892043f3b79d937ac74943bee419135aaf64370b627313c4efd0919bcdbace62

Analysis

max time kernel
1s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 09:08

Target

KernelOS21H2 (2).bat
Size

38KB
MD5

b2c39c94a67e89dc4a633889f0575650
SHA1

e8dc50ebfb34dfef62a83b328e4e5f61e6bc3a49
SHA256

892043f3b79d937ac74943bee419135aaf64370b627313c4efd0919bcdbace62
SHA512

7222655c44c39101c863ca95d862072abcd3c0eb28944301bb8c256f25bdb103d841df63f7af9d473656e8fa22985ba7fb9f80870abae55bf7a24ac5bba4799f
SSDEEP

768:+TOLfw09oGDbfrdAUY5eCNldf2BWt9vOjfEv+/ZcbXmB9ofdfv3h8f+q1wqk:iku

Score

1^/10

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1748 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1592 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1752 powershell.exe
1752 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1592 taskkill.exe
Token: SeDebugPrivilege 1752 powershell.exe

pid	process
1748	timeout.exe

pid	process
1592	taskkill.exe

pid	process
1752	powershell.exe
1752	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1752	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.execmd.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 2024	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 2024	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 2024	1920	cmd.exe	cmd.exe
PID 2024 wrote to memory of 1512	2024	cmd.exe	chcp.com
PID 2024 wrote to memory of 1512	2024	cmd.exe	chcp.com
PID 2024 wrote to memory of 1512	2024	cmd.exe	chcp.com
PID 1920 wrote to memory of 1520	1920	cmd.exe	chcp.com
PID 1920 wrote to memory of 1520	1920	cmd.exe	chcp.com
PID 1920 wrote to memory of 1520	1920	cmd.exe	chcp.com
PID 1920 wrote to memory of 1380	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 1380	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 1380	1920	cmd.exe	cmd.exe
PID 1380 wrote to memory of 1592	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1592	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1592	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1752	1380	cmd.exe	powershell.exe
PID 1380 wrote to memory of 1752	1380	cmd.exe	powershell.exe
PID 1380 wrote to memory of 1752	1380	cmd.exe	powershell.exe
PID 1380 wrote to memory of 1748	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 1748	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 1748	1380	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1748

memory/1752-58-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1752-59-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1752-60-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1752-61-0x00000000028AB000-0x00000000028E2000-memory.dmp

Filesize
220KB

Download