0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba | Triage

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 10:58

Sharing

Report Analysis Logs

General

Target

file.bat
Size

104B
MD5

f153d51505dbb3e9a190aae6a7269a72
SHA1

9d9c99e0142f200c00e8a4dcc65eeecfaa3cc17e
SHA256

19591e0a956e524775f97d628f897883e99a57cb845eab24a1be9a172bd6f458
SHA512

5c30328972573203cdfc65f9f435f7e720c7d45bc073f1971d706a112e780064416418e922b0078c78d4c5c0b798810667a5cf610bbe03472ee4e981eac08dfc

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1944	mgxitt.exe
Token: 35	1944	mgxitt.exe
Token: SeSecurityPrivilege	1944	mgxitt.exe
Token: SeSecurityPrivilege	1944	mgxitt.exe
Token: SeRestorePrivilege	3420	mgxitt.exe
Token: 35	3420	mgxitt.exe
Token: SeSecurityPrivilege	3420	mgxitt.exe
Token: SeSecurityPrivilege	3420	mgxitt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1944	8	cmd.exe	88
PID 8 wrote to memory of 1944	8	cmd.exe	88
PID 8 wrote to memory of 1944	8	cmd.exe	88
PID 8 wrote to memory of 3420	8	cmd.exe	91
PID 8 wrote to memory of 3420	8	cmd.exe	91
PID 8 wrote to memory of 3420	8	cmd.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\mgxitt.exe
  mgxitt.exe x oxsbaszf.dll -p123456789
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\mgxitt.exe
  mgxitt.exe x uwaufnjs.dat -p123456789
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads