99dda908d9a3c3e697a9b2a42b765ca60ae5b404ffb651312ac8e2ddab9ef9fc

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 13:23

Target

FindDuquRunme.bat
Size

150B
MD5

eaeae4eab186eb700da1169e8134a054
SHA1

c188e715e860535363c39adbdedae0179eb976e9
SHA256

dff42118e67c38ffec2192aa44ed3407848e2ddeb429bf662e2bf4db708cef5d
SHA512

2b2cc16aa82e098231366ceea7f47c6fce5a39cf1ef703f7df9c7be88a97ad7c14b18f575cfd1933c849ede6d1a6c77db90cf9239434b848f9056080064d1fc4

Score

1^/10

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1624	3012	cmd.exe	21
PID 3012 wrote to memory of 1624	3012	cmd.exe	21
PID 3012 wrote to memory of 1624	3012	cmd.exe	21
PID 3012 wrote to memory of 1624	3012	cmd.exe	21
PID 3012 wrote to memory of 2936	3012	cmd.exe	23
PID 3012 wrote to memory of 2936	3012	cmd.exe	23
PID 3012 wrote to memory of 2936	3012	cmd.exe	23
PID 3012 wrote to memory of 2936	3012	cmd.exe	23
PID 3012 wrote to memory of 3036	3012	cmd.exe	22
PID 3012 wrote to memory of 3036	3012	cmd.exe	22
PID 3012 wrote to memory of 3036	3012	cmd.exe	22
PID 3012 wrote to memory of 3036	3012	cmd.exe	22
PID 3012 wrote to memory of 2328	3012	cmd.exe	32
PID 3012 wrote to memory of 2328	3012	cmd.exe	32
PID 3012 wrote to memory of 2328	3012	cmd.exe	32
PID 3012 wrote to memory of 2328	3012	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\FindDuquRunme.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\FindDuquSys.exe
  FindDuquSys.exe .\duqudetector_log.txt
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\FindPNFnoINF.exe
  FindPNFnoINF.exe .\duqudetector_log.txt
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\FindDuquTmp.exe
  FindDuquTmp.exe .\duqudetector_log.txt
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\CalcPNFEntropy.exe
  CalcPNFEntropy.exe .\duqudetector_log.txt
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2328

C:\Users\Admin\AppData\Local\Temp\duqudetector_log.txt

Filesize
466B

MD5
165a1eabe8d07d2b29be58045c7bcbbd

SHA1
5d0039fff8cbd5c58ee93a664ec6529136e2bfdf

SHA256
090bc1939ff88e1ee0219a36a491aabf0974eeb553be8feb52964f3dcc2c7e65

SHA512
c4ef2470d0f046d3267fc17618b9bec3aa4089dce4e757a4f1a983fd43b631e92cb005ffa986d731bb1c1ad270f283ee5904d96c8791591563c31832ee15587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\duqudetector_log.txt

Filesize
568B

MD5
f2a58e19bd3b9d40cb4c8ab8a0f8f287

SHA1
1ee99464b8105f9383bc984bdb5a408417dc56e6

SHA256
e13da5c1c1f39fd54924c40c6bb8a7d631aa3c2869d399949e8a3ad0f5971ee8

SHA512
e68c67441a03594529b6281168c06230173f0d27934c6474fd539fd4afcd31ebfeccd69f44377f5f8430755ed693b5c4d8cf2e50f8960059a3799614ec657227

Download Submit
C:\Users\Admin\AppData\Local\Temp\duqudetector_log.txt

Filesize
674B

MD5
16e56d5f83ca5cefffcd95c2f0f70c83

SHA1
5e19119f084d0c970140aa7b7acfc99792172d65

SHA256
0e0f4cd37e81effa180aecc35967c7ef83bdd5752180959969040679049c8f60

SHA512
86567163b3d5e8b3669800aa50c3987c82d7b78549e9675360574bf989a89c0778dc1d1f2022bbcf61cb0175b9363412f0a11090601524c7726db6d0cc34d841

Download Submit