708c3a754f66c7ea424f1853f6076fd19434f729efff1c7ca5f68c76648f9ca3

Analysis

max time kernel
82s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 14:09

Target

CCDisk (v2021.02.19)/STOP_ALL.bat
Size

226B
MD5

8b9abbd78e36c4469d8e64f5ca425917
SHA1

aaa5d00f34e29b83fa02d8dcac56d821eb1a70bc
SHA256

7c7ab179f5761666b1ea88917f0765d0bc043077fe09b64407f11f148a420f8e
SHA512

03da1c42a86b02514e82c4490705d55f5f2909bbff60795ed275b335fcef2c5884b66003962b0e23bd49a04437fcd9a8c32aa118400b4109c49506c5b65e96ae

Score

1^/10

Kills process with taskkill 6 IoCs

evasion

Suspicious use of AdjustPrivilegeToken 6 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1840	1808	cmd.exe	88
PID 1808 wrote to memory of 1840	1808	cmd.exe	88
PID 1808 wrote to memory of 4268	1808	cmd.exe	89
PID 1808 wrote to memory of 4268	1808	cmd.exe	89
PID 1808 wrote to memory of 436	1808	cmd.exe	90
PID 1808 wrote to memory of 436	1808	cmd.exe	90
PID 1808 wrote to memory of 3136	1808	cmd.exe	91
PID 1808 wrote to memory of 3136	1808	cmd.exe	91
PID 1808 wrote to memory of 1496	1808	cmd.exe	92
PID 1808 wrote to memory of 1496	1808	cmd.exe	92
PID 1808 wrote to memory of 1856	1808	cmd.exe	93
PID 1808 wrote to memory of 1856	1808	cmd.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CCDisk (v2021.02.19)\STOP_ALL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccboot.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccboot.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccdisk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\taskkill.exe
  taskkill /IM ccdisk.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\System32\taskkill.exe
  taskkill /IM icafemenuserver.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\taskkill.exe
  taskkill /IM icafemenuserver.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1856