ec68eb0c7b556fb2d01b15e263c4583800b699642d1220f870dc9d4f9858347e

Analysis

max time kernel
4s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
03/10/2024, 09:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SDFKKJHL.bat
Size

1KB
MD5

bc0b084b290472b958ffa4fc70851afb
SHA1

dcd64f0d78f345dae44d5af80e2e40baf463f0f9
SHA256

ec68eb0c7b556fb2d01b15e263c4583800b699642d1220f870dc9d4f9858347e
SHA512

ef4d78aed65139ebb158048e59f66999c14b3ff661352b7d0e3e74f9b9d0521b66c7c4ae1f7886c97bdc3d68052c72dbb3e94e4d9beabc6144947efc054c1a99

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4768	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2964	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4344	WMIC.exe
Token: SeSecurityPrivilege	4344	WMIC.exe
Token: SeTakeOwnershipPrivilege	4344	WMIC.exe
Token: SeLoadDriverPrivilege	4344	WMIC.exe
Token: SeSystemProfilePrivilege	4344	WMIC.exe
Token: SeSystemtimePrivilege	4344	WMIC.exe
Token: SeProfSingleProcessPrivilege	4344	WMIC.exe
Token: SeIncBasePriorityPrivilege	4344	WMIC.exe
Token: SeCreatePagefilePrivilege	4344	WMIC.exe
Token: SeBackupPrivilege	4344	WMIC.exe
Token: SeRestorePrivilege	4344	WMIC.exe
Token: SeShutdownPrivilege	4344	WMIC.exe
Token: SeDebugPrivilege	4344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4344	WMIC.exe
Token: SeRemoteShutdownPrivilege	4344	WMIC.exe
Token: SeUndockPrivilege	4344	WMIC.exe
Token: SeManageVolumePrivilege	4344	WMIC.exe
Token: 33	4344	WMIC.exe
Token: 34	4344	WMIC.exe
Token: 35	4344	WMIC.exe
Token: 36	4344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4344	WMIC.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3420	4368	cmd.exe	71
PID 4368 wrote to memory of 3420	4368	cmd.exe	71
PID 4368 wrote to memory of 4344	4368	cmd.exe	73
PID 4368 wrote to memory of 4344	4368	cmd.exe	73
PID 4368 wrote to memory of 2956	4368	cmd.exe	74
PID 4368 wrote to memory of 2956	4368	cmd.exe	74
PID 4368 wrote to memory of 3600	4368	cmd.exe	75
PID 4368 wrote to memory of 3600	4368	cmd.exe	75
PID 4368 wrote to memory of 2964	4368	cmd.exe	76
PID 4368 wrote to memory of 2964	4368	cmd.exe	76
PID 4368 wrote to memory of 2272	4368	cmd.exe	77
PID 4368 wrote to memory of 2272	4368	cmd.exe	77
PID 4368 wrote to memory of 4768	4368	cmd.exe	79
PID 4368 wrote to memory of 4768	4368	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SDFKKJHL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name, ProcessorId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get Product, Manufacturer, SerialNumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model, SerialNumber
  2⤵
  PID:2956
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get Manufacturer, SerialNumber, Version
  2⤵
  PID:3600
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2964
- C:\Windows\system32\findstr.exe
  findstr /B /C:"OS Name" /C:"OS Version"
  2⤵
  PID:2272
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads