020739fc9fd8f32ce7b765f91c563de03c2845b6d4508de555d55c57e5d5b2fa

Analysis

max time kernel
5s
max time network
6s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

اخترق.bat
Size

365B
MD5

b040cab88769e8ce9e3601df5f98ad85
SHA1

43a4fb53d5305d628c267dd8e89ec802e7af5ff0
SHA256

020739fc9fd8f32ce7b765f91c563de03c2845b6d4508de555d55c57e5d5b2fa
SHA512

c312c21d50bbcde39426302f6fabc8d429953d226bf6bce4b8ddc3d65e4afe9e33b5a507ed237a0a190093a10e24addaf3e502610c8a57de3e74f6f862e58946

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1324	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	shutdown.exe
Token: SeRemoteShutdownPrivilege	2656	shutdown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1324	1984	cmd.exe	32
PID 1984 wrote to memory of 1324	1984	cmd.exe	32
PID 1984 wrote to memory of 1324	1984	cmd.exe	32
PID 1984 wrote to memory of 2656	1984	cmd.exe	34
PID 1984 wrote to memory of 2656	1984	cmd.exe	34
PID 1984 wrote to memory of 2656	1984	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\اخترق.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - Runs ping.exe
  PID:1324
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2820

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-2-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/3060-3-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download