9f4189a5317da63ebdd502c9a26f9f4f7661d4354f83c3be36e60a33fa93a067

Analysis

max time kernel
27s
max time network
74s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
21/02/2024, 15:27

Target

data/flutter_assets/assets/build/stop.bat
Size

51B
MD5

436d2761b340d602ecea89246c1f304b
SHA1

0ea7cde3ed0000cf0a23c63065b05cd41b4630bc
SHA256

ce49ee1e5e182a6ee94585a9957928470cd22ec66847df96daa2c7dea3f94753
SHA512

71f676f597d0426ab668441744c59f1e07eb25466157cc9be20d28c4eed01e9037144ad2a2e4f74182158fb07be3c1fb0dcd3138e801b00be8cd9bb8e5325148

Score

1^/10

Kills process with taskkill 2 IoCs

evasion

pid	Process
3452	taskkill.exe
764	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 764	2520	cmd.exe	75
PID 2520 wrote to memory of 764	2520	cmd.exe	75
PID 2520 wrote to memory of 3452	2520	cmd.exe	77
PID 2520 wrote to memory of 3452	2520	cmd.exe	77

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\data\flutter_assets\assets\build\stop.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\taskkill.exe
  taskkill /f /im winrar.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\system32\taskkill.exe
  taskkill /f /im tar.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3452