ffc22cde800d6ec68f62945910cb8846e3b8fb03d1875b3e52500720bf1d733d

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cycle.bat
Size

14KB
MD5

ca75591b2cc7af869565fccdb1cec346
SHA1

5a35cdce61b5e0f6ab712c60d103bea21c9f3cab
SHA256

ffc22cde800d6ec68f62945910cb8846e3b8fb03d1875b3e52500720bf1d733d
SHA512

4cf4c85eaf7d1e1122ccabb9021545fd3e6a70770c3a468e7248abafac2ed4b352d09b8e899639df7a6e1f0a42f998b86b6b99bc413014614e616652a73a479e
SSDEEP

192:Wq5XXeU9xuOMe7Bic8DPk9Z4qOaj9sqvWQ9IyB:Wq5+Uboqz8DPk9Z4qOaj9sqvWQ9T

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2424	tasklist.exe
2288	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2704	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	2288	tasklist.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2424	2308	cmd.exe	30
PID 2308 wrote to memory of 2424	2308	cmd.exe	30
PID 2308 wrote to memory of 2424	2308	cmd.exe	30
PID 2308 wrote to memory of 2432	2308	cmd.exe	29
PID 2308 wrote to memory of 2432	2308	cmd.exe	29
PID 2308 wrote to memory of 2432	2308	cmd.exe	29
PID 2308 wrote to memory of 2288	2308	cmd.exe	32
PID 2308 wrote to memory of 2288	2308	cmd.exe	32
PID 2308 wrote to memory of 2288	2308	cmd.exe	32
PID 2308 wrote to memory of 2692	2308	cmd.exe	33
PID 2308 wrote to memory of 2692	2308	cmd.exe	33
PID 2308 wrote to memory of 2692	2308	cmd.exe	33
PID 2308 wrote to memory of 2800	2308	cmd.exe	34
PID 2308 wrote to memory of 2800	2308	cmd.exe	34
PID 2308 wrote to memory of 2800	2308	cmd.exe	34
PID 2308 wrote to memory of 2808	2308	cmd.exe	35
PID 2308 wrote to memory of 2808	2308	cmd.exe	35
PID 2308 wrote to memory of 2808	2308	cmd.exe	35
PID 2308 wrote to memory of 2964	2308	cmd.exe	36
PID 2308 wrote to memory of 2964	2308	cmd.exe	36
PID 2308 wrote to memory of 2964	2308	cmd.exe	36
PID 2308 wrote to memory of 2704	2308	cmd.exe	37
PID 2308 wrote to memory of 2704	2308	cmd.exe	37
PID 2308 wrote to memory of 2704	2308	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cycle.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\findstr.exe
  findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  2⤵
  PID:2432
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\system32\findstr.exe
  findstr /I "wrsa.exe"
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  cmd /c mkdir 29004
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  cmd /c copy /b Manufacturing + Bm + Bosnia + Multi + Pressed 29004\Decision.pif
  2⤵
  PID:2808
- C:\Windows\system32\cmd.exe
  cmd /c copy /b Investment + Vice + High + Prefers + Beam + Infectious + Doc + Tires + Ottawa + Crime + Joseph + Warnings + Layer + Stationery + Interested + Bikes + Affecting + Lyrics + Pleasant + Loss 29004\q
  2⤵
  PID:2964
- C:\Windows\system32\PING.EXE
  ping -n 5 localhost
  2⤵
  - Runs ping.exe
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...