124147553a430f22bb4774d2037fe27cd565b23043834ba283d5206c56a45a40

Analysis

max time kernel
190s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fzed.bat
Size

1KB
MD5

992baa48ee0f730e5cdf6e54585eae5c
SHA1

f440dc5f7e9256374de948a47dba122fda5c98f3
SHA256

124147553a430f22bb4774d2037fe27cd565b23043834ba283d5206c56a45a40
SHA512

6add67a9f9e06ea2e3a1137686ae53dec70769b9687b9a59aeaf015f0734a6dc2d254d87c6ace324157f0cd764aaf5431ae07b6802dd06f53d7642a11f221d41

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4532	448	cmd.exe	81
PID 448 wrote to memory of 4532	448	cmd.exe	81
PID 4532 wrote to memory of 4716	4532	net.exe	82
PID 4532 wrote to memory of 4716	4532	net.exe	82
PID 448 wrote to memory of 900	448	cmd.exe	83
PID 448 wrote to memory of 900	448	cmd.exe	83
PID 900 wrote to memory of 4348	900	net.exe	85
PID 900 wrote to memory of 4348	900	net.exe	85
PID 448 wrote to memory of 1500	448	cmd.exe	86
PID 448 wrote to memory of 1500	448	cmd.exe	86
PID 1500 wrote to memory of 2112	1500	net.exe	87
PID 1500 wrote to memory of 2112	1500	net.exe	87
PID 448 wrote to memory of 4840	448	cmd.exe	88
PID 448 wrote to memory of 4840	448	cmd.exe	88
PID 4840 wrote to memory of 5044	4840	net.exe	89
PID 4840 wrote to memory of 5044	4840	net.exe	89
PID 448 wrote to memory of 1348	448	cmd.exe	90
PID 448 wrote to memory of 1348	448	cmd.exe	90
PID 1348 wrote to memory of 844	1348	net.exe	91
PID 1348 wrote to memory of 844	1348	net.exe	91
PID 448 wrote to memory of 2808	448	cmd.exe	92
PID 448 wrote to memory of 2808	448	cmd.exe	92
PID 2808 wrote to memory of 4800	2808	net.exe	93
PID 2808 wrote to memory of 4800	2808	net.exe	93
PID 448 wrote to memory of 2008	448	cmd.exe	94
PID 448 wrote to memory of 2008	448	cmd.exe	94
PID 2008 wrote to memory of 4444	2008	net.exe	95
PID 2008 wrote to memory of 4444	2008	net.exe	95
PID 448 wrote to memory of 1664	448	cmd.exe	96
PID 448 wrote to memory of 1664	448	cmd.exe	96
PID 1664 wrote to memory of 3144	1664	net.exe	97
PID 1664 wrote to memory of 3144	1664	net.exe	97
PID 448 wrote to memory of 2100	448	cmd.exe	99
PID 448 wrote to memory of 2100	448	cmd.exe	99
PID 2100 wrote to memory of 4528	2100	net.exe	98
PID 2100 wrote to memory of 4528	2100	net.exe	98
PID 448 wrote to memory of 5108	448	cmd.exe	100
PID 448 wrote to memory of 5108	448	cmd.exe	100
PID 5108 wrote to memory of 2956	5108	net.exe	101
PID 5108 wrote to memory of 2956	5108	net.exe	101
PID 448 wrote to memory of 5056	448	cmd.exe	102
PID 448 wrote to memory of 5056	448	cmd.exe	102
PID 5056 wrote to memory of 5076	5056	net.exe	103
PID 5056 wrote to memory of 5076	5056	net.exe	103
PID 448 wrote to memory of 5008	448	cmd.exe	104
PID 448 wrote to memory of 5008	448	cmd.exe	104
PID 5008 wrote to memory of 4116	5008	net.exe	105
PID 5008 wrote to memory of 4116	5008	net.exe	105
PID 448 wrote to memory of 5012	448	cmd.exe	106
PID 448 wrote to memory of 5012	448	cmd.exe	106
PID 5012 wrote to memory of 5068	5012	net.exe	107
PID 5012 wrote to memory of 5068	5012	net.exe	107
PID 448 wrote to memory of 1868	448	cmd.exe	108
PID 448 wrote to memory of 1868	448	cmd.exe	108
PID 1868 wrote to memory of 3516	1868	net.exe	109
PID 1868 wrote to memory of 3516	1868	net.exe	109
PID 448 wrote to memory of 4432	448	cmd.exe	110
PID 448 wrote to memory of 4432	448	cmd.exe	110
PID 4432 wrote to memory of 1020	4432	net.exe	111
PID 4432 wrote to memory of 1020	4432	net.exe	111
PID 448 wrote to memory of 400	448	cmd.exe	112
PID 448 wrote to memory of 400	448	cmd.exe	112
PID 400 wrote to memory of 4140	400	net.exe	113
PID 400 wrote to memory of 4140	400	net.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fzed.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\net.exe
  net share c$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share c$ /delete /y
    3⤵
    PID:4716
- C:\Windows\system32\net.exe
  net share ipc$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share ipc$ /delete /y
    3⤵
    PID:4348
- C:\Windows\system32\net.exe
  net share admin$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share admin$ /delete /y
    3⤵
    PID:2112
- C:\Windows\system32\net.exe
  net share d$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share d$ /delete /y
    3⤵
    PID:5044
- C:\Windows\system32\net.exe
  net share e$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share e$ /delete /y
    3⤵
    PID:844
- C:\Windows\system32\net.exe
  net share f$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share f$ /delete /y
    3⤵
    PID:4800
- C:\Windows\system32\net.exe
  net share g$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share g$ /delete /y
    3⤵
    PID:4444
- C:\Windows\system32\net.exe
  net share h$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share h$ /delete /y
    3⤵
    PID:3144
- C:\Windows\system32\net.exe
  net share i$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- C:\Windows\system32\net.exe
  net share j$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share j$ /delete /y
    3⤵
    PID:2956
- C:\Windows\system32\net.exe
  net share k$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share k$ /delete /y
    3⤵
    PID:5076
- C:\Windows\system32\net.exe
  net share l$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share l$ /delete /y
    3⤵
    PID:4116
- C:\Windows\system32\net.exe
  net share m$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share m$ /delete /y
    3⤵
    PID:5068
- C:\Windows\system32\net.exe
  net share n$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share n$ /delete /y
    3⤵
    PID:3516
- C:\Windows\system32\net.exe
  net share o$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share o$ /delete /y
    3⤵
    PID:1020
- C:\Windows\system32\net.exe
  net share p$ /delete /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share p$ /delete /y
    3⤵
    PID:4140
- C:\Windows\system32\net.exe
  net share r$ /delete /y
  2⤵
  PID:4760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share r$ /delete /y
    3⤵
    PID:3692
- C:\Windows\system32\net.exe
  net share s$ /delete /y
  2⤵
  PID:4952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share s$ /delete /y
    3⤵
    PID:2532
- C:\Windows\system32\net.exe
  net share t$ /delete /y
  2⤵
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share t$ /delete /y
    3⤵
    PID:2692
- C:\Windows\system32\net.exe
  net share u$ /delete /y
  2⤵
  PID:4636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share u$ /delete /y
    3⤵
    PID:316
- C:\Windows\system32\net.exe
  net share v$ /delete /y
  2⤵
  PID:4380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share v$ /delete /y
    3⤵
    PID:3192
- C:\Windows\system32\net.exe
  net share w$ /delete /y
  2⤵
  PID:4828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share w$ /delete /y
    3⤵
    PID:4908
- C:\Windows\system32\net.exe
  net share x$ /delete /y
  2⤵
  PID:2128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share x$ /delete /y
    3⤵
    PID:1536
- C:\Windows\system32\net.exe
  net share y$ /delete /y
  2⤵
  PID:3244
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share y$ /delete /y
    3⤵
    PID:328
- C:\Windows\system32\net.exe
  net share z$ /delete /y
  2⤵
  PID:4120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share z$ /delete /y
    3⤵
    PID:4148
- C:\Windows\system32\net.exe
  net share print$ /delete /y
  2⤵
  PID:4364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share print$ /delete /y
    3⤵
    PID:1572
- C:\Windows\system32\net.exe
  net share My Documents /delete /y
  2⤵
  PID:1524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share My Documents /delete /y
    3⤵
    PID:2412
- C:\Windows\system32\net.exe
  net share Shared Docs /delete /y
  2⤵
  PID:1416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share Shared Docs /delete /y
    3⤵
    PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share i$ /delete /y
1⤵
PID:4528

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads