e92d9cf98abe2f1821e4c426d493fe3378661520e6f961e734258338fc5921d4 | Triage

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 19:50

Sharing

Report Analysis Logs

General

Target

notbad.bat
Size

27B
MD5

c729d940eb78e927afcba4046543d8f8
SHA1

3522981616693e8b12ca21a51f07b98a5008a075
SHA256

e92d9cf98abe2f1821e4c426d493fe3378661520e6f961e734258338fc5921d4
SHA512

8aa7d80e1216d0f82a4056f2cf152ec96a74c04e9e6b903dc9614a7a45e1bf2f150db0028b5bc285b0b4222b179c120b08a87d57e9accbed360d8a9cf4e2d642

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

pid	Process
1320	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1320	2156	cmd.exe	29
PID 2156 wrote to memory of 1320	2156	cmd.exe	29
PID 2156 wrote to memory of 1320	2156	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\notbad.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\taskkill.exe
  taskkill /f /im svchost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads