Overview

overview

1

Static

static

1

test_obf.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    139s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/05/2024, 14:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    test_obf.bat

  • Size

    3.5MB

  • MD5

    c98e84fa96b63345d01725af0def6e37

  • SHA1

    e86262d1d97e6fee6c9e8c88e6dd38aa9f75c568

  • SHA256

    056f799bf0f70f951c87b37f9a293679da031f818248d44afb865a54aece5b65

  • SHA512

    fd759c0292d39835f2a8c42756c87afadb96623c1316de625718f16be51d62598bff7f5df47167a980b086f147927f9414627d2d3094d40369bac0814d886714

  • SSDEEP

    3072:5fJFjqjHzATGQpcfx0fFnxkqYOX5kKRTr4lPtMAseOaXZeGdZBm8b2/S:tre4TGccfCfBxkhokK9r4lFMeRZfJb2q

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
      2⤵
        PID:1188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4516
      • C:\Windows\system32\findstr.exe
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
        2⤵
          PID:1256
        • C:\Windows\system32\findstr.exe
          findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
          2⤵
            PID:1232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3256
          • C:\Windows\system32\findstr.exe
            findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
            2⤵
              PID:2004
            • C:\Windows\system32\findstr.exe
              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
              2⤵
                PID:1068
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\test_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:988
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\test_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3860
              • C:\Windows\system32\findstr.exe
                findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\test_obf.bat"
                2⤵
                  PID:3828
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  2⤵
                    PID:472
                  • C:\Windows\system32\wscript.exe
                    wscript /b
                    2⤵
                      PID:4904
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\test_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2584
                    • C:\Windows\system32\doskey.exe
                      doskey PROMPT=SC
                      2⤵
                        PID:3864
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1508

                    Network

                          MITRE ATT&CK Matrix

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            2KB

                            MD5

                            6cf293cb4d80be23433eecf74ddb5503

                            SHA1

                            24fe4752df102c2ef492954d6b046cb5512ad408

                            SHA256

                            b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                            SHA512

                            0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            8857491a4a65a9a1d560c4705786a312

                            SHA1

                            4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

                            SHA256

                            b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

                            SHA512

                            d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            1542328a8546914b4e2f1aef9cb42bea

                            SHA1

                            7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

                            SHA256

                            7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

                            SHA512

                            b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            64B

                            MD5

                            3ca1082427d7b2cd417d7c0b7fd95e4e

                            SHA1

                            b0482ff5b58ffff4f5242d77330b064190f269d3

                            SHA256

                            31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

                            SHA512

                            bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            64B

                            MD5

                            446dd1cf97eaba21cf14d03aebc79f27

                            SHA1

                            36e4cc7367e0c7b40f4a8ace272941ea46373799

                            SHA256

                            a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                            SHA512

                            a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwgjwunf.3gf.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\kdotMejSy.bat
                            Filesize

                            13B

                            MD5

                            337065424ed27284c55b80741f912713

                            SHA1

                            0e99e1b388ae66a51a8ffeee3448c3509a694db8

                            SHA256

                            4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

                            SHA512

                            d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\kdotdIhkPC.bat
                            Filesize

                            175B

                            MD5

                            10ee3728230a5330241a98e4d05d4502

                            SHA1

                            95cb67ec1ec4b2008aa749c5cb9f81558095b8e7

                            SHA256

                            d754f77234c40da62ec171aa4828a90ecf027a77c2d76d9b68503afd6ac43501

                            SHA512

                            c314c9def17c95ab2f8740e879f953a4bcc8e61c0390638c62272d1ca73fac61b358c0f76ed3f29f38e4f8e5690a5481851d2a82a12f7d5b960556d67566e8ec

                            Download Submit

                          • memory/1508-142-0x0000020035C60000-0x0000020035C84000-memory.dmp

                            Filesize

                            144KB

                            Download

                          • memory/1508-141-0x0000020035C60000-0x0000020035C8A000-memory.dmp

                            Filesize

                            168KB

                            Download

                          • memory/3256-64-0x00007FFCA41A0000-0x00007FFCA4C61000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3256-50-0x00007FFCA41A0000-0x00007FFCA4C61000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3256-51-0x000001887BF60000-0x000001887BF70000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3256-52-0x000001887BF60000-0x000001887BF70000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4516-26-0x00007FFCA4020000-0x00007FFCA4AE1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4516-21-0x00007FFCA4020000-0x00007FFCA4AE1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4516-22-0x000001CD760C0000-0x000001CD760D0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4516-23-0x000001CD760C0000-0x000001CD760D0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4516-11-0x000001CD782B0000-0x000001CD782D2000-memory.dmp

                            Filesize

                            136KB

                            Download