2d3350d5efeed9d0f2d50ea39fdc4824cfc452594aaa621d730249ca65ded1f3

General

Target

Infinitycrash.bat
Size

363B
MD5

b31cb5cb824da4d9b935fa908d002b34
SHA1

0e743230273dd0390dc9f3f0b59f4a64c88bccd0
SHA256

2d3350d5efeed9d0f2d50ea39fdc4824cfc452594aaa621d730249ca65ded1f3
SHA512

16d668b73e49c11e321de2b5d0a9f50d0da59268f909d44df5573f06494a1f9f27c6d2f7c72b07e8bd7cc2e606aa5df8966a5fb438ec0bb647a234272f74a174

Score

4^/10

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	4104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4104	AUDIODG.EXE
Token: SeTcbPrivilege	4464	svchost.exe
Token: SeRestorePrivilege	4464	svchost.exe
Token: SeDebugPrivilege	1644	taskmgr.exe
Token: SeSystemProfilePrivilege	1644	taskmgr.exe
Token: SeCreateGlobalPrivilege	1644	taskmgr.exe
Token: 33	1644	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1644	taskmgr.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Suspicious use of SendNotifyMessage 39 IoCs

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 392	2852	cmd.exe	73
PID 2852 wrote to memory of 392	2852	cmd.exe	73
PID 2852 wrote to memory of 1436	2852	cmd.exe	74
PID 2852 wrote to memory of 1436	2852	cmd.exe	74
PID 2852 wrote to memory of 2920	2852	cmd.exe	75
PID 2852 wrote to memory of 2920	2852	cmd.exe	75
PID 2852 wrote to memory of 208	2852	cmd.exe	76
PID 2852 wrote to memory of 208	2852	cmd.exe	76
PID 4464 wrote to memory of 3368	4464	svchost.exe	79
PID 4464 wrote to memory of 3368	4464	svchost.exe	79

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Infinitycrash.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:autoexec.bat
  2⤵
  - Views/modifies file attributes
  PID:392
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:boot.ini
  2⤵
  - Views/modifies file attributes
  PID:1436
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:ntldr
  2⤵
  - Views/modifies file attributes
  PID:2920
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:windowswin.ini
  2⤵
  - Views/modifies file attributes
  PID:208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\system32\dashost.exe
  dashost.exe {ae46e400-f4ea-4b0d-8b7bf0ace4f7882d}
  2⤵
  PID:3368