ad1ee56c283fb3af21c4f2e92b7d5d4e41e6513fcb2cc5daf143cb75d79fb6d4

Resubmissions

27-11-2024 09:42

01-04-2023 15:23

01-04-2023 15:20

max time kernel
122s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 15:23

Target

RE4T Folder/bin/reatcommands.bat
Size

2KB
MD5

122906d25ccc0da20a03c1781d397357
SHA1

9ae5221b938123b79b852d40607703ad48bd8885
SHA256

77f273ed8e612d9df5ce5c55261bd279d528699274373093cf302c765aca2a65
SHA512

1e40def2b860f6394f901d7cbcf54c402531e9952f9ef6338ec0e8c870f3b83e4787f3051c4d3fe7eab9a5e25465158977114409e03f053057771778dac842ac

Score

1^/10

Kills process with taskkill 1 IoCs

evasion

pid	Process
4172	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4172	1404	cmd.exe	84
PID 1404 wrote to memory of 4172	1404	cmd.exe	84
PID 1404 wrote to memory of 4420	1404	cmd.exe	85
PID 1404 wrote to memory of 4420	1404	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RE4T Folder\bin\reatcommands.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4172
- C:\Windows\system32\cscript.exe
  CSCRIPT //nologo "C:\Users\Admin\AppData\Local\Temp\~tmpSendKeysTemp.vbs"
  2⤵
  PID:4420

C:\Users\Admin\AppData\Local\Temp\~tmpSendKeysTemp.vbs

Filesize
216B

MD5
0b8c469ceec9ea2bc321274a72a04c89

SHA1
8cb7e2500a9a4d1c48d4337adcaee7eeb978058a

SHA256
e27fd479fa6fdc623b3180a5abaa300b8f9eca639bba48dba7c332c49c6f5adb

SHA512
9c23d34b1f7a0577735f529efeeef090218d6b0228802e0d97f629586ae62059b0e955efa95c19244cdab7cae2a5f09f863cc28c6eaff80c9dcc292b1e0ef3b0

Download Submit