Analysis
max time kernel: 1561s
max time network: 1563s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2024, 13:24
Static task: static1

Behavioral task: behavioral1
Sample: Mega.nz.bat
Resource: win7-20240903-en
4 signatures, 1800 seconds

Behavioral task: behavioral2
Sample: Mega.nz.bat
Resource: win10v2004-20241007-en
25 signatures, 1800 seconds
General
Target: Mega.nz.bat
Size: 7.0MB
MD5: b2d38508bcd5f974716108f254062299
SHA1: 32ff5f1da9bdcc3c08d1a3abca2a06d6c2b1a51c
SHA256: be96e5999694ba413091ab5f34bfb5a7e402d6625484ff47ddb40c9dc623904e
SHA512: 33c3b9c737cba1c830d19af4a05a012274b536ad71ac6b225f78ce4a3136ad51aba8dc4b3236b73562d7ab07e738b088fa4af15e460f515b96a7a5dad64f3609
SSDEEP: 49152:RywMWtLM3sSYjTrwiSeDJ+WuXY7nrk+USWYvyP5IIma1eTWydiKBTYj3hcno6a8+:0
Score: 4/10
Malware Config

Signatures

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe

Suspicious use of AdjustPrivilegeToken (40 IoCs)
Process: WMIC.exe, PID 2236. The following sequence of 20 token adjustments is recorded twice in the report (40 IoCs in total):
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
780 | mspaint.exe
780 | mspaint.exe
780 | mspaint.exe
780 | mspaint.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3004 wrote to memory of 2236 | 3004 | cmd.exe | 31
PID 3004 wrote to memory of 2236 | 3004 | cmd.exe | 31
PID 3004 wrote to memory of 2236 | 3004 | cmd.exe | 31
PID 3004 wrote to memory of 2680 | 3004 | cmd.exe | 32
PID 3004 wrote to memory of 2680 | 3004 | cmd.exe | 32
PID 3004 wrote to memory of 2680 | 3004 | cmd.exe | 32
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Mega.nz.bat"
  PID: 3004
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic diskdrive get Model
    PID: 2236
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\findstr.exe
    Command line: findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
    PID: 2680
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2664
- C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ConvertToSuspend.rle"
  PID: 780
  Signatures: Drops file in Windows directory; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1760