430563c836c9fdf1cb2f63d0d349110b3c717735283ba07b2b70dcaebfdd4aed

Analysis

max time kernel
54s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 18:39

Target

MAS/Separate-Files-Version/Troubleshoot.cmd
Size

42KB
MD5

2d877ef8736f2023e6431cbf8b8c6e0c
SHA1

23d28dbdeda0dc6cfc6b59549b512b2d0ed6574d
SHA256

2ed0c5f3b399618f3e54d47e2028583fa3e456346395cc90027cb817b1143fd4
SHA512

a5af924d61518ad97e4ed7c6bcb6d8acdaf6644fa4dac538cfa23ed790ebaeba4dc06818605276f2c7c1e60017d77cf4692b3b389bbda1dad077ed29a954389d
SSDEEP

768:KYZi6jI+By2jDDBWr7ntf7BhI3XBlOLq4ZnrsxpjN:KD+ByCsFVhI3XC7A

Score

4^/10

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4548	sc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4548	3036	cmd.exe	31
PID 3036 wrote to memory of 4548	3036	cmd.exe	31
PID 3036 wrote to memory of 4272	3036	cmd.exe	22
PID 3036 wrote to memory of 4272	3036	cmd.exe	22
PID 3036 wrote to memory of 220	3036	cmd.exe	21
PID 3036 wrote to memory of 220	3036	cmd.exe	21
PID 3036 wrote to memory of 1220	3036	cmd.exe	30
PID 3036 wrote to memory of 1220	3036	cmd.exe	30
PID 3036 wrote to memory of 4020	3036	cmd.exe	29
PID 3036 wrote to memory of 4020	3036	cmd.exe	29
PID 3036 wrote to memory of 2532	3036	cmd.exe	28
PID 3036 wrote to memory of 2532	3036	cmd.exe	28
PID 3036 wrote to memory of 4784	3036	cmd.exe	23
PID 3036 wrote to memory of 4784	3036	cmd.exe	23
PID 4784 wrote to memory of 1976	4784	cmd.exe	27
PID 4784 wrote to memory of 1976	4784	cmd.exe	27
PID 4784 wrote to memory of 5040	4784	cmd.exe	26
PID 4784 wrote to memory of 5040	4784	cmd.exe	26
PID 3036 wrote to memory of 5084	3036	cmd.exe	24
PID 3036 wrote to memory of 5084	3036	cmd.exe	24
PID 3036 wrote to memory of 4804	3036	cmd.exe	25
PID 3036 wrote to memory of 4804	3036	cmd.exe	25

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS\Separate-Files-Version\Troubleshoot.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\findstr.exe
  findstr /v "$" "Troubleshoot.cmd"
  2⤵
  PID:220
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS\Separate-Files-Version\Troubleshoot.cmd" "
  2⤵
  PID:5084
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:4804
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2532
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1220
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:4548