2cb0e019a442b66ef726131e30c7d061edc6f8dd173fd4ef78755ffb0bd64b18

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Killbat.bat
Size

1KB
MD5

fcda81e8fd70aecbaf9e3aab9858a136
SHA1

277f7be429baea2cde041965c6e5b4287340ad89
SHA256

2cb0e019a442b66ef726131e30c7d061edc6f8dd173fd4ef78755ffb0bd64b18
SHA512

1958be2541dfa5e4796a27b9a2c6bd8b132c251577463962836f2d343b3757d24e4d8407c3c61c07f3ddcbc058612adb1146763cdc942974090b3b9fb3a47a83

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
2684	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2816	2480	cmd.exe	31
PID 2480 wrote to memory of 2816	2480	cmd.exe	31
PID 2480 wrote to memory of 2816	2480	cmd.exe	31
PID 2480 wrote to memory of 2684	2480	cmd.exe	32
PID 2480 wrote to memory of 2684	2480	cmd.exe	32
PID 2480 wrote to memory of 2684	2480	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Killbat.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Add-Type -AssemblyName System.Windows.Forms; $result = [System.Windows.Forms.MessageBox]::Show('This script will display a fake blue screen of death. Do you want to continue?', 'Confirmation', [System.Windows.Forms.MessageBoxButtons]::YesNo, [System.Windows.Forms.MessageBoxIcon]::Warning); if ($result -eq [System.Windows.Forms.DialogResult]::No) { exit }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$form = New-Object System.Windows.Forms.Form; $form.Text = 'STOP: C000021A {Fatal System Error}'; $form.BackColor = 'Blue'; $form.FormBorderStyle = 'None'; $form.WindowState = 'Maximized'; $form.TopMost = $true; $label = New-Object System.Windows.Forms.Label; $label.Text = 'The Windows Logon Process system process terminated unexpectedly with a status of 0xC000021A (0x00000000 0x00000000). The system has been shut down.'; $label.ForeColor = 'White'; $label.AutoSize = $true; $label.Top = 50; $label.Left = 50; $form.Controls.Add($label); $form.ShowDialog()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dbf73c22701c306c5941231179e182ef

SHA1
4fed9d8538d1dd25c1fdf049d5e580474f816e50

SHA256
321d7c86ef4099372920266efb9aa6b5f035a24ed38eac1793a25b63135072e2

SHA512
fa2ae77496a98216e6e557b4a4378e78500fd1b4e446d4cce73170ffb8e6d7ec855851e04763efd7319b7a787382b4cc777ec820a807245c4e280c81b40c1786

Download Submit
memory/2684-15-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-16-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2816-4-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/2816-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-6-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2816-7-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-8-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-9-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download