10273efcac023d59fc68901d4d4fcf3ca59858fbca92ffb81243ccd49784218d | Triage

Analysis

max time kernel
17s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-03-2023 16:07

Sharing

Report Analysis Logs

General

Target

GDHM_TASBOT_v35.6/.GDHM/.GDHM_uninstall.bat
Size

2KB
MD5

2a6ed9dcdc9f8be9f0173124590b3335
SHA1

5b55581b8328f4249785328e0ce8410d582f877a
SHA256

e9bfaecdc031524c25d7a981b3922a493c863380e1b0b34c77c5826b8f10b849
SHA512

b0c75206d2ff101d87f1106aabe7b4907304d56d01e8c16f2f4974a6fefda6f59a952563354c84b700af9f89093eb683c15af17afa6f0cb76775b514abe5a930

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 828 wrote to memory of 2008	828	cmd.exe	reg.exe
PID 828 wrote to memory of 2008	828	cmd.exe	reg.exe
PID 828 wrote to memory of 2008	828	cmd.exe	reg.exe
PID 828 wrote to memory of 1476	828	cmd.exe	reg.exe
PID 828 wrote to memory of 1476	828	cmd.exe	reg.exe
PID 828 wrote to memory of 1476	828	cmd.exe	reg.exe
PID 828 wrote to memory of 1756	828	cmd.exe	reg.exe
PID 828 wrote to memory of 1756	828	cmd.exe	reg.exe
PID 828 wrote to memory of 1756	828	cmd.exe	reg.exe
PID 828 wrote to memory of 872	828	cmd.exe	reg.exe
PID 828 wrote to memory of 872	828	cmd.exe	reg.exe
PID 828 wrote to memory of 872	828	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GDHM_TASBOT_v35.6\.GDHM\.GDHM_uninstall.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\gdhm\ /f
2⤵
PID:2008

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\gdhm\shell\ /f
2⤵
PID:1476

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\gdhm\shell\open\ /f
2⤵
PID:1756

C:\Windows\system32\reg.exe
reg delete HKEY_CLASSES_ROOT\gdhm\shell\open\command\ /f
2⤵
PID:872

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...