4363158e608f707a649909d8df602e383c6e921781850cb7af5d4a53271b3c84

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malzero/start.bat
Size

1KB
MD5

ebd649c1c4ac5438015b645f4635e75e
SHA1

a744a3d955ce5ce4645f41b09d0eeec0b0ce0b73
SHA256

baa690c9afef5f9c587f148ee31fe00d1a4ca450afbb7ab2f46943f51db9b3b4
SHA512

e8e50fa3348f72660ff36e98d7408a9f01c4632086dc7f0b09e90ebf7d47cbd9fd15b32ea1844ec1343f1e597f3697046b1a1b414e82732a750e4e01ccce70b4

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2192	2240	cmd.exe	29
PID 2240 wrote to memory of 2192	2240	cmd.exe	29
PID 2240 wrote to memory of 2192	2240	cmd.exe	29
PID 2240 wrote to memory of 1676	2240	cmd.exe	30
PID 2240 wrote to memory of 1676	2240	cmd.exe	30
PID 2240 wrote to memory of 1676	2240	cmd.exe	30
PID 2240 wrote to memory of 2204	2240	cmd.exe	31
PID 2240 wrote to memory of 2204	2240	cmd.exe	31
PID 2240 wrote to memory of 2204	2240	cmd.exe	31
PID 2240 wrote to memory of 2644	2240	cmd.exe	32
PID 2240 wrote to memory of 2644	2240	cmd.exe	32
PID 2240 wrote to memory of 2644	2240	cmd.exe	32
PID 2240 wrote to memory of 2660	2240	cmd.exe	34
PID 2240 wrote to memory of 2660	2240	cmd.exe	34
PID 2240 wrote to memory of 2660	2240	cmd.exe	34
PID 2240 wrote to memory of 2616	2240	cmd.exe	35
PID 2240 wrote to memory of 2616	2240	cmd.exe	35
PID 2240 wrote to memory of 2616	2240	cmd.exe	35
PID 2616 wrote to memory of 2588	2616	cmd.exe	36
PID 2616 wrote to memory of 2588	2616	cmd.exe	36
PID 2616 wrote to memory of 2588	2616	cmd.exe	36
PID 2240 wrote to memory of 2568	2240	cmd.exe	37
PID 2240 wrote to memory of 2568	2240	cmd.exe	37
PID 2240 wrote to memory of 2568	2240	cmd.exe	37
PID 2568 wrote to memory of 2592	2568	cmd.exe	39
PID 2568 wrote to memory of 2592	2568	cmd.exe	39
PID 2568 wrote to memory of 2592	2568	cmd.exe	39
PID 2568 wrote to memory of 2280	2568	cmd.exe	40
PID 2568 wrote to memory of 2280	2568	cmd.exe	40
PID 2568 wrote to memory of 2280	2568	cmd.exe	40
PID 2568 wrote to memory of 2560	2568	cmd.exe	41
PID 2568 wrote to memory of 2560	2568	cmd.exe	41
PID 2568 wrote to memory of 2560	2568	cmd.exe	41

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\malzero\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\reg.exe
  REG.EXE QUERY "HKCU\Console" -v QuickEdit
  2⤵
  PID:2192
- C:\Windows\System32\reg.exe
  REG.EXE IMPORT REPAIR\CMD_QUICKEDIT_DISABLE.REG
  2⤵
  PID:1676
- C:\Windows\System32\wbem\WMIC.exe
  WMIC.EXE OS GET CAPTION /VALUE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\find.exe
  FIND.EXE "Windows 11"
  2⤵
  PID:2644
- C:\Windows\System32\chcp.com
  CHCP.COM
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CHCP.COM 2>Nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\chcp.com
    CHCP.COM
    3⤵
    PID:2588
- C:\Windows\System32\cmd.exe
  CMD.EXE /D /C "#.BAT GLOBAL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\System32\mode.com
    MODE.COM CON COLS=98 LINES=30
    3⤵
    PID:2592
- - C:\Windows\System32\reg.exe
    REG.EXE IMPORT REPAIR\CMD_QUICKEDIT_ENABLE.REG
    3⤵
    PID:2280
- - C:\Windows\System32\chcp.com
    CHCP.COM 949
    3⤵
    PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CMDQUICKEDITDISABLE

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\malzero\variable\1198831629327211220413915151014280.v

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\malzero\variable\320124906243036712291262440018629.v

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads