83b8a52adde102c118a5c8a47fc9e83155601e0ab423b1887fa68a5e34cce1e6

Analysis

max time kernel
1s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Пак/Специальн. твики/Network_Tweaks.bat
Size

3KB
MD5

257c9ccd5fa59498dbfcf75b07f30a73
SHA1

cd333e7847a91200d7281bc6d14f864908b1acfd
SHA256

d0a0f15415723601124794ccf93271fb5fac14b7c00c160dbddb7794968e802f
SHA512

26ebdc68c18a3006972030e32b05b69a9d949e10a312833818749aa109065f359a5eb5346d8ffe6c99dc3fc98f55aa7d384247d3e9fd3166605bbe901e4033f7

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1596	1740	cmd.exe	29
PID 1740 wrote to memory of 1596	1740	cmd.exe	29
PID 1740 wrote to memory of 1596	1740	cmd.exe	29
PID 1740 wrote to memory of 2248	1740	cmd.exe	30
PID 1740 wrote to memory of 2248	1740	cmd.exe	30
PID 1740 wrote to memory of 2248	1740	cmd.exe	30
PID 1740 wrote to memory of 2664	1740	cmd.exe	31
PID 1740 wrote to memory of 2664	1740	cmd.exe	31
PID 1740 wrote to memory of 2664	1740	cmd.exe	31
PID 1740 wrote to memory of 2772	1740	cmd.exe	32
PID 1740 wrote to memory of 2772	1740	cmd.exe	32
PID 1740 wrote to memory of 2772	1740	cmd.exe	32
PID 1740 wrote to memory of 3040	1740	cmd.exe	33
PID 1740 wrote to memory of 3040	1740	cmd.exe	33
PID 1740 wrote to memory of 3040	1740	cmd.exe	33
PID 1740 wrote to memory of 2364	1740	cmd.exe	34
PID 1740 wrote to memory of 2364	1740	cmd.exe	34
PID 1740 wrote to memory of 2364	1740	cmd.exe	34
PID 1740 wrote to memory of 2756	1740	cmd.exe	35
PID 1740 wrote to memory of 2756	1740	cmd.exe	35
PID 1740 wrote to memory of 2756	1740	cmd.exe	35
PID 1740 wrote to memory of 2968	1740	cmd.exe	36
PID 1740 wrote to memory of 2968	1740	cmd.exe	36
PID 1740 wrote to memory of 2968	1740	cmd.exe	36
PID 1740 wrote to memory of 2728	1740	cmd.exe	37
PID 1740 wrote to memory of 2728	1740	cmd.exe	37
PID 1740 wrote to memory of 2728	1740	cmd.exe	37
PID 1740 wrote to memory of 2556	1740	cmd.exe	38
PID 1740 wrote to memory of 2556	1740	cmd.exe	38
PID 1740 wrote to memory of 2556	1740	cmd.exe	38
PID 1740 wrote to memory of 2616	1740	cmd.exe	39
PID 1740 wrote to memory of 2616	1740	cmd.exe	39
PID 1740 wrote to memory of 2616	1740	cmd.exe	39
PID 1740 wrote to memory of 2300	1740	cmd.exe	40
PID 1740 wrote to memory of 2300	1740	cmd.exe	40
PID 1740 wrote to memory of 2300	1740	cmd.exe	40
PID 1740 wrote to memory of 2216	1740	cmd.exe	41
PID 1740 wrote to memory of 2216	1740	cmd.exe	41
PID 1740 wrote to memory of 2216	1740	cmd.exe	41

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Пак\Специальн. твики\Network_Tweaks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  PID:1596
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  PID:2248
- C:\Windows\system32\netsh.exe
  netsh int tcp set global dca=enabled
  2⤵
  PID:2664
- C:\Windows\system32\netsh.exe
  netsh int tcp set global netdma=enabled
  2⤵
  PID:2772
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=disabled
  2⤵
  PID:3040
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rss=enabled
  2⤵
  PID:2364
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  PID:2756
- C:\Windows\system32\netsh.exe
  netsh int tcp set global initialRto=2000
  2⤵
  PID:2968
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  PID:2728
- C:\Windows\system32\netsh.exe
  netsh int tcp set global maxsynretransmissions=2
  2⤵
  PID:2556
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled
  2⤵
  PID:2616
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  PID:2300
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  PID:2216
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetTCPSetting -SettingName InternetCustom -MinRto 300"
  2⤵
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetTCPSetting -SettingName InternetCustom -InitialCongestionWindow 10"
  2⤵
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetOffloadGlobalSetting -Chimney Disabled"
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "1" /f
  2⤵
  PID:488
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MinSockAddrLength" /t REG_DWORD /d "16" /f
  2⤵
  PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:2524
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:2076
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:2208
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DoNotHoldNicBuffers" /t REG_DWORD /d "1" /f
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{014DEDBE-9F72-44DF-8525-48012FE65E9F}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{014DEDBE-9F72-44DF-8525-48012FE65E9F}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  2⤵
  PID:1732
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{014DEDBE-9F72-44DF-8525-48012FE65E9F}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:1272
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:1316
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:628
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:1296
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MaxSockAddrLength" /t REG_DWORD /d "16" /f
  2⤵
  PID:1960
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "UseDelayedAcceptance" /t REG_DWORD /d "0" /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "30" /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
  2⤵
  PID:968
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
  2⤵
  PID:576
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
  2⤵
  PID:700

C:\Windows\system32\findstr.exe
findstr "{"
1⤵
PID:1680

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_networkadapter get GUID
1⤵
PID:772

C:\Windows\system32\findstr.exe
findstr "{"
1⤵
PID:564

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_networkadapter get GUID
1⤵
PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-32-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-33-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2816-34-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-35-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2816-38-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-36-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2816-37-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2908-24-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2908-23-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2908-25-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2908-26-0x000007FEF4E40000-0x000007FEF57DD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-20-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2908-21-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2908-18-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/2908-19-0x000007FEF4E40000-0x000007FEF57DD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-22-0x000007FEF4E40000-0x000007FEF57DD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-12-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-4-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2980-5-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-7-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2980-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2980-9-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2980-11-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2980-10-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2980-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads