ebc66fdfad2a4e8d3b8ce8b9dbcb40ca82928885ae97685dd8074e8999e216a5

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf50104-7e05-4b1f-a33b-d6d8c5d2101a.bat
Size

13.1MB
MD5

3292dac161225d334ba3e55877fc412c
SHA1

564dec805606eb10a573c04bc6531a2ba9fe266b
SHA256

ebc66fdfad2a4e8d3b8ce8b9dbcb40ca82928885ae97685dd8074e8999e216a5
SHA512

fd4dc05a9c139468976fe74e410bb835859b68b81a59e2ec03e6e654cc114900de2c35ea8fb4431cc05185cc19f96b27884f820f2bf1c64cd62145dc7197c726
SSDEEP

49152:FvayoykTV6h8b/YxQkr0W1d3Q1ycCxzF/ziQz72I3chVhCjjMO1CT+E9GQ0xFCXS:Zn

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2960	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: SeDebugPrivilege	2960	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2184	2284	cmd.exe	32
PID 2284 wrote to memory of 2184	2284	cmd.exe	32
PID 2284 wrote to memory of 2184	2284	cmd.exe	32
PID 2284 wrote to memory of 2064	2284	cmd.exe	33
PID 2284 wrote to memory of 2064	2284	cmd.exe	33
PID 2284 wrote to memory of 2064	2284	cmd.exe	33
PID 2064 wrote to memory of 2640	2064	powershell.exe	34
PID 2064 wrote to memory of 2640	2064	powershell.exe	34
PID 2064 wrote to memory of 2640	2064	powershell.exe	34
PID 2064 wrote to memory of 2960	2064	powershell.exe	36
PID 2064 wrote to memory of 2960	2064	powershell.exe	36
PID 2064 wrote to memory of 2960	2064	powershell.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\edf50104-7e05-4b1f-a33b-d6d8c5d2101a.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\edf50104-7e05-4b1f-a33b-d6d8c5d2101a.bat"
  2⤵
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdotVmjxRN.bat

Filesize
203B

MD5
1ceee92f00b9dfddd52d080937300332

SHA1
338ba92cf9b41fd73ce4de8bca7dbe585f9f3a05

SHA256
9f2b5020028cbf1f58090e4e73620d600b21128d8fe8aa04b8fc5111dc95d20d

SHA512
b87c6bf7ef1842da95ff6ab0d8cb67a241ed288f6ccf2fab4d850ba8c4fce21103ea1c625aa0845a80be29709852b898c7517de218119fa96318c5d946137203

Download Submit
memory/2064-15-0x000007FEF636E000-0x000007FEF636F000-memory.dmp

Filesize
4KB

Download
memory/2064-16-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2064-17-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2064-18-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-19-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-20-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download