89fe592e5b40bdd0ff3850893f50d3e178efa6bfaeb7dc64fba4a7d3841327a2

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:12

Target

yes.bat
Size

4KB
MD5

0ce7a6b2c21f3f15472a20687662625e
SHA1

93d69bad32ba246f22ea02a5f5696c34aea292c0
SHA256

89fe592e5b40bdd0ff3850893f50d3e178efa6bfaeb7dc64fba4a7d3841327a2
SHA512

6d5ebcb5c38b2d56627daaf9b7f262bb95d1dc6871214c207c2daec3f95464f69e50ee70480c97cc4ce1e343a61b3f2c4d49c8b1fefa73ac8b81d20287aa9763
SSDEEP

96:krExshDl8df//RcjGgydEDUjZzDffL5oEr6nriXoUi:kreshDetJcjTqEDUjZzbfL5KriYUi

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1148	4884	cmd.exe	87
PID 4884 wrote to memory of 1148	4884	cmd.exe	87
PID 4884 wrote to memory of 2384	4884	cmd.exe	88
PID 4884 wrote to memory of 2384	4884	cmd.exe	88
PID 4884 wrote to memory of 2212	4884	cmd.exe	89
PID 4884 wrote to memory of 2212	4884	cmd.exe	89

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\yes.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\system32\mode.com
  mode 75, 30
  2⤵
  PID:1148
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dr4513qw.05i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2212-9-0x0000018130F30000-0x0000018130F52000-memory.dmp

Filesize
136KB

Download
memory/2212-10-0x00007FFBD9610000-0x00007FFBDA0D1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-12-0x0000018130CB0000-0x0000018130CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-11-0x0000018130CB0000-0x0000018130CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-13-0x0000018130CB0000-0x0000018130CC0000-memory.dmp

Filesize
64KB

Download
memory/2212-16-0x00007FFBD9610000-0x00007FFBDA0D1000-memory.dmp

Filesize
10.8MB

Download