a9c5afa8c8da291d36ebf561d9ee9f339c085d2ebe6270d9c9b152f769460ea9

Analysis

max time kernel
17s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 23:13

Target

hansy.bat
Size

4KB
MD5

616d18ca879666779d3d3a5c6022a24a
SHA1

8b44ebf0ec71ca5ce38a5afba6cf84f13971d489
SHA256

a9c5afa8c8da291d36ebf561d9ee9f339c085d2ebe6270d9c9b152f769460ea9
SHA512

b11ea99e8f7927ce48b1525b44da9418c15baf3bf3cb4b32a988d106e4412ac25f4b6581ce69dcbe609b120799e8dfd55c23eefeeb329a6eb517498b8140a3fa
SSDEEP

48:EmFjeX2FKfMFlNVdlmzXKYciMIwffzQdCRGc:HC2FKUPNVdlmz3d8Gc

Score

1^/10

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 2696	4976	cmd.exe	85
PID 4976 wrote to memory of 2696	4976	cmd.exe	85
PID 4976 wrote to memory of 2580	4976	cmd.exe	86
PID 4976 wrote to memory of 2580	4976	cmd.exe	86
PID 4976 wrote to memory of 1448	4976	cmd.exe	87
PID 4976 wrote to memory of 1448	4976	cmd.exe	87
PID 4976 wrote to memory of 4696	4976	cmd.exe	91
PID 4976 wrote to memory of 4696	4976	cmd.exe	91
PID 4976 wrote to memory of 4044	4976	cmd.exe	92
PID 4976 wrote to memory of 4044	4976	cmd.exe	92
PID 4976 wrote to memory of 3788	4976	cmd.exe	93
PID 4976 wrote to memory of 3788	4976	cmd.exe	93
PID 4976 wrote to memory of 2052	4976	cmd.exe	94
PID 4976 wrote to memory of 2052	4976	cmd.exe	94
PID 4976 wrote to memory of 1912	4976	cmd.exe	95
PID 4976 wrote to memory of 1912	4976	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hansy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:2696
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:2580
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:1448
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  PID:4696
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:4044
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:3788
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:2052
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  - Runs ping.exe
  PID:1912

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact