Analysis

Max time kernel: 39s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 04-11-2024 06:33
Behavioral task: behavioral1
Sample: Chara/Run.bat
Resource: win7-20240903-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Chara/Run.bat
Resource: win10v2004-20241007-en
6 signatures, 150 seconds
General

Target: Chara/Run.bat
Size: 55B
MD5: 953afedf73e9fd5cbd5dbcd0920aba23
SHA1: b5b55fc17f8f6ab01a13e07fd9a5d9565660ac86
SHA256: ec96730cd5760f76624c76d0c318095c8baebf131a457ce0e7f06169e01bc8d8
SHA512: 56f17fe591313dbd4d97a360b6f0c824e841270c6c456475ebe45f5a307dfc4b5bc6b3c4f1e9696ed2dff525586debc6cf0e95a86d755ab25fd83cdd6f32c421
Score: 3/10
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (signature heading not preserved in the extracted page; inferred from the process tree below, which attributes it to PID 2348)
  pid   Process
  2348  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2348  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2348  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process      procid_target
  PID 2288 wrote to memory of 2332  2288  cmd.exe      32
  PID 2288 wrote to memory of 2332  2288  cmd.exe      32
  PID 2288 wrote to memory of 2332  2288  cmd.exe      32
  PID 2332 wrote to memory of 2348  2332  wscript.exe  33
  PID 2332 wrote to memory of 2348  2332  wscript.exe  33
  PID 2332 wrote to memory of 2348  2332  wscript.exe  33
Processes

C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Chara\Run.bat"
  PID: 2288
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe (depth 2)
    Command line: wscript.exe InjectStart.vbs
    PID: 2332
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File ".\HackTool\Y0k9j8h76g5f4d3sdf56g7h8j9k.ps1"
      PID: 2348
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken