d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25/04/2023, 20:18

max time kernel
500s
max time network
503s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 20:18

Target

Executables/UPDHEALTH.cmd
Size

1KB
MD5

1b241a1abbaa55fee0cd88e7f9995f38
SHA1

37bbf721b8d8c8de79364891ea477a024a561fd3
SHA256

5b91efc5bdb2e642e50ad0c38cea03daeb8717a3905a4b8792ea9e09f13c9200
SHA512

f1a4000784eb459451a97bdb09e118cda3836a597b5b67ba1bc39fc5f7ddb6cbb26cd43e9e2a3be8203aad75f157a53e6ed4c1de3fe6c6505231b64c392c8868

Score

1^/10

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 32	2208	cmd.exe	84
PID 2208 wrote to memory of 32	2208	cmd.exe	84
PID 32 wrote to memory of 792	32	cmd.exe	85
PID 32 wrote to memory of 792	32	cmd.exe	85
PID 32 wrote to memory of 428	32	cmd.exe	86
PID 32 wrote to memory of 428	32	cmd.exe	86
PID 2208 wrote to memory of 4132	2208	cmd.exe	87
PID 2208 wrote to memory of 4132	2208	cmd.exe	87
PID 4132 wrote to memory of 4288	4132	cmd.exe	88
PID 4132 wrote to memory of 4288	4132	cmd.exe	88
PID 4132 wrote to memory of 4328	4132	cmd.exe	89
PID 4132 wrote to memory of 4328	4132	cmd.exe	89

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\UPDHEALTH.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /d /f "Update Health Tools" /s | findstr /i /c:"CurrentVersion\Uninstall\\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /d /f "Update Health Tools" /s
    3⤵
    PID:792
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"CurrentVersion\Uninstall\\"
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCR\Installer\Products" /d /f "Update Health Tools" /s | findstr /i /c:"Installer\Products\\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\reg.exe
    reg query "HKCR\Installer\Products" /d /f "Update Health Tools" /s
    3⤵
    PID:4288
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"Installer\Products\\"
    3⤵
    PID:4328