7d8b06e433c1eb797aaaa5957088a414f0dc8d9cd19302dbd2905df61dedb84b

Resubmissions

13/10/2024, 03:58

241013-ejjbrsyaqb 3

13/10/2024, 03:55

241013-egwjbaxhrh 3

Analysis

max time kernel
1369s
max time network
1163s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sss/kitty.cc checkers.bat
Size

833B
MD5

76f2916842fa2b9cf80a206374b62d88
SHA1

c04a8f8db6388dad5e3c7e3edbbe9467e46cdd48
SHA256

59a907b93585ff90f7c69e4eddde938b8005807fe16a5a45b56820e28e07edcd
SHA512

5e0ffbc4e939568237d27c53e60eed88de8474b0d6ae9e767e66e8858cd3de7467f2b48b29a02a2a1b2e8922ed4bb4eb300632796ea39e531037f194ffac7eba

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: 36	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2176	5036	cmd.exe	84
PID 5036 wrote to memory of 2176	5036	cmd.exe	84
PID 5036 wrote to memory of 1728	5036	cmd.exe	86
PID 5036 wrote to memory of 1728	5036	cmd.exe	86
PID 5036 wrote to memory of 1940	5036	cmd.exe	88
PID 5036 wrote to memory of 1940	5036	cmd.exe	88
PID 5036 wrote to memory of 3924	5036	cmd.exe	89
PID 5036 wrote to memory of 3924	5036	cmd.exe	89
PID 5036 wrote to memory of 3932	5036	cmd.exe	91
PID 5036 wrote to memory of 3932	5036	cmd.exe	91
PID 5036 wrote to memory of 3544	5036	cmd.exe	93
PID 5036 wrote to memory of 3544	5036	cmd.exe	93
PID 5036 wrote to memory of 1132	5036	cmd.exe	94
PID 5036 wrote to memory of 1132	5036	cmd.exe	94
PID 5036 wrote to memory of 1652	5036	cmd.exe	95
PID 5036 wrote to memory of 1652	5036	cmd.exe	95
PID 5036 wrote to memory of 2724	5036	cmd.exe	96
PID 5036 wrote to memory of 2724	5036	cmd.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sss\kitty.cc checkers.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\system32\mode.com
  mode con: cols=180 lines=62
  2⤵
  PID:2176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  PID:3924
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description,PNPDeviceID
  2⤵
  PID:3932
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:3544
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:1132
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get processorid
  2⤵
  PID:1652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:2724

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads