Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 09:52
Static task: static1
Behavioral task: behavioral1
- Sample: SDFKKJHL.bat
- Resource: win10-20240611-en (windows10-1703-x64)
- 4 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: SDFKKJHL.bat
- Resource: win7-20240903-en (windows7-x64)
- 4 signatures, 150 seconds
General
- Target: SDFKKJHL.bat
- Size: 1KB
- MD5: bc0b084b290472b958ffa4fc70851afb
- SHA1: dcd64f0d78f345dae44d5af80e2e40baf463f0f9
- SHA256: ec68eb0c7b556fb2d01b15e263c4583800b699642d1220f870dc9d4f9858347e
- SHA512: ef4d78aed65139ebb158048e59f66999c14b3ff661352b7d0e3e74f9b9d0521b66c7c4ae1f7886c97bdc3d68052c72dbb3e94e4d9beabc6144947efc054c1a99
Score: 1/10
Malware Config
Signatures
- Gathers network information (2 TTPs, 1 IoC): uses a command-line utility to view network configuration. PID 2640, ipconfig.exe
- Gathers system information (1 TTP, 1 IoC): runs systeminfo.exe. PID 3040, systeminfo.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- WMIC.exe (PID 2876), the same sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- WMIC.exe (PID 860): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
The numeric entries 33, 34 and 35 are privilege LUIDs the report did not resolve to names: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. WMIC.exe enables every privilege already present in its token when it starts, so this signature fires on any wmic invocation; AdjustTokenPrivileges cannot add privileges the token does not hold, and nothing here indicates escalation.
Suspicious use of WriteProcessMemory (21 IoCs)
- cmd.exe (PID 2056) wrote to the memory of each child it launched, three entries per child: PID 2876 (procid_target 31), PID 860 (33), PID 2752 (34), PID 2816 (35), PID 3040 (36), PID 2848 (37), PID 2640 (39)
Every target is a direct child of cmd.exe and the writes coincide with process start, which is the parent populating the new process during CreateProcess rather than injection into an unrelated process.
Processes
- C:\Windows\system32\cmd.exe (PID 2056): cmd /c "C:\Users\Admin\AppData\Local\Temp\SDFKKJHL.bat"  [Suspicious use of WriteProcessMemory]
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2876): wmic cpu get name, ProcessorId  [Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\Wbem\WMIC.exe (PID 860): wmic baseboard get Product, Manufacturer, SerialNumber  [Suspicious use of AdjustPrivilegeToken]
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2752): wmic diskdrive get Model, SerialNumber
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2816): wmic bios get Manufacturer, SerialNumber, Version
  - C:\Windows\system32\systeminfo.exe (PID 3040): systeminfo  [Gathers system information]
  - C:\Windows\system32\findstr.exe (PID 2848): findstr /B /C:"OS Name" /C:"OS Version"
  - C:\Windows\system32\ipconfig.exe (PID 2640): ipconfig /all  [Gathers network information]
- C:\Windows\explorer.exe (PID 2020): "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 1736): C:\Windows\system32\AUDIODG.EXE 0x4f8
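The process tree is the whole behaviour of the script: four WMIC queries for CPU, baseboard, disk and BIOS serial numbers, systeminfo filtered to OS name and version, and ipconfig /all, all children of one cmd.exe. Individually each of these is routine administration; the combination from a single parent is the hardware-fingerprinting pattern worth alerting on. The following Python is an added example, not part of the sandbox report or of the sample: it runs detection logic over constructed Sysmon-style process-creation events that mirror the tree above and flags a parent whose children cover hardware serials, OS information and network configuration within a short window. The timestamps, the parent PID of cmd.exe (1200), the two noise events (PIDs 3900 and 4100), the category patterns, the threshold and the user-writable path list are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events for this example:
# (UtcTime, ProcessId, ParentProcessId, Image, CommandLine). They mirror the
# process tree in the report but are made up here; the parent PID of cmd.exe
# (1200), the timestamps and the two trailing "noise" events are assumptions.
EVENTS = [
    ("2024-10-03 09:52:10", 2056, 1200, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "C:\Users\Admin\AppData\Local\Temp\SDFKKJHL.bat"'),
    ("2024-10-03 09:52:11", 2876, 2056, r"C:\Windows\System32\Wbem\WMIC.exe",
     "wmic cpu get name, ProcessorId"),
    ("2024-10-03 09:52:12", 860, 2056, r"C:\Windows\System32\Wbem\WMIC.exe",
     "wmic baseboard get Product, Manufacturer, SerialNumber"),
    ("2024-10-03 09:52:13", 2752, 2056, r"C:\Windows\System32\Wbem\WMIC.exe",
     "wmic diskdrive get Model, SerialNumber"),
    ("2024-10-03 09:52:14", 2816, 2056, r"C:\Windows\System32\Wbem\WMIC.exe",
     "wmic bios get Manufacturer, SerialNumber, Version"),
    ("2024-10-03 09:52:15", 3040, 2056, r"C:\Windows\system32\systeminfo.exe",
     "systeminfo"),
    ("2024-10-03 09:52:15", 2848, 2056, r"C:\Windows\system32\findstr.exe",
     'findstr /B /C:"OS Name" /C:"OS Version"'),
    ("2024-10-03 09:52:16", 2640, 2056, r"C:\Windows\system32\ipconfig.exe",
     "ipconfig /all"),
    # Noise: an administrator running one ipconfig from an interactive shell.
    ("2024-10-03 10:15:00", 3900, 3100, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ("2024-10-03 10:15:20", 4100, 3900, r"C:\Windows\system32\ipconfig.exe",
     "ipconfig /all"),
]

# One category per kind of information the script collects. Patterns are
# matched case-insensitively against the full command line.
CATEGORY_PATTERNS = {
    "hw_serial": re.compile(r"\bwmic\b.*\b(?:serialnumber|processorid)\b", re.I),
    "os_info": re.compile(r"\bsysteminfo\b", re.I),
    "net_config": re.compile(r"\bipconfig\b.*/all\b", re.I),
}

# Script launched from a user-writable location raises confidence (assumed list).
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Downloads|Public|ProgramData)\\", re.I)


def classify(command_line):
    """Return the recon category a command line belongs to, or None."""
    for name, pattern in CATEGORY_PATTERNS.items():
        if pattern.search(command_line):
            return name
    return None


def find_recon_chains(events, window=timedelta(seconds=60), min_categories=3):
    """Group classified children by parent PID and report every parent whose
    children cover at least `min_categories` distinct categories within
    `window` of the first classified child. A lone systeminfo or ipconfig is
    normal; serials + OS details + adapter details from one parent is not."""
    parents = {}                 # pid -> (image, command line) of every event
    by_parent = defaultdict(list)  # ppid -> [(time, child pid, category)]
    for ts, pid, ppid, image, cmdline in events:
        parents[pid] = (image, cmdline)
        category = classify(cmdline)
        if category:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_parent[ppid].append((when, pid, category))

    hits = []
    for ppid, children in by_parent.items():
        children.sort()
        first = children[0][0]
        in_window = [c for c in children if c[0] - first <= window]
        categories = {c[2] for c in in_window}
        if len(categories) >= min_categories:
            p_image, p_cmd = parents.get(ppid, ("<unknown>", ""))
            hits.append({
                "parent_pid": ppid,
                "parent_image": p_image,
                "categories": sorted(categories),
                "child_pids": [c[1] for c in in_window],
                "user_writable_script": bool(USER_WRITABLE.search(p_cmd)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_recon_chains(EVENTS):
        print(hit)
```

The findstr child is deliberately left unclassified: it only filters systeminfo output and carries no signal on its own. Tune `window` and `min_categories` against your own inventory agents before deploying, since legitimate asset-management scripts issue the same WMIC queries; the user-writable-path flag is the cheapest way to separate those from a dropped .bat in a Temp directory.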