a43e9d152796855e2d736ddfa8f65332ae1b4b8be8cd6592ecef9c9ab9ca2394 | Triage

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:38

Sharing

Report Analysis Logs

General

Target

core.bat
Size

116B
MD5

f5b21b76543e9d9e0266907eba908086
SHA1

cc36e63f29e87b8fb761cb522e5dcf67260ede59
SHA256

12798db160501db81306c6cca0ab2304a1b7222da6ec99f0ccbdb67dcf442660
SHA512

6908cf93c848c4f4a1ade20bbba17e8f0e7af788d8d2de342b56dcee240f03ab88aeb4cb453fb3630bb885bac701e48e0cbcc721e393acef41cb163eaadb0ab3

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
588	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
588	rundll32.exe
588	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 588	2284	cmd.exe	31
PID 2284 wrote to memory of 588	2284	cmd.exe	31
PID 2284 wrote to memory of 588	2284	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\vessel-64.dat,DllMain /i="license.dat"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-2-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/588-7-0x000007FEF5D55000-0x000007FEF5FD8000-memory.dmp

Filesize
2.5MB

Download
memory/588-6-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/588-4-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download