708c3a754f66c7ea424f1853f6076fd19434f729efff1c7ca5f68c76648f9ca3

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/03/2023, 14:09

Target

CCDisk (v2021.02.19)/STOP_ALL.bat
Size

226B
MD5

8b9abbd78e36c4469d8e64f5ca425917
SHA1

aaa5d00f34e29b83fa02d8dcac56d821eb1a70bc
SHA256

7c7ab179f5761666b1ea88917f0765d0bc043077fe09b64407f11f148a420f8e
SHA512

03da1c42a86b02514e82c4490705d55f5f2909bbff60795ed275b335fcef2c5884b66003962b0e23bd49a04437fcd9a8c32aa118400b4109c49506c5b65e96ae

Score

1^/10

Kills process with taskkill 6 IoCs

evasion

Suspicious use of AdjustPrivilegeToken 6 IoCs

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1648	1740	cmd.exe	29
PID 1740 wrote to memory of 1648	1740	cmd.exe	29
PID 1740 wrote to memory of 1648	1740	cmd.exe	29
PID 1740 wrote to memory of 660	1740	cmd.exe	31
PID 1740 wrote to memory of 660	1740	cmd.exe	31
PID 1740 wrote to memory of 660	1740	cmd.exe	31
PID 1740 wrote to memory of 564	1740	cmd.exe	32
PID 1740 wrote to memory of 564	1740	cmd.exe	32
PID 1740 wrote to memory of 564	1740	cmd.exe	32
PID 1740 wrote to memory of 612	1740	cmd.exe	33
PID 1740 wrote to memory of 612	1740	cmd.exe	33
PID 1740 wrote to memory of 612	1740	cmd.exe	33
PID 1740 wrote to memory of 860	1740	cmd.exe	34
PID 1740 wrote to memory of 860	1740	cmd.exe	34
PID 1740 wrote to memory of 860	1740	cmd.exe	34
PID 1740 wrote to memory of 1520	1740	cmd.exe	35
PID 1740 wrote to memory of 1520	1740	cmd.exe	35
PID 1740 wrote to memory of 1520	1740	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CCDisk (v2021.02.19)\STOP_ALL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccboot.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccboot.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccdisk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccdisk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\System32\taskkill.exe
  taskkill /IM icafemenuserver.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\taskkill.exe
  taskkill /IM icafemenuserver.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520