05c740253af5337a1e4803e3d4b6a48f8696ace1622ec6ba5d275a3d8d5808e8

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 05:11

Target

recovery.bat
Size

1KB
MD5

ce7e3f687cd0e0c822bce6cd3038eb0e
SHA1

e05a0d6552f6e88cbdac4a0500cf9ef9f4baafa9
SHA256

05c740253af5337a1e4803e3d4b6a48f8696ace1622ec6ba5d275a3d8d5808e8
SHA512

90d4cdcd801251f5e38b6bd40fabf59372aef8da30278f5e8bd69e8db9d506e62d64e25de2cb1aa75994d981fc52b3733b272a937d927bf5cb80eb9f3a50415b

Score

1^/10

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4104	1280	cmd.exe	89
PID 1280 wrote to memory of 4104	1280	cmd.exe	89
PID 1280 wrote to memory of 1736	1280	cmd.exe	90
PID 1280 wrote to memory of 1736	1280	cmd.exe	90
PID 1280 wrote to memory of 3024	1280	cmd.exe	91
PID 1280 wrote to memory of 3024	1280	cmd.exe	91
PID 1280 wrote to memory of 3936	1280	cmd.exe	93
PID 1280 wrote to memory of 3936	1280	cmd.exe	93
PID 1280 wrote to memory of 1808	1280	cmd.exe	94
PID 1280 wrote to memory of 1808	1280	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\recovery.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.enc"
  2⤵
  PID:4104
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4626.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4626.txt.enc"
  2⤵
  PID:1736
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI465D.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI465D.txt.enc"
  2⤵
  PID:3024
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4626.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4626.txt.enc"
  2⤵
  PID:3936
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI465D.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI465D.txt.enc"
  2⤵
  PID:1808