cb7653191edd27c793fd241dd0b88ae1a17862a75e3528ecc33cbca6c3ea55c6

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 19:00

Target

Batlez-Tweaks-main/Batlez Tweaks.bat
Size

55KB
MD5

02914e5ea9da3333c04c705db74e20cb
SHA1

f4ad17376a265bf573f86a8826d8af363efc8959
SHA256

39f3b2b47116bd2b48a9fda34127fba4eab186ffe11ff10e6acbfd4e55c5d644
SHA512

1482f2680033cafb219dcc9bd1cef365b437ddeaa76fc8452813af304c4343e967e5f78cb67db8ff18dbf41aff6b051342cf1960ea45b3c0b196912525080d67
SSDEEP

384:GPHNQNPJqyBO3Ba8f5BYkQzfBD9J27wYoFW5C0jnr9Q/GjviHcZgIgCbjrCEMa5D:mOl9BEBl1QztChRtht1MF+VSnU0u

Score

1^/10

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2692	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1952	1736	cmd.exe	29
PID 1736 wrote to memory of 1952	1736	cmd.exe	29
PID 1736 wrote to memory of 1952	1736	cmd.exe	29
PID 1952 wrote to memory of 2804	1952	powershell.exe	30
PID 1952 wrote to memory of 2804	1952	powershell.exe	30
PID 1952 wrote to memory of 2804	1952	powershell.exe	30
PID 2804 wrote to memory of 2364	2804	cmd.exe	32
PID 2804 wrote to memory of 2364	2804	cmd.exe	32
PID 2804 wrote to memory of 2364	2804	cmd.exe	32
PID 2804 wrote to memory of 2692	2804	cmd.exe	33
PID 2804 wrote to memory of 2692	2804	cmd.exe	33
PID 2804 wrote to memory of 2692	2804	cmd.exe	33
PID 2804 wrote to memory of 2712	2804	cmd.exe	34
PID 2804 wrote to memory of 2712	2804	cmd.exe	34
PID 2804 wrote to memory of 2712	2804	cmd.exe	34
PID 2804 wrote to memory of 2776	2804	cmd.exe	35
PID 2804 wrote to memory of 2776	2804	cmd.exe	35
PID 2804 wrote to memory of 2776	2804	cmd.exe	35
PID 2804 wrote to memory of 3012	2804	cmd.exe	36
PID 2804 wrote to memory of 3012	2804	cmd.exe	36
PID 2804 wrote to memory of 3012	2804	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Batlez-Tweaks-main\Batlez Tweaks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\Batlez-Tweaks-main\Batlez Tweaks.bat"' am_admin
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Batlez-Tweaks-main\Batlez Tweaks.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2364
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:2692
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2712
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2776
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3012

memory/1952-4-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1952-5-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1952-6-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1952-7-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/1952-8-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1952-9-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1952-10-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1952-11-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download