20092b0b534d5056c4f943c0fac89b1a98feb5ab71ac2e8b445a10b4429b9f98

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 01:20

Target

8157687eb625b9e783b8dbe8cf4d6173.bat
Size

1KB
MD5

8157687eb625b9e783b8dbe8cf4d6173
SHA1

1dde19b8b03353325c1edc16f4f93c504ec3db7f
SHA256

20092b0b534d5056c4f943c0fac89b1a98feb5ab71ac2e8b445a10b4429b9f98
SHA512

83852fdd32ba5d1caa647b73e195072359d5729c348feb88d8cd8ef70f4b804deb563d84f90c9a561afeaca0a67017011db549045099e01fa3d94da1dda17195

Score

1^/10

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2772	timeout.exe
2792	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2808	2036	cmd.exe	29
PID 2036 wrote to memory of 2808	2036	cmd.exe	29
PID 2036 wrote to memory of 2808	2036	cmd.exe	29
PID 2808 wrote to memory of 2952	2808	cmd.exe	31
PID 2808 wrote to memory of 2952	2808	cmd.exe	31
PID 2808 wrote to memory of 2952	2808	cmd.exe	31
PID 2808 wrote to memory of 2616	2808	cmd.exe	32
PID 2808 wrote to memory of 2616	2808	cmd.exe	32
PID 2808 wrote to memory of 2616	2808	cmd.exe	32
PID 2616 wrote to memory of 1700	2616	cmd.exe	33
PID 2616 wrote to memory of 1700	2616	cmd.exe	33
PID 2616 wrote to memory of 1700	2616	cmd.exe	33
PID 2616 wrote to memory of 2988	2616	cmd.exe	34
PID 2616 wrote to memory of 2988	2616	cmd.exe	34
PID 2616 wrote to memory of 2988	2616	cmd.exe	34
PID 2808 wrote to memory of 2772	2808	cmd.exe	35
PID 2808 wrote to memory of 2772	2808	cmd.exe	35
PID 2808 wrote to memory of 2772	2808	cmd.exe	35
PID 2808 wrote to memory of 2792	2808	cmd.exe	36
PID 2808 wrote to memory of 2792	2808	cmd.exe	36
PID 2808 wrote to memory of 2792	2808	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\8157687eb625b9e783b8dbe8cf4d6173.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\script.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command ""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh wlan show profile | find " All User Profile :"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:1700
  - - C:\Windows\system32\find.exe
      find " All User Profile :"
      4⤵
      PID:2988
- - C:\Windows\system32\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\Windows\system32\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2792

C:\Users\Admin\AppData\Local\Temp\script.cmd

Filesize
1KB

MD5
8157687eb625b9e783b8dbe8cf4d6173

SHA1
1dde19b8b03353325c1edc16f4f93c504ec3db7f

SHA256
20092b0b534d5056c4f943c0fac89b1a98feb5ab71ac2e8b445a10b4429b9f98

SHA512
83852fdd32ba5d1caa647b73e195072359d5729c348feb88d8cd8ef70f4b804deb563d84f90c9a561afeaca0a67017011db549045099e01fa3d94da1dda17195

Download Submit
memory/2952-7-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2952-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2952-9-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-10-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2952-11-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2952-13-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2952-12-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2952-14-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

Filesize
9.6MB

Download