aa8c2dff4595b979ac6c1212a57698cc08f95baec446d9027a4c416369f2c78a

Analysis

max time kernel
111s
max time network
8s
platform
windows11-21h2_x64
resource
win11-20231129-en
resource tags

arch:x64arch:x86image:win11-20231129-enlocale:en-usos:windows11-21h2-x64system
submitted
12/12/2023, 17:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

240_fps_z7Joel.bat
Size

60KB
MD5

17dfd532337e55e070ddc5ab2b248d11
SHA1

77cab6a88c91867a4ea622b6864eb60de77cd8f3
SHA256

aa8c2dff4595b979ac6c1212a57698cc08f95baec446d9027a4c416369f2c78a
SHA512

b214f537f93e581d3f3435381d78488ec084d56d7deea55ce870bbde10a5a95284cd782875bbf5a7aed2dd9500e2cbd088fd66a58395e97cb09e50c7e8054d66
SSDEEP

768:FPC3pXa4tht1MF+Vw8tTnvl09oW/dvfQu98KBDtUh:FPC3Q4tht1MF+VPTntui

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\System32\S	cmd.exe
File created	C:\Windows\System32\R	cmd.exe
File created	C:\Windows\System32\u	cmd.exe
File created	C:\Windows\System32\e	cmd.exe
File created	C:\Windows\System32\r	cmd.exe
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\ S	cmd.exe
File created	C:\Windows\System32\V	cmd.exe
File created	C:\Windows\System32\ T	cmd.exe
File created	C:\Windows\System32\a	cmd.exe
File created	C:\Windows\System32\n	cmd.exe
File created	C:\Windows\System32\w	cmd.exe
File created	C:\Windows\System32\y	cmd.exe
File created	C:\Windows\System32\c	cmd.exe
File created	C:\Windows\System32\ 2	cmd.exe
File created	C:\Windows\System32\ B	cmd.exe
File created	C:\Windows\System32\ [	cmd.exe
File created	C:\Windows\System32\t	cmd.exe
File created	C:\Windows\System32\I	cmd.exe
File created	C:\Windows\System32\C	cmd.exe
File created	C:\Windows\System32\E	cmd.exe
File created	C:\Windows\System32\ 1	cmd.exe
File created	C:\Windows\System32\ s	cmd.exe
File created	C:\Windows\System32\ D	cmd.exe
File created	C:\Windows\System32\O	cmd.exe
File created	C:\Windows\System32\h	cmd.exe
File created	C:\Windows\System32\==============================================================================	cmd.exe
File created	C:\Windows\System32\D	cmd.exe
File created	C:\Windows\System32\ ]	cmd.exe
File created	C:\Windows\System32\k	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 4032	484	cmd.exe	79
PID 484 wrote to memory of 4032	484	cmd.exe	79
PID 484 wrote to memory of 2664	484	cmd.exe	80
PID 484 wrote to memory of 2664	484	cmd.exe	80
PID 484 wrote to memory of 1008	484	cmd.exe	81
PID 484 wrote to memory of 1008	484	cmd.exe	81
PID 484 wrote to memory of 2328	484	cmd.exe	82
PID 484 wrote to memory of 2328	484	cmd.exe	82
PID 484 wrote to memory of 4600	484	cmd.exe	83
PID 484 wrote to memory of 4600	484	cmd.exe	83
PID 484 wrote to memory of 4124	484	cmd.exe	85
PID 484 wrote to memory of 4124	484	cmd.exe	85
PID 484 wrote to memory of 4568	484	cmd.exe	84
PID 484 wrote to memory of 4568	484	cmd.exe	84
PID 484 wrote to memory of 4176	484	cmd.exe	86
PID 484 wrote to memory of 4176	484	cmd.exe	86
PID 484 wrote to memory of 4320	484	cmd.exe	87
PID 484 wrote to memory of 4320	484	cmd.exe	87
PID 484 wrote to memory of 4880	484	cmd.exe	88
PID 484 wrote to memory of 4880	484	cmd.exe	88
PID 484 wrote to memory of 2916	484	cmd.exe	89
PID 484 wrote to memory of 2916	484	cmd.exe	89
PID 484 wrote to memory of 4660	484	cmd.exe	90
PID 484 wrote to memory of 4660	484	cmd.exe	90
PID 484 wrote to memory of 700	484	cmd.exe	91
PID 484 wrote to memory of 700	484	cmd.exe	91
PID 484 wrote to memory of 4736	484	cmd.exe	92
PID 484 wrote to memory of 4736	484	cmd.exe	92
PID 484 wrote to memory of 4508	484	cmd.exe	93
PID 484 wrote to memory of 4508	484	cmd.exe	93
PID 484 wrote to memory of 4988	484	cmd.exe	94
PID 484 wrote to memory of 4988	484	cmd.exe	94
PID 484 wrote to memory of 5080	484	cmd.exe	95
PID 484 wrote to memory of 5080	484	cmd.exe	95
PID 484 wrote to memory of 1572	484	cmd.exe	96
PID 484 wrote to memory of 1572	484	cmd.exe	96
PID 484 wrote to memory of 900	484	cmd.exe	97
PID 484 wrote to memory of 900	484	cmd.exe	97
PID 484 wrote to memory of 4976	484	cmd.exe	98
PID 484 wrote to memory of 4976	484	cmd.exe	98
PID 484 wrote to memory of 4148	484	cmd.exe	99
PID 484 wrote to memory of 4148	484	cmd.exe	99
PID 484 wrote to memory of 4928	484	cmd.exe	100
PID 484 wrote to memory of 4928	484	cmd.exe	100
PID 484 wrote to memory of 2752	484	cmd.exe	101
PID 484 wrote to memory of 2752	484	cmd.exe	101
PID 484 wrote to memory of 3772	484	cmd.exe	102
PID 484 wrote to memory of 3772	484	cmd.exe	102
PID 484 wrote to memory of 1644	484	cmd.exe	103
PID 484 wrote to memory of 1644	484	cmd.exe	103
PID 484 wrote to memory of 744	484	cmd.exe	104
PID 484 wrote to memory of 744	484	cmd.exe	104
PID 484 wrote to memory of 2780	484	cmd.exe	105
PID 484 wrote to memory of 2780	484	cmd.exe	105
PID 484 wrote to memory of 2516	484	cmd.exe	106
PID 484 wrote to memory of 2516	484	cmd.exe	106
PID 484 wrote to memory of 2440	484	cmd.exe	107
PID 484 wrote to memory of 2440	484	cmd.exe	107
PID 484 wrote to memory of 1916	484	cmd.exe	108
PID 484 wrote to memory of 1916	484	cmd.exe	108
PID 484 wrote to memory of 3272	484	cmd.exe	109
PID 484 wrote to memory of 3272	484	cmd.exe	109
PID 484 wrote to memory of 2524	484	cmd.exe	110
PID 484 wrote to memory of 2524	484	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\240_fps_z7Joel.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\system32\mode.com
  mode 128,33
  2⤵
  PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:2664
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:1008
- C:\Windows\System32\mode.com
  mode 78, 20
  2⤵
  PID:2328
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" " B" nul
  2⤵
  PID:4600
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" " T" nul
  2⤵
  PID:4568
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "y" nul
  2⤵
  PID:4124
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "u" nul
  2⤵
  PID:4176
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "c" nul
  2⤵
  PID:4320
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "h" nul
  2⤵
  PID:4880
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "a" nul
  2⤵
  PID:2916
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "n" nul
  2⤵
  PID:4660
- C:\Windows\System32\findstr.exe
  findstr /v /a:cc /R "^$" "==============================================================================" nul
  2⤵
  PID:700
- C:\Windows\System32\findstr.exe
  findstr /v /a:0 /R "^$" " [" nul
  2⤵
  PID:4736
- C:\Windows\System32\findstr.exe
  findstr /v /a:4 /R "^$" " 1" nul
  2⤵
  PID:4508
- C:\Windows\System32\findstr.exe
  findstr /v /a:0 /R "^$" " ]" nul
  2⤵
  PID:4988
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" " T" nul
  2⤵
  PID:5080
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "w" nul
  2⤵
  PID:1572
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "e" nul
  2⤵
  PID:900
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "a" nul
  2⤵
  PID:4976
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "k" nul
  2⤵
  PID:4148
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" " s" nul
  2⤵
  PID:4928
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "t" nul
  2⤵
  PID:2752
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "a" nul
  2⤵
  PID:3772
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "r" nul
  2⤵
  PID:1644
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "t" nul
  2⤵
  PID:744
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "e" nul
  2⤵
  PID:2780
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "n" nul
  2⤵
  PID:2516
- C:\Windows\System32\findstr.exe
  findstr /v /a:0 /R "^$" " [" nul
  2⤵
  PID:2440
- C:\Windows\System32\findstr.exe
  findstr /v /a:4 /R "^$" " 2" nul
  2⤵
  PID:1916
- C:\Windows\System32\findstr.exe
  findstr /v /a:0 /R "^$" " ]" nul
  2⤵
  PID:3272
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" " D" nul
  2⤵
  PID:2524
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "I" nul
  2⤵
  PID:2416
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "S" nul
  2⤵
  PID:3592
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "C" nul
  2⤵
  PID:4128
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "O" nul
  2⤵
  PID:1960
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "R" nul
  2⤵
  PID:2832
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "D" nul
  2⤵
  PID:1468
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" " S" nul
  2⤵
  PID:3160
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "E" nul
  2⤵
  PID:436
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "R" nul
  2⤵
  PID:1280
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "V" nul
  2⤵
  PID:1232
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "E" nul
  2⤵
  PID:5100
- C:\Windows\System32\findstr.exe
  findstr /v /a:c /R "^$" "R" nul
  2⤵
  PID:3208
- C:\Windows\System32\findstr.exe
  findstr /v /a:cc /R "^$" "==============================================================================" nul
  2⤵
  PID:4220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ B

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads