Analysis

max time kernel: 17s
max time network: 19s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 04-11-2024 06:31

Behavioral task: behavioral1
Sample: Chara/Run.bat
Resource: win7-20240708-en
5 signatures, 300 seconds
General

Target: Chara/Run.bat
Size: 55B
MD5: 953afedf73e9fd5cbd5dbcd0920aba23
SHA1: b5b55fc17f8f6ab01a13e07fd9a5d9565660ac86
SHA256: ec96730cd5760f76624c76d0c318095c8baebf131a457ce0e7f06169e01bc8d8
SHA512: 56f17fe591313dbd4d97a360b6f0c824e841270c6c456475ebe45f5a307dfc4b5bc6b3c4f1e9696ed2dff525586debc6cf0e95a86d755ab25fd83cdd6f32c421
Score: 3/10
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 IoCs
pid | Process
2252 | powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2252 | powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2252 | powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2696 wrote to memory of 2356 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2356 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2356 | 2696 | cmd.exe | 31
PID 2356 wrote to memory of 2252 | 2356 | wscript.exe | 32
PID 2356 wrote to memory of 2252 | 2356 | wscript.exe | 32
PID 2356 wrote to memory of 2252 | 2356 | wscript.exe | 32
Processes

C:\Windows\system32\cmd.exe (PID 2696)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Chara\Run.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe (PID 2356)
    wscript.exe InjectStart.vbs
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2252)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File ".\HackTool\Y0k9j8h76g5f4d3sdf56g7h8j9k.ps1"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
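What makes this report worth a detection is not any one signature but the chain they describe: a batch file (cmd.exe) launching a Windows Script Host (wscript.exe InjectStart.vbs) which launches powershell.exe with -ExecutionPolicy Bypass on a script under a HackTool directory, after which that PowerShell process enables SeDebugPrivilege and enumerates processes. The script below is an added example, not part of the sandbox report or of the sample: it takes the six WriteProcessMemory IoC rows (copied here as a pipe-separated table, column order assumed from the header), the command lines from the process tree and the AdjustPrivilegeToken IoC, collapses the repeated rows into parent/child edges and flags a cmd.exe -> script host -> powershell.exe chain. The SCRIPT_HOSTS set (which also covers cscript.exe and mshta.exe), the prefix handling for -ExecutionPolicy and the PRIVILEGES map are assumptions that generalize beyond this one report.

```python
import re
from collections import defaultdict

# Constructed sample input: the six WriteProcessMemory IoC rows from the report,
# laid out as "description | pid | process | procid_target" (column order assumed).
IOC_ROWS = """\
PID 2696 wrote to memory of 2356 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2356 | 2696 | cmd.exe | 31
PID 2696 wrote to memory of 2356 | 2696 | cmd.exe | 31
PID 2356 wrote to memory of 2252 | 2356 | wscript.exe | 32
PID 2356 wrote to memory of 2252 | 2356 | wscript.exe | 32
PID 2356 wrote to memory of 2252 | 2356 | wscript.exe | 32
"""

# Constructed sample input: command lines per PID, copied from the process tree.
CMDLINES = {
    2696: r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Chara\Run.bat"',
    2356: r'wscript.exe InjectStart.vbs',
    2252: (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
           r'-ExecutionPolicy Bypass -File ".\HackTool\Y0k9j8h76g5f4d3sdf56g7h8j9k.ps1"'),
}

# Constructed sample input: privileges enabled per PID (AdjustPrivilegeToken IoC).
PRIVILEGES = {2252: {"SeDebugPrivilege"}}

# Assumption: any of these script hosts in the middle of the chain is equally suspicious.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy (-ex, -exec, ...) and -ep.
BYPASS_RE = re.compile(r"-(?:ex[a-z]*|ep)\s+bypass", re.I)
FILE_RE = re.compile(r'-f(?:ile)?\s+("[^"]*"|\S+)', re.I)
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(rows):
    """Collapse the IoC rows into parent->children edges plus the images named in them.
    Identical repeated rows are one CreateProcess, not one injection each."""
    children = defaultdict(set)
    images = {}
    for line in rows.splitlines():
        if not line.strip():
            continue
        desc, pid, image, _target = (f.strip() for f in line.split("|"))
        m = ROW_RE.match(desc)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        if parent != int(pid):
            raise ValueError(f"pid column {pid} disagrees with description {desc!r}")
        children[parent].add(child)
        images[parent] = image.lower()
    return dict(children), images


def image_name(pid, images, cmdlines):
    """Image for a PID: from the IoC table if it appeared as a writer, otherwise
    from the first token of its command line (a bare 'cmd' becomes 'cmd.exe')."""
    if pid in images:
        return images[pid]
    cl = cmdlines.get(pid, "")
    if not cl:
        return ""
    first = cl.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
    return first if first.endswith(".exe") else first + ".exe"


def find_chains(children, images, cmdlines, privileges):
    """Flag cmd.exe -> script host -> powershell.exe chains and annotate each with
    the PowerShell flags, script path and privileges a responder wants to see."""
    findings = []
    for parent, kids in children.items():
        if image_name(parent, images, cmdlines) != "cmd.exe":
            continue
        for kid in kids:
            if image_name(kid, images, cmdlines) not in SCRIPT_HOSTS:
                continue
            for gc in children.get(kid, ()):
                if image_name(gc, images, cmdlines) != "powershell.exe":
                    continue
                cl = cmdlines.get(gc, "")
                fm = FILE_RE.search(cl)
                findings.append({
                    "chain": [parent, kid, gc],
                    "names": [image_name(p, images, cmdlines) for p in (parent, kid, gc)],
                    "execution_policy_bypass": bool(BYPASS_RE.search(cl)),
                    "script": fm.group(1).strip('"') if fm else None,
                    "privileges": sorted(privileges.get(gc, ())),
                })
    return findings


def analyze(rows=IOC_ROWS, cmdlines=CMDLINES, privileges=PRIVILEGES):
    children, images = parse_edges(rows)
    return find_chains(children, images, cmdlines, privileges)


if __name__ == "__main__":
    for f in analyze():
        print(" -> ".join(f"{n}({p})" for n, p in zip(f["names"], f["chain"])),
              "bypass=%s script=%s privs=%s"
              % (f["execution_policy_bypass"], f["script"], f["privileges"]))
```

Two things the script makes explicit that the raw tables do not: the six WriteProcessMemory rows reduce to exactly two edges, each of which matches a spawn in the process tree (cmd.exe creating wscript.exe, wscript.exe creating powershell.exe), so this signature here records process creation rather than a write into some unrelated process; and the interesting behaviour (SeDebugPrivilege, process enumeration) is attached to the leaf of the chain, which is why the finding carries the grandchild's privileges and script path rather than the parent's.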