66818a703573af9563ac15d67e0c57232a804566196df0026a03cf0099ce272b

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unban/6/!!!!RUNME!!!!!.bat
Size

1KB
MD5

00b6a59dc198b9f77efcd6047199b160
SHA1

412c430f6f29662ee4007957121b2969278656d5
SHA256

b46e4abc5260772f66cc9f53169bf37ea34cb85eea2681cf79bb6b9d69b17506
SHA512

7d79aa95f65b0a2147a74bc75b3dc770b3f413ea5700a858fa16ea4553d6cb98c2cdcd855745c14d21dea94b5a085ed02395d48a78e4c415ae849d764552bf3c

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4524	sc.exe
4404	sc.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4268	timeout.exe
1800	timeout.exe

Runs net.exe

Suspicious behavior: LoadsDriver 27 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	228	svchost.exe
Token: SeIncreaseQuotaPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeTakeOwnershipPrivilege	228	svchost.exe
Token: SeLoadDriverPrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeShutdownPrivilege	228	svchost.exe
Token: SeSystemEnvironmentPrivilege	228	svchost.exe
Token: SeManageVolumePrivilege	228	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	228	svchost.exe
Token: SeIncreaseQuotaPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeTakeOwnershipPrivilege	228	svchost.exe
Token: SeLoadDriverPrivilege	228	svchost.exe
Token: SeSystemtimePrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeShutdownPrivilege	228	svchost.exe
Token: SeSystemEnvironmentPrivilege	228	svchost.exe
Token: SeUndockPrivilege	228	svchost.exe
Token: SeManageVolumePrivilege	228	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	228	svchost.exe
Token: SeIncreaseQuotaPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeTakeOwnershipPrivilege	228	svchost.exe
Token: SeLoadDriverPrivilege	228	svchost.exe
Token: SeSystemtimePrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeShutdownPrivilege	228	svchost.exe
Token: SeSystemEnvironmentPrivilege	228	svchost.exe
Token: SeUndockPrivilege	228	svchost.exe
Token: SeManageVolumePrivilege	228	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	228	svchost.exe
Token: SeIncreaseQuotaPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeTakeOwnershipPrivilege	228	svchost.exe
Token: SeLoadDriverPrivilege	228	svchost.exe
Token: SeSystemtimePrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeShutdownPrivilege	228	svchost.exe
Token: SeSystemEnvironmentPrivilege	228	svchost.exe
Token: SeUndockPrivilege	228	svchost.exe
Token: SeManageVolumePrivilege	228	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	228	svchost.exe
Token: SeIncreaseQuotaPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeTakeOwnershipPrivilege	228	svchost.exe
Token: SeLoadDriverPrivilege	228	svchost.exe
Token: SeSystemtimePrivilege	228	svchost.exe
Token: SeBackupPrivilege	228	svchost.exe
Token: SeRestorePrivilege	228	svchost.exe
Token: SeShutdownPrivilege	228	svchost.exe
Token: SeSystemEnvironmentPrivilege	228	svchost.exe
Token: SeUndockPrivilege	228	svchost.exe
Token: SeManageVolumePrivilege	228	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	228	svchost.exe
Token: SeIncreaseQuotaPrivilege	228	svchost.exe
Token: SeSecurityPrivilege	228	svchost.exe
Token: SeTakeOwnershipPrivilege	228	svchost.exe
Token: SeLoadDriverPrivilege	228	svchost.exe
Token: SeSystemtimePrivilege	228	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4848	5004	cmd.exe	85
PID 5004 wrote to memory of 4848	5004	cmd.exe	85
PID 5004 wrote to memory of 3420	5004	cmd.exe	86
PID 5004 wrote to memory of 3420	5004	cmd.exe	86
PID 5004 wrote to memory of 3708	5004	cmd.exe	87
PID 5004 wrote to memory of 3708	5004	cmd.exe	87
PID 5004 wrote to memory of 2932	5004	cmd.exe	88
PID 5004 wrote to memory of 2932	5004	cmd.exe	88
PID 5004 wrote to memory of 2816	5004	cmd.exe	89
PID 5004 wrote to memory of 2816	5004	cmd.exe	89
PID 5004 wrote to memory of 4836	5004	cmd.exe	90
PID 5004 wrote to memory of 4836	5004	cmd.exe	90
PID 5004 wrote to memory of 732	5004	cmd.exe	92
PID 5004 wrote to memory of 732	5004	cmd.exe	92
PID 5004 wrote to memory of 1416	5004	cmd.exe	93
PID 5004 wrote to memory of 1416	5004	cmd.exe	93
PID 5004 wrote to memory of 1216	5004	cmd.exe	94
PID 5004 wrote to memory of 1216	5004	cmd.exe	94
PID 5004 wrote to memory of 4092	5004	cmd.exe	95
PID 5004 wrote to memory of 4092	5004	cmd.exe	95
PID 5004 wrote to memory of 4612	5004	cmd.exe	96
PID 5004 wrote to memory of 4612	5004	cmd.exe	96
PID 5004 wrote to memory of 2720	5004	cmd.exe	97
PID 5004 wrote to memory of 2720	5004	cmd.exe	97
PID 5004 wrote to memory of 3380	5004	cmd.exe	98
PID 5004 wrote to memory of 3380	5004	cmd.exe	98
PID 5004 wrote to memory of 2008	5004	cmd.exe	100
PID 5004 wrote to memory of 2008	5004	cmd.exe	100
PID 5004 wrote to memory of 2776	5004	cmd.exe	101
PID 5004 wrote to memory of 2776	5004	cmd.exe	101
PID 5004 wrote to memory of 3024	5004	cmd.exe	102
PID 5004 wrote to memory of 3024	5004	cmd.exe	102
PID 5004 wrote to memory of 1588	5004	cmd.exe	103
PID 5004 wrote to memory of 1588	5004	cmd.exe	103
PID 5004 wrote to memory of 892	5004	cmd.exe	104
PID 5004 wrote to memory of 892	5004	cmd.exe	104
PID 5004 wrote to memory of 4488	5004	cmd.exe	105
PID 5004 wrote to memory of 4488	5004	cmd.exe	105
PID 5004 wrote to memory of 1620	5004	cmd.exe	106
PID 5004 wrote to memory of 1620	5004	cmd.exe	106
PID 5004 wrote to memory of 3540	5004	cmd.exe	107
PID 5004 wrote to memory of 3540	5004	cmd.exe	107
PID 5004 wrote to memory of 1948	5004	cmd.exe	108
PID 5004 wrote to memory of 1948	5004	cmd.exe	108
PID 5004 wrote to memory of 3136	5004	cmd.exe	109
PID 5004 wrote to memory of 3136	5004	cmd.exe	109
PID 5004 wrote to memory of 2612	5004	cmd.exe	110
PID 5004 wrote to memory of 2612	5004	cmd.exe	110
PID 5004 wrote to memory of 3112	5004	cmd.exe	111
PID 5004 wrote to memory of 3112	5004	cmd.exe	111
PID 5004 wrote to memory of 4780	5004	cmd.exe	113
PID 5004 wrote to memory of 4780	5004	cmd.exe	113
PID 5004 wrote to memory of 452	5004	cmd.exe	114
PID 5004 wrote to memory of 452	5004	cmd.exe	114
PID 5004 wrote to memory of 636	5004	cmd.exe	115
PID 5004 wrote to memory of 636	5004	cmd.exe	115
PID 636 wrote to memory of 2108	636	net.exe	116
PID 636 wrote to memory of 2108	636	net.exe	116
PID 5004 wrote to memory of 772	5004	cmd.exe	119
PID 5004 wrote to memory of 772	5004	cmd.exe	119
PID 772 wrote to memory of 3432	772	net.exe	120
PID 772 wrote to memory of 3432	772	net.exe	120
PID 5004 wrote to memory of 4524	5004	cmd.exe	124
PID 5004 wrote to memory of 4524	5004	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\unban\6\!!!!RUNME!!!!!.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU auto
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS "1684622520"
  2⤵
  PID:3420
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV "1.0"
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK "1809912807"
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "1022117223"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP "MS-7D23"
  2⤵
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM "Micro-pro International Co., Ltd."
  2⤵
  PID:732
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK "1946227538"
  2⤵
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF "1664216424"
  2⤵
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM "Micro-pro International Co., Ltd."
  2⤵
  PID:4092
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP "H510M-A PRO (MS-7D23)"
  2⤵
  PID:4612
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV "1.0"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT "126102943"
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC "1858528809"
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN "2123430014"
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT "269335743"
  2⤵
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN "2619422313"
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK "280534143"
  2⤵
  PID:892
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS "2168310331"
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV "1.0"
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "Micro-pro International Co., Ltd."
  2⤵
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA "594125825"
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO "0000 0000h"
  2⤵
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT "03h"
  2⤵
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV "3.80"
  2⤵
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IVN "American Megatrends International, LLC."
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\unban\6\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS "2614514534"
  2⤵
  PID:452
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:2108
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:3432
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:4524
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:4404
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\wbem\repository\MAPPING2.MAP

Filesize
207KB

MD5
90dd7d3626130d398e05e04771d11dc8

SHA1
682517324cf50f5825208efdeb796744996fd3a2

SHA256
7f5cab0cd9a4086a89b6a965a7dd65771fc18115065e91eab35729e590a3f4a9

SHA512
1ec91a3fadb8b5059d3e15e49786f2712f8ce22b4141f3b04ef4150a986178e5a34e3148b3b043ed092748bf22af92db589a6b3c8a024d7835d26b594bfa37ad

Download Submit