Analysis Overview
SHA256
95b41051910dea604a28a991b14f321d51706f22630fb555462b6720a9668c81
Threat Level: Known bad
The file eeede.bat was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-02 21:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 21:39
Reported
2024-06-02 21:41
Platform
win11-20240508-en
Max time kernel
90s
Max time network
95s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4416 wrote to memory of 2996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4416 wrote to memory of 2996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4416 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe |
| PID 4416 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe |
| PID 4416 wrote to memory of 4628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\x.exe |
| PID 4416 wrote to memory of 4628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\x.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eeede.bat"
C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\eeede.bat"
C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\x
| Hash | Value |
|---|---|
| MD5 | bdbe219a1e044dc99355557ce75a95da |
| SHA1 | 8caa44b9e4751ff3c9b8da6ed49e5c4297b274ef |
| SHA256 | 677010b404d33ec90e208c02b3a4bb08e1a179e941450daa40450d7ccca29ee1 |
| SHA512 | 9cffa62844215cd848d4f423417da1da9b3a37cefb8d30a4180815ed6ceb0478cd195370b95b19ebeff42126809f9ddf9b11a747fd1e8b078e85d9a8d86b72db |
C:\Users\Admin\AppData\Local\Temp\x.vbs
| Hash | Value |
|---|---|
| MD5 | ec9a2fb69a379d913a4e0a953cd3b97c |
| SHA1 | a0303ed9f787c042071a1286bba43a5bbdd0679e |
| SHA256 | cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b |
| SHA512 | fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6 |
C:\Users\Admin\AppData\Local\Temp\x
| Hash | Value |
|---|---|
| MD5 | c7570834131ffa4c1f8df8d328462d87 |
| SHA1 | 60075abcfce0ab3164ba880da43029b71a70df3f |
| SHA256 | ee318691037bf98979be096b96db114ad4bc6f1a391898b2944232b825e5805b |
| SHA512 | eb3a0ab57ee21a1cf335d2bc35f08f1d8f3adaae9d1051eda63dd89b6498afd5e0c23af823e76c3aa5eda72fb2bf002359feb49651ada03a189e4fd93e71d9bd |
C:\Users\Admin\AppData\Local\Temp\x.exe
| Hash | Value |
|---|---|
| MD5 | 5b14dedfd50e82d4a2e0a9e67b45f8ce |
| SHA1 | 5cc49f558d35cdafe40697d3021420594479ccf6 |
| SHA256 | b0b54e3ddaac2542f54ac9748ff99b5624460fd0164ed24766232d8d2afe3d24 |
| SHA512 | c1d16260ccb6bb45447b5c06a1487babfaa58f19f9d72439a5a04b3227083961d69bd4cf35c058f4a28682aac8e53a67238032c470101f51f76a3b39a63b2d7a |
memory/4628-2192-0x00007FFD4C033000-0x00007FFD4C035000-memory.dmp
memory/4628-2193-0x00000000004C0000-0x00000000004E2000-memory.dmp
memory/4628-2195-0x00007FFD4C030000-0x00007FFD4CAF2000-memory.dmp
memory/4628-2196-0x00007FFD4C030000-0x00007FFD4CAF2000-memory.dmp