Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-02-2024 19:56

General

  • Target

    Cycle.bat

  • Size

    14KB

  • MD5

    ca75591b2cc7af869565fccdb1cec346

  • SHA1

    5a35cdce61b5e0f6ab712c60d103bea21c9f3cab

  • SHA256

    ffc22cde800d6ec68f62945910cb8846e3b8fb03d1875b3e52500720bf1d733d

  • SHA512

    4cf4c85eaf7d1e1122ccabb9021545fd3e6a70770c3a468e7248abafac2ed4b352d09b8e899639df7a6e1f0a42f998b86b6b99bc413014614e616652a73a479e

  • SSDEEP

    192:Wq5XXeU9xuOMe7Bic8DPk9Z4qOaj9sqvWQ9IyB:Wq5+Uboqz8DPk9Z4qOaj9sqvWQ9T

Score
1/10

Malware Config

Signatures

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cycle.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4680
    • C:\Windows\system32\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2⤵
      PID:2636
    • C:\Windows\system32\findstr.exe
      findstr /I "wrsa.exe"
      2⤵
      PID:4140
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1908
    • C:\Windows\system32\cmd.exe
      cmd /c copy /b Investment + Vice + High + Prefers + Beam + Infectious + Doc + Tires + Ottawa + Crime + Joseph + Warnings + Layer + Stationery + Interested + Bikes + Affecting + Lyrics + Pleasant + Loss 29010\q
      2⤵
      PID:3452
    • C:\Windows\system32\cmd.exe
      cmd /c copy /b Manufacturing + Bm + Bosnia + Multi + Pressed 29010\Decision.pif
      2⤵
      PID:4744
    • C:\Windows\system32\cmd.exe
      cmd /c mkdir 29010
      2⤵
      PID:4740
    • C:\Windows\system32\PING.EXE
      ping -n 5 localhost
      2⤵
      • Runs ping.exe
      PID:4696

Network

MITRE ATT&CK Enterprise v15
