Overview

overview

9

Static

static

3

Cleaner1 R...IN.bat

windows7-x64

8

Cleaner1 R...IN.bat

windows10-2004-x64

8

Cleaner2.bat

windows7-x64

7

Cleaner2.bat

windows10-2004-x64

1

Cleaner3.bat

windows7-x64

1

Cleaner3.bat

windows10-2004-x64

1

Cleaner4.bat

windows7-x64

8

Cleaner4.bat

windows10-2004-x64

8

Cleaner5.bat

windows7-x64

7

Cleaner5.bat

windows10-2004-x64

5

Cleaner6.bat

windows7-x64

7

Cleaner6.bat

windows10-2004-x64

7

Cleaner7.bat

windows7-x64

8

Cleaner7.bat

windows10-2004-x64

8

MAC.cmd

windows7-x64

1

MAC.cmd

windows10-2004-x64

1

PH Spoofer.exe

windows7-x64

9

PH Spoofer.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    25s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MAC.cmd

  • Size

    2KB

  • MD5

    9bb3424ce0882c73682a407477af163e

  • SHA1

    c50786f19c4301d186db5fc1b56b8824013f1207

  • SHA256

    9c1cc4852d290f352f4ba6c6eca68a4ffb1fc19a514fbbda644855a7f23c0c61

  • SHA512

    f530673e63f10f684416624f53aeeda6430a552d2d32b776f026e42f34e28b7f9f19bc6c61298dfaf0b5e1c104ad681433997646a277f889c9af2df9cec601ce

Score
1/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\MAC.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\system32\mode.com
      mode con: cols=60 lines=8
      2⤵
        PID:1048
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2580
        • C:\Windows\system32\findstr.exe
          findstr [0-9]
          3⤵
            PID:2568
        • C:\Windows\system32\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\07
          2⤵
            PID:2696
          • C:\Windows\system32\reg.exe
            REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\007
            2⤵
              PID:2684
            • C:\Windows\system32\reg.exe
              REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007
              2⤵
                PID:2448
              • C:\Windows\system32\reg.exe
                REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v NetworkAddress /t REG_SZ /d 96AB9D6017BD /f
                2⤵
                  PID:2660
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic nic where physicaladapter=true get deviceid
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2556
                  • C:\Windows\system32\findstr.exe
                    findstr [0-9]
                    3⤵
                      PID:2692
                  • C:\Windows\system32\reg.exe
                    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\07
                    2⤵
                      PID:1936
                    • C:\Windows\system32\reg.exe
                      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\007
                      2⤵
                        PID:2680
                      • C:\Windows\system32\reg.exe
                        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007
                        2⤵
                          PID:2612
                        • C:\Windows\system32\reg.exe
                          REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v PnPCapabilities /t REG_DWORD /d 24 /f
                          2⤵
                            PID:2608
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2488
                            • C:\Windows\System32\Wbem\WMIC.exe
                              wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
                              3⤵
                                PID:2552
                            • C:\Windows\system32\netsh.exe
                              netsh interface set interface name="Local Area Connection" disable
                              2⤵
                                PID:1948

                            Network

                            MITRE ATT&CK Matrix

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads