52fe4c7867042a5e60df8e2d74ac9fff51d906374ba3d7299c0ee8bc46f59529

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 16:54

Target

Public/run.bat
Size

15KB
MD5

dc3e558fcc4e091a57ed9eafc47db270
SHA1

acf2de4e069dda1de34866cb5d953efeb6d50455
SHA256

17a08894935a660cae3bb1b5bcb3c55984138b7f46e5fae038c8482830618226
SHA512

365d2cbe3e6b60e34578ebc228d7715d893b15e9d893b18194d947fa2e1b5163c990873821ce85a964e67fb03ad84666119f62a978f5535a9b17b1487e535ed2
SSDEEP

192:XkZPtqxvl6V1pWhirR1mTCX1ww7CvFTm13Tvo4H45nZuejKkw7Q6fgXc9cb:UpOAVysO0QvU9Q4n1g7

Score

1^/10

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 1280	4644	cmd.exe	88
PID 4644 wrote to memory of 1280	4644	cmd.exe	88
PID 4644 wrote to memory of 1280	4644	cmd.exe	88
PID 4644 wrote to memory of 4640	4644	cmd.exe	92
PID 4644 wrote to memory of 4640	4644	cmd.exe	92
PID 4644 wrote to memory of 4640	4644	cmd.exe	92
PID 4640 wrote to memory of 5024	4640	adb.exe	93
PID 4640 wrote to memory of 5024	4640	adb.exe	93
PID 4640 wrote to memory of 5024	4640	adb.exe	93
PID 4644 wrote to memory of 4684	4644	cmd.exe	96
PID 4644 wrote to memory of 4684	4644	cmd.exe	96
PID 4684 wrote to memory of 3288	4684	cmd.exe	97
PID 4684 wrote to memory of 3288	4684	cmd.exe	97
PID 4684 wrote to memory of 3288	4684	cmd.exe	97
PID 4644 wrote to memory of 640	4644	cmd.exe	98
PID 4644 wrote to memory of 640	4644	cmd.exe	98
PID 640 wrote to memory of 2324	640	cmd.exe	99
PID 640 wrote to memory of 2324	640	cmd.exe	99
PID 640 wrote to memory of 2324	640	cmd.exe	99
PID 4644 wrote to memory of 4044	4644	cmd.exe	102
PID 4644 wrote to memory of 4044	4644	cmd.exe	102
PID 4044 wrote to memory of 4936	4044	cmd.exe	101
PID 4044 wrote to memory of 4936	4044	cmd.exe	101
PID 4044 wrote to memory of 4936	4044	cmd.exe	101
PID 4044 wrote to memory of 740	4044	cmd.exe	100
PID 4044 wrote to memory of 740	4044	cmd.exe	100
PID 4644 wrote to memory of 1404	4644	cmd.exe	104
PID 4644 wrote to memory of 1404	4644	cmd.exe	104
PID 1404 wrote to memory of 1336	1404	cmd.exe	103
PID 1404 wrote to memory of 1336	1404	cmd.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Public\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\Public\tools\adb.exe
  tools\adb kill-server
  2⤵
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\Public\tools\adb.exe
  tools\adb start-server
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\Public\tools\adb.exe
    adb fork-server server
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tools\adb devices
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\Public\tools\adb.exe
    tools\adb devices
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tools\fastboot devices
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\Public\tools\fastboot.exe
    tools\fastboot devices
    3⤵
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tools\adb shell idme ? | find /I "bootmode"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\Public\run.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404

C:\Users\Admin\AppData\Local\Temp\Public\tools\adb.exe
tools\adb shell idme ?
1⤵
PID:4936

C:\Windows\system32\findstr.exe
findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\Public\run.bat"
1⤵
PID:1336

memory/2324-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download