4b06a322f773fecc76acfed68351ec156981293c3a33e68cb0417391789ef768

Analysis

max time kernel
60s
max time network
16s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rat1.bat
Size

557B
MD5

481d06db1eb5bcfb9c42ac2f3a0fd608
SHA1

eff3383e917012c6c6bbab543bf09a73b49c27a5
SHA256

4b06a322f773fecc76acfed68351ec156981293c3a33e68cb0417391789ef768
SHA512

74455c8a0b0ca7d8a6907e9c1caccd3d750f83461dd19dbc5751701e42fdefbb3ec97c5b058604ad388565ae6267680886e7babc1f9afa24e487fdf174ea9fc0

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2712	timeout.exe
2232	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1620	ipconfig.exe
2468	ipconfig.exe

Runs net.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2228	2860	cmd.exe	29
PID 2860 wrote to memory of 2228	2860	cmd.exe	29
PID 2860 wrote to memory of 2228	2860	cmd.exe	29
PID 2228 wrote to memory of 2784	2228	cmd.exe	30
PID 2228 wrote to memory of 2784	2228	cmd.exe	30
PID 2228 wrote to memory of 2784	2228	cmd.exe	30
PID 2784 wrote to memory of 2584	2784	net.exe	31
PID 2784 wrote to memory of 2584	2784	net.exe	31
PID 2784 wrote to memory of 2584	2784	net.exe	31
PID 2860 wrote to memory of 1988	2860	cmd.exe	32
PID 2860 wrote to memory of 1988	2860	cmd.exe	32
PID 2860 wrote to memory of 1988	2860	cmd.exe	32
PID 1988 wrote to memory of 1620	1988	cmd.exe	33
PID 1988 wrote to memory of 1620	1988	cmd.exe	33
PID 1988 wrote to memory of 1620	1988	cmd.exe	33
PID 2860 wrote to memory of 2712	2860	cmd.exe	34
PID 2860 wrote to memory of 2712	2860	cmd.exe	34
PID 2860 wrote to memory of 2712	2860	cmd.exe	34
PID 2860 wrote to memory of 2704	2860	cmd.exe	37
PID 2860 wrote to memory of 2704	2860	cmd.exe	37
PID 2860 wrote to memory of 2704	2860	cmd.exe	37
PID 2704 wrote to memory of 2440	2704	cmd.exe	38
PID 2704 wrote to memory of 2440	2704	cmd.exe	38
PID 2704 wrote to memory of 2440	2704	cmd.exe	38
PID 2440 wrote to memory of 2504	2440	net.exe	39
PID 2440 wrote to memory of 2504	2440	net.exe	39
PID 2440 wrote to memory of 2504	2440	net.exe	39
PID 2860 wrote to memory of 2456	2860	cmd.exe	40
PID 2860 wrote to memory of 2456	2860	cmd.exe	40
PID 2860 wrote to memory of 2456	2860	cmd.exe	40
PID 2456 wrote to memory of 2468	2456	cmd.exe	41
PID 2456 wrote to memory of 2468	2456	cmd.exe	41
PID 2456 wrote to memory of 2468	2456	cmd.exe	41
PID 2860 wrote to memory of 2232	2860	cmd.exe	42
PID 2860 wrote to memory of 2232	2860	cmd.exe	42
PID 2860 wrote to memory of 2232	2860	cmd.exe	42

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\rat1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1620
- C:\Windows\system32\timeout.exe
  timeout /t 60
  2⤵
  - Delays execution with timeout.exe
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2468
- C:\Windows\system32\timeout.exe
  timeout /t 60
  2⤵
  - Delays execution with timeout.exe
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads