be5db87da4405f5eca5a2f8ced83172b29eda1449036448c326d847ffc203eda

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 08:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Removal.bat
Size

117KB
MD5

1e885238e45f5effa2ba40c5ffb61d34
SHA1

b96cb9e3d57fb9546f115dce452c6ddc3b87385b
SHA256

be5db87da4405f5eca5a2f8ced83172b29eda1449036448c326d847ffc203eda
SHA512

4a6bf46888c11cad0ce63f030f37d6ef56734a21ea45b3f4c94d2da423833712d357220edef0041cf0f43eec22f6e40c457019aadc47b46b65dad4df792be1b8
SSDEEP

3072:j6/6wXzobYKrmoUXLtajmQpDoFY/ReqqksUnos/:jlwDpZoUXLtKQJQnos/

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2892	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2288	powershell.exe
2288	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeIncreaseQuotaPrivilege	4484	WMIC.exe
Token: SeSecurityPrivilege	4484	WMIC.exe
Token: SeTakeOwnershipPrivilege	4484	WMIC.exe
Token: SeLoadDriverPrivilege	4484	WMIC.exe
Token: SeSystemProfilePrivilege	4484	WMIC.exe
Token: SeSystemtimePrivilege	4484	WMIC.exe
Token: SeProfSingleProcessPrivilege	4484	WMIC.exe
Token: SeIncBasePriorityPrivilege	4484	WMIC.exe
Token: SeCreatePagefilePrivilege	4484	WMIC.exe
Token: SeBackupPrivilege	4484	WMIC.exe
Token: SeRestorePrivilege	4484	WMIC.exe
Token: SeShutdownPrivilege	4484	WMIC.exe
Token: SeDebugPrivilege	4484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4484	WMIC.exe
Token: SeRemoteShutdownPrivilege	4484	WMIC.exe
Token: SeUndockPrivilege	4484	WMIC.exe
Token: SeManageVolumePrivilege	4484	WMIC.exe
Token: 33	4484	WMIC.exe
Token: 34	4484	WMIC.exe
Token: 35	4484	WMIC.exe
Token: 36	4484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4484	WMIC.exe
Token: SeSecurityPrivilege	4484	WMIC.exe
Token: SeTakeOwnershipPrivilege	4484	WMIC.exe
Token: SeLoadDriverPrivilege	4484	WMIC.exe
Token: SeSystemProfilePrivilege	4484	WMIC.exe
Token: SeSystemtimePrivilege	4484	WMIC.exe
Token: SeProfSingleProcessPrivilege	4484	WMIC.exe
Token: SeIncBasePriorityPrivilege	4484	WMIC.exe
Token: SeCreatePagefilePrivilege	4484	WMIC.exe
Token: SeBackupPrivilege	4484	WMIC.exe
Token: SeRestorePrivilege	4484	WMIC.exe
Token: SeShutdownPrivilege	4484	WMIC.exe
Token: SeDebugPrivilege	4484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4484	WMIC.exe
Token: SeRemoteShutdownPrivilege	4484	WMIC.exe
Token: SeUndockPrivilege	4484	WMIC.exe
Token: SeManageVolumePrivilege	4484	WMIC.exe
Token: 33	4484	WMIC.exe
Token: 34	4484	WMIC.exe
Token: 35	4484	WMIC.exe
Token: 36	4484	WMIC.exe
Token: SeDebugPrivilege	2892	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4508	4520	cmd.exe	83
PID 4520 wrote to memory of 4508	4520	cmd.exe	83
PID 4520 wrote to memory of 2288	4520	cmd.exe	84
PID 4520 wrote to memory of 2288	4520	cmd.exe	84
PID 2288 wrote to memory of 4484	2288	powershell.exe	85
PID 2288 wrote to memory of 4484	2288	powershell.exe	85
PID 2288 wrote to memory of 2892	2288	powershell.exe	90
PID 2288 wrote to memory of 2892	2288	powershell.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Removal.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Removal.bat"
  2⤵
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sj4u3gom.dlj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotyAgDUf.bat

Filesize
174B

MD5
e3c61dd3070d446e5c9dcc84e5e202dc

SHA1
dbcc06580471bb7d5267351d92a8fd8054d3c0d1

SHA256
238256ffa04a07d28d83da3e2c4b804aa5323eac4cdef7962662586769f7f373

SHA512
716cd4ede60586ac4aeefeaab3f03601722982e8450a92e706f3ae3c63e67b3c8deb0c88e008805c226d54518e560bd537d330753bbdd8d7733d421cb354ca57

Download Submit
memory/2288-11-0x00007FFBF2473000-0x00007FFBF2475000-memory.dmp

Filesize
8KB

Download
memory/2288-21-0x00000245A2200000-0x00000245A2222000-memory.dmp

Filesize
136KB

Download
memory/2288-22-0x00007FFBF2470000-0x00007FFBF2F31000-memory.dmp

Filesize
10.8MB

Download
memory/2288-23-0x00007FFBF2470000-0x00007FFBF2F31000-memory.dmp

Filesize
10.8MB

Download
memory/2288-25-0x00007FFBF2470000-0x00007FFBF2F31000-memory.dmp

Filesize
10.8MB

Download