
-
SHA256
3b4522e24880a92e0efbff78c221678983c7d994b6bfacce04ceece21f0a60a7
-
SHA512
4aaf2da39127e81533b71bf571f6d7dab9c20a0b3e898448e9443bd89ed4c04c2c7bc3354438b3558310e2909ed8ba15116ff9e5b2ad21b0a938f6fe8618f116
-
SSDEEP
6144:7zrbs20RR7orb8GitYwYN4vkt9oVCTlGMe6pCIPqBkB4slpp0CswOw3XGI19UZua:7FOR7GbVitpU4/VCnCIPZp8zeTgz
Score
1/10
Malware Config
Signatures
-
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\%PATHEXT:.COM cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2648 PING.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1752 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1752 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2152 wrote to memory of 1752 2152 cmd.exe 29 PID 2152 wrote to memory of 1752 2152 cmd.exe 29 PID 2152 wrote to memory of 1752 2152 cmd.exe 29 PID 2152 wrote to memory of 2648 2152 cmd.exe 31 PID 2152 wrote to memory of 2648 2152 cmd.exe 31 PID 2152 wrote to memory of 2648 2152 cmd.exe 31 PID 2152 wrote to memory of 2616 2152 cmd.exe 32 PID 2152 wrote to memory of 2616 2152 cmd.exe 32 PID 2152 wrote to memory of 2616 2152 cmd.exe 32 PID 2152 wrote to memory of 2784 2152 cmd.exe 33 PID 2152 wrote to memory of 2784 2152 cmd.exe 33 PID 2152 wrote to memory of 2784 2152 cmd.exe 33 PID 2152 wrote to memory of 2520 2152 cmd.exe 34 PID 2152 wrote to memory of 2520 2152 cmd.exe 34 PID 2152 wrote to memory of 2520 2152 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\main_obf.bat"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
C:\Windows\system32\PING.EXEping -n 2 -w 700 www.google.com2⤵
- Runs ping.exe
PID:2648
-
-
C:\Windows\system32\find.exefind "bytes="2⤵PID:2616
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:2784
-
-
C:\Windows\system32\rundll32.exerundll322⤵PID:2520
-