7c72e3a931618febd9854c435c8c2c09df37b0ac820ee6088d8c1489cfc132ad

Analysis

max time kernel
4s
max time network
7s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22-07-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kdot.bat
Size

118KB
MD5

8ef6eb4668f637b7f439f45615da1504
SHA1

4177537b0b4074fe1f6d89dd85c2080579775b3b
SHA256

7c72e3a931618febd9854c435c8c2c09df37b0ac820ee6088d8c1489cfc132ad
SHA512

8acd0f44f6979f97f6b936160d57fde5192c60c84a31ba32c04dc72a18e7ddd2699dccae64d8f757395760c1f4a4b766c0126d5da8adb229b025acafa38d8b28
SSDEEP

3072:Ddvf7+ELFryyFVf24fBHDOMMIFIZTF0UBdCt21:RDLFmyFGMM3ZeaCK

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
4456	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe
Token: 36	1968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe
Token: 36	1968	WMIC.exe
Token: SeDebugPrivilege	4456	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 1976	4388	cmd.exe	83
PID 4388 wrote to memory of 1976	4388	cmd.exe	83
PID 4388 wrote to memory of 2576	4388	cmd.exe	84
PID 4388 wrote to memory of 2576	4388	cmd.exe	84
PID 2576 wrote to memory of 1968	2576	powershell.exe	85
PID 2576 wrote to memory of 1968	2576	powershell.exe	85
PID 2576 wrote to memory of 4456	2576	powershell.exe	88
PID 2576 wrote to memory of 4456	2576	powershell.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kdot.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\kdot.bat"
  2⤵
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnz2zcqc.b2b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotvlsGwc.bat

Filesize
171B

MD5
ea73046636ebe13d2f6217c13fecdfe8

SHA1
1f6afd22440e67db85a85856e39bac9aa014adaf

SHA256
e1c21052fa03d591fda24404722160f2f6d4565a73d9ba768bec2a0dad488e47

SHA512
2343afb832f4c7852934883f0ad63987027f5983c65a15aeec26c161ca8512352902c57e81b996299dfa4ab814412b442b3fb90597874002d557f2de78995325

Download Submit
memory/2576-11-0x00007FFC60823000-0x00007FFC60825000-memory.dmp

Filesize
8KB

Download
memory/2576-20-0x000001896F0A0000-0x000001896F0C2000-memory.dmp

Filesize
136KB

Download
memory/2576-21-0x00007FFC60820000-0x00007FFC612E2000-memory.dmp

Filesize
10.8MB

Download
memory/2576-22-0x00007FFC60820000-0x00007FFC612E2000-memory.dmp

Filesize
10.8MB

Download
memory/2576-23-0x00007FFC60820000-0x00007FFC612E2000-memory.dmp

Filesize
10.8MB

Download
memory/2576-26-0x00007FFC60820000-0x00007FFC612E2000-memory.dmp

Filesize
10.8MB

Download