d0b75ec870db0d830c86d59baccfcefcad977a668a7c5ce85419b43ab9793004 | Triage

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:32

Sharing

Report Analysis Logs

General

Target

KF修复/KF修复.bat
Size

404B
MD5

6310042d8b04044d1cb6f662946d5f48
SHA1

96ec09c1d0a37f0b18464b5f52b5d1a26ff83a72
SHA256

96a995870d38b69aefb448111362048afce7a2cf8b980355d406aeaf8638c1f7
SHA512

31f95c6548a8b9aaa27844e8768625ceaabf010eae9bc01871114f69a636bb804f82ca4bd3a3e2d083626da70baff12162eb7cd14243c97d037a8008bd41f263

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

Processes:

adb.exeadb.exeadb.exeadb.exe

pid process

2248 adb.exe
2364 adb.exe
1136 adb.exe
2908 adb.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 2248	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2248	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2248	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2248	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2364	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2364	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2364	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2364	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 1136	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 1136	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 1136	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 1136	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2908	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2908	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2908	2180	cmd.exe	adb.exe
PID 2180 wrote to memory of 2908	2180	cmd.exe	adb.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KF修复\KF修复.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\KF修复\adb.exe
adb shell rm /data/local/tmp/*
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2248

C:\Users\Admin\AppData\Local\Temp\KF修复\adb.exe
adb push zergRush /data/local/tmp
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2364

C:\Users\Admin\AppData\Local\Temp\KF修复\adb.exe
adb shell chmod 755 /data/local/tmp/zergRush
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1136

C:\Users\Admin\AppData\Local\Temp\KF修复\adb.exe
adb shell ./data/local/tmp/zergRush
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...