Analysis
- max time kernel: 55s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: rasols.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: rasols.bat
  Resource: win10v2004-20241007-en
General
- Target: rasols.bat
- Size: 670B
- MD5: 3fa703702d40bde2b0e6c3e4d714530f
- SHA1: ba1a1224efa91e43a731005fbca16bf6b7bf7789
- SHA256: 9f32da05cb50dffe57229f0cec2e1f06736634cc2b600bf4011a279adfa97202
- SHA512: 08b3252b6c58201351a77f397161dab9d49a627246dfe976fa9d1efa60012c8978c0fd5b4d8870eb002effb1b2a2f5ce9ded6f1f2abf83adbefae80ea040cc24
Malware Config
Signatures
- Deletes itself (1 IoC)
    pid 2096, cmd.exe
- Drops startup file (2 IoCs)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zupa.bat (cmd.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zupa.bat (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid 2624, taskmgr.exe (2 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid 2624, taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege, pid 2624, taskmgr.exe
- Suspicious use of FindShellTrayWindow (14 IoCs)
    pid 2624, taskmgr.exe (14 identical entries)
- Suspicious use of SendNotifyMessage (14 IoCs)
    pid 2624, taskmgr.exe (14 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
    PID 2096 (cmd.exe) wrote to memory of PID 2112, procid_target 31 (3 identical entries)
Processes
- [level 1] C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\rasols.bat"
    PID: 2096
    - Deletes itself
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - [level 2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zupa.bat"
        PID: 2112
- [level 1] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 2860
- [level 1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 2624
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Downloads
- Filesize: 111B
  MD5: e1fb0edaa5e8c7fd3e3b13e556ef90cc
  SHA1: cbcc264254a0a13d510de0b9762c2ca0ea18558f
  SHA256: 9b5a8878d9f606c6d43dcbd57115ffc69117bde85f11dbb928eb8d2362821455
  SHA512: 66ce1425a0f6bcf882eb5a81be576de0f12defeb791ce1e4ed28d5e0c605830156b004299a3e4e55c5ccdd43df0e29098f1b407c2aa5ecf4c2bb3d2aab37d21d