b78da1eba668f0abe0da971a07aa5f90a1f7e2e378d7af507d4e4110cac64f11

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2022, 15:17

Target

juggles.cmd
Size

287B
MD5

efe57aed27c2bbf4838b50159ea2d681
SHA1

b13e4a69874867d0de66d5fa836bfab2eeee74f6
SHA256

b86d813aedba63d8d3c2a926790838180adbf941187595cbb0ad6686b8599509
SHA512

e711875f47f7a4bcbbe2cdea145bdb42dcae4ef303300a8e8bd9991d9b9b85a19c64046daf563d96d3906c526b22ad429d9a6d7060a189eace6e826815a3f62f

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2920	PING.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1344	4904	cmd.exe	82
PID 4904 wrote to memory of 1344	4904	cmd.exe	82
PID 4904 wrote to memory of 2920	4904	cmd.exe	87
PID 4904 wrote to memory of 2920	4904	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\juggles.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\regsvr32.exe
  C:\Windows\\\\\\system32\\\\\\regsvr32.exe oslo\sag.dat
  2⤵
  PID:1344
- C:\Windows\system32\PING.EXE
  ping google.com
  2⤵
  - Runs ping.exe
  PID:2920

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact