d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25/04/2023, 20:18

max time kernel
468s
max time network
472s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 20:18

Target

Executables/COPYDESKTOP.cmd
Size

272B
MD5

9f363cdcd66c05de634c0680a8b61a4f
SHA1

121f7c9e4de68198d5f13e3f5d17e02eca53fc8b
SHA256

05c7b343b863e81283f95a8c83cebce87798b9b9c8fc99f7771496170a96c0c6
SHA512

a8dcc8c6f4dcfaf7e6a20adae0a50389dceaf72d62c0ab882e8f1fa92338e25d2dd5881e2b6f267b8a64ca5e9263e5c5061555140098d22d3f8c7a8cda311826

Score

1^/10

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3560	Robocopy.exe
Token: SeRestorePrivilege	3560	Robocopy.exe
Token: SeSecurityPrivilege	3560	Robocopy.exe
Token: SeTakeOwnershipPrivilege	3560	Robocopy.exe
Token: SeBackupPrivilege	4292	Robocopy.exe
Token: SeRestorePrivilege	4292	Robocopy.exe
Token: SeSecurityPrivilege	4292	Robocopy.exe
Token: SeTakeOwnershipPrivilege	4292	Robocopy.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1508	4412	cmd.exe	84
PID 4412 wrote to memory of 1508	4412	cmd.exe	84
PID 1508 wrote to memory of 4664	1508	cmd.exe	85
PID 1508 wrote to memory of 4664	1508	cmd.exe	85
PID 1508 wrote to memory of 4668	1508	cmd.exe	86
PID 1508 wrote to memory of 4668	1508	cmd.exe	86
PID 4412 wrote to memory of 3560	4412	cmd.exe	87
PID 4412 wrote to memory of 3560	4412	cmd.exe	87
PID 4412 wrote to memory of 4292	4412	cmd.exe	89
PID 4412 wrote to memory of 4292	4412	cmd.exe	89

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\COPYDESKTOP.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a:d "C:\Users" | findstr /v /i /x /c:"Public" /c:"Default User" /c:"All Users"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b /a:d "C:\Users" "
    3⤵
    PID:4664
- - C:\Windows\system32\findstr.exe
    findstr /v /i /x /c:"Public" /c:"Default User" /c:"All Users"
    3⤵
    PID:4668
- C:\Windows\system32\Robocopy.exe
  robocopy "Atlas" "C:\Users\Admin\Desktop\Atlas" /e /purge /im /it /np
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\system32\Robocopy.exe
  robocopy "Atlas" "C:\Users\Default\Desktop\Atlas" /e /purge /im /it /np
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4292

C:\Users\Default\Desktop\Atlas\3. Configuration\4. Optional Tweaks\File Explorer Customization\Network Navigation Pane\Run With RunAsTI.lnk

Filesize
1KB

MD5
8047d69f07f9cc85afdbca0293a6af0e

SHA1
1b3c62746a33d84fba0fb094d57e0632a31869f4

SHA256
448292edc5b965daf630a4d2d654e2c2c9df49a009273d0a680be50180fb52c3

SHA512
48090617235d44831e00d4efd489da5fccb77bf447382116d801b5f68e9263345759d824e2e58a671c4cf0b61d536f659a1a94100154a5c235f21e416249d7cc

Download Submit