Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
02-02-2024 19:56
Static task
static1
Behavioral task
behavioral1
Sample
Cycle.bat
Resource
win7-20231215-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
Cycle.bat
Resource
win10v2004-20231222-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
Cycle.bat
-
Size
14KB
-
MD5
ca75591b2cc7af869565fccdb1cec346
-
SHA1
5a35cdce61b5e0f6ab712c60d103bea21c9f3cab
-
SHA256
ffc22cde800d6ec68f62945910cb8846e3b8fb03d1875b3e52500720bf1d733d
-
SHA512
4cf4c85eaf7d1e1122ccabb9021545fd3e6a70770c3a468e7248abafac2ed4b352d09b8e899639df7a6e1f0a42f998b86b6b99bc413014614e616652a73a479e
-
SSDEEP
192:Wq5XXeU9xuOMe7Bic8DPk9Z4qOaj9sqvWQ9IyB:Wq5+Uboqz8DPk9Z4qOaj9sqvWQ9T
Score
1/10
Malware Config
Signatures
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1908 tasklist.exe 4680 tasklist.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4696 PING.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4680 tasklist.exe Token: SeDebugPrivilege 1908 tasklist.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4736 wrote to memory of 4680 4736 cmd.exe 89 PID 4736 wrote to memory of 4680 4736 cmd.exe 89 PID 4736 wrote to memory of 2636 4736 cmd.exe 90 PID 4736 wrote to memory of 2636 4736 cmd.exe 90 PID 4736 wrote to memory of 1908 4736 cmd.exe 93 PID 4736 wrote to memory of 1908 4736 cmd.exe 93 PID 4736 wrote to memory of 4140 4736 cmd.exe 92 PID 4736 wrote to memory of 4140 4736 cmd.exe 92 PID 4736 wrote to memory of 4740 4736 cmd.exe 96 PID 4736 wrote to memory of 4740 4736 cmd.exe 96 PID 4736 wrote to memory of 4744 4736 cmd.exe 95 PID 4736 wrote to memory of 4744 4736 cmd.exe 95 PID 4736 wrote to memory of 3452 4736 cmd.exe 94 PID 4736 wrote to memory of 3452 4736 cmd.exe 94 PID 4736 wrote to memory of 4696 4736 cmd.exe 102 PID 4736 wrote to memory of 4696 4736 cmd.exe 102
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cycle.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
C:\Windows\system32\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"2⤵PID:2636
-
-
C:\Windows\system32\findstr.exefindstr /I "wrsa.exe"2⤵PID:4140
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
-
C:\Windows\system32\cmd.execmd /c copy /b Investment + Vice + High + Prefers + Beam + Infectious + Doc + Tires + Ottawa + Crime + Joseph + Warnings + Layer + Stationery + Interested + Bikes + Affecting + Lyrics + Pleasant + Loss 29010\q2⤵PID:3452
-
-
C:\Windows\system32\cmd.execmd /c copy /b Manufacturing + Bm + Bosnia + Multi + Pressed 29010\Decision.pif2⤵PID:4744
-
-
C:\Windows\system32\cmd.execmd /c mkdir 290102⤵PID:4740
-
-
C:\Windows\system32\PING.EXEping -n 5 localhost2⤵
- Runs ping.exe
PID:4696
-