600989d3a37ca947b061723663e034cc8180bc17379093875e9af76c804ea205

Analysis

max time kernel
6s
max time network
7s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

اخترقV2.bat
Size

305B
MD5

e00b5b8cee3793e1f8ebc839d1c78ded
SHA1

e8d66c0a6f37dd91267f8c62194e3808a89c69b7
SHA256

600989d3a37ca947b061723663e034cc8180bc17379093875e9af76c804ea205
SHA512

1edc1984e4562347a704b1230c384c50cbe5668ade164868004d6030dce84f49cffa09dc04a33806da4ed7778e34e3e89a191aaa7f83002fbec7debb3c7914cf

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1028	PING.EXE

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	2848	7z.exe
Token: 35	2848	7z.exe
Token: SeRestorePrivilege	2784	7z.exe
Token: 35	2784	7z.exe
Token: SeRestorePrivilege	2440	7z.exe
Token: 35	2440	7z.exe
Token: SeRestorePrivilege	2716	7z.exe
Token: 35	2716	7z.exe
Token: SeRestorePrivilege	2752	7z.exe
Token: 35	2752	7z.exe
Token: SeRestorePrivilege	2880	7z.exe
Token: 35	2880	7z.exe
Token: SeRestorePrivilege	2616	7z.exe
Token: 35	2616	7z.exe
Token: SeRestorePrivilege	2908	7z.exe
Token: 35	2908	7z.exe
Token: SeRestorePrivilege	2832	7z.exe
Token: 35	2832	7z.exe
Token: SeRestorePrivilege	2728	7z.exe
Token: 35	2728	7z.exe
Token: SeRestorePrivilege	2636	7z.exe
Token: 35	2636	7z.exe
Token: SeRestorePrivilege	2860	7z.exe
Token: 35	2860	7z.exe
Token: SeRestorePrivilege	2764	7z.exe
Token: 35	2764	7z.exe
Token: SeRestorePrivilege	2584	7z.exe
Token: 35	2584	7z.exe
Token: SeRestorePrivilege	2608	7z.exe
Token: 35	2608	7z.exe
Token: SeRestorePrivilege	2640	7z.exe
Token: 35	2640	7z.exe
Token: SeRestorePrivilege	2660	7z.exe
Token: 35	2660	7z.exe
Token: SeRestorePrivilege	2760	7z.exe
Token: 35	2760	7z.exe
Token: SeRestorePrivilege	2044	7z.exe
Token: 35	2044	7z.exe
Token: SeRestorePrivilege	2244	7z.exe
Token: 35	2244	7z.exe
Token: SeRestorePrivilege	2128	7z.exe
Token: 35	2128	7z.exe
Token: SeRestorePrivilege	1192	7z.exe
Token: 35	1192	7z.exe
Token: SeRestorePrivilege	768	7z.exe
Token: 35	768	7z.exe
Token: SeRestorePrivilege	776	7z.exe
Token: 35	776	7z.exe
Token: SeShutdownPrivilege	2572	shutdown.exe
Token: SeRemoteShutdownPrivilege	2572	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2848	2056	cmd.exe	31
PID 2056 wrote to memory of 2848	2056	cmd.exe	31
PID 2056 wrote to memory of 2848	2056	cmd.exe	31
PID 2056 wrote to memory of 2784	2056	cmd.exe	32
PID 2056 wrote to memory of 2784	2056	cmd.exe	32
PID 2056 wrote to memory of 2784	2056	cmd.exe	32
PID 2056 wrote to memory of 2440	2056	cmd.exe	33
PID 2056 wrote to memory of 2440	2056	cmd.exe	33
PID 2056 wrote to memory of 2440	2056	cmd.exe	33
PID 2056 wrote to memory of 2716	2056	cmd.exe	34
PID 2056 wrote to memory of 2716	2056	cmd.exe	34
PID 2056 wrote to memory of 2716	2056	cmd.exe	34
PID 2056 wrote to memory of 2752	2056	cmd.exe	35
PID 2056 wrote to memory of 2752	2056	cmd.exe	35
PID 2056 wrote to memory of 2752	2056	cmd.exe	35
PID 2056 wrote to memory of 2880	2056	cmd.exe	36
PID 2056 wrote to memory of 2880	2056	cmd.exe	36
PID 2056 wrote to memory of 2880	2056	cmd.exe	36
PID 2056 wrote to memory of 2616	2056	cmd.exe	37
PID 2056 wrote to memory of 2616	2056	cmd.exe	37
PID 2056 wrote to memory of 2616	2056	cmd.exe	37
PID 2056 wrote to memory of 2908	2056	cmd.exe	38
PID 2056 wrote to memory of 2908	2056	cmd.exe	38
PID 2056 wrote to memory of 2908	2056	cmd.exe	38
PID 2056 wrote to memory of 2832	2056	cmd.exe	39
PID 2056 wrote to memory of 2832	2056	cmd.exe	39
PID 2056 wrote to memory of 2832	2056	cmd.exe	39
PID 2056 wrote to memory of 2728	2056	cmd.exe	40
PID 2056 wrote to memory of 2728	2056	cmd.exe	40
PID 2056 wrote to memory of 2728	2056	cmd.exe	40
PID 2056 wrote to memory of 2636	2056	cmd.exe	41
PID 2056 wrote to memory of 2636	2056	cmd.exe	41
PID 2056 wrote to memory of 2636	2056	cmd.exe	41
PID 2056 wrote to memory of 2860	2056	cmd.exe	42
PID 2056 wrote to memory of 2860	2056	cmd.exe	42
PID 2056 wrote to memory of 2860	2056	cmd.exe	42
PID 2056 wrote to memory of 2764	2056	cmd.exe	43
PID 2056 wrote to memory of 2764	2056	cmd.exe	43
PID 2056 wrote to memory of 2764	2056	cmd.exe	43
PID 2056 wrote to memory of 2584	2056	cmd.exe	44
PID 2056 wrote to memory of 2584	2056	cmd.exe	44
PID 2056 wrote to memory of 2584	2056	cmd.exe	44
PID 2056 wrote to memory of 2608	2056	cmd.exe	45
PID 2056 wrote to memory of 2608	2056	cmd.exe	45
PID 2056 wrote to memory of 2608	2056	cmd.exe	45
PID 2056 wrote to memory of 2640	2056	cmd.exe	46
PID 2056 wrote to memory of 2640	2056	cmd.exe	46
PID 2056 wrote to memory of 2640	2056	cmd.exe	46
PID 2056 wrote to memory of 2660	2056	cmd.exe	47
PID 2056 wrote to memory of 2660	2056	cmd.exe	47
PID 2056 wrote to memory of 2660	2056	cmd.exe	47
PID 2056 wrote to memory of 2760	2056	cmd.exe	48
PID 2056 wrote to memory of 2760	2056	cmd.exe	48
PID 2056 wrote to memory of 2760	2056	cmd.exe	48
PID 2056 wrote to memory of 2044	2056	cmd.exe	49
PID 2056 wrote to memory of 2044	2056	cmd.exe	49
PID 2056 wrote to memory of 2044	2056	cmd.exe	49
PID 2056 wrote to memory of 2244	2056	cmd.exe	50
PID 2056 wrote to memory of 2244	2056	cmd.exe	50
PID 2056 wrote to memory of 2244	2056	cmd.exe	50
PID 2056 wrote to memory of 2128	2056	cmd.exe	51
PID 2056 wrote to memory of 2128	2056	cmd.exe	51
PID 2056 wrote to memory of 2128	2056	cmd.exe	51
PID 2056 wrote to memory of 1192	2056	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\اخترقV2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "DenyStop.ps1" "DenyStop.TS"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "EnableConvertTo.ps1" "EnableConvertTo.m3u"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "FormatTrace.ps1" "FormatTrace.ttf"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "GetMove.ps1" "GetMove.bmp"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "GetSet.ps1" "GetSet.easmx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "ImportCompare.ps1" "ImportCompare.xls"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "InstallHide.ps1" "InstallHide.htm"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "InstallUndo.ps1" "InstallUndo.wmx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "InvokeClear.ps1" "InvokeClear.temp"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "MountInitialize.ps1" "MountInitialize.contact"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "ProtectSuspend.ps1" "ProtectSuspend.mhtml"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "RegisterRestart.ps1" "RegisterRestart.vbs"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "RestartSync.ps1" "RestartSync.vdw"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "SendBackup.ps1" "SendBackup.xlsx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "SetPush.ps1" "SetPush.vssx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "SplitDeny.ps1" "SplitDeny.wma"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "StepStart.ps1" "StepStart.docx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "SyncLimit.ps1" "SyncLimit.ppsx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "UnblockRename.ps1" "UnblockRename.vsd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "UndoOut.ps1" "UndoOut.tif"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "UndoRemove.ps1" "UndoRemove.docx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "UnpublishReceive.ps1" "UnpublishReceive.sys"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "UnpublishUninstall.ps1" "UnpublishUninstall.ps1"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" to -tzip "WriteHide.ps1" "WriteHide.xps"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - Runs ping.exe
  PID:1028
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads