a2e8843e56a343eb851c92463c123b06c2edc8a7c4704ec51e4ba42405cdb9b4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 10:06

Target

SALIKHACK/SALIKHACK.bat
Size

238B
MD5

21a67af3a0e70534daf91c971545bc80
SHA1

23141575d04651a2cd778a33732805c468033ef0
SHA256

940dd6c2693be78a671cad250f75a5b5324b3350e2b2fc1cfc098293b934fdb3
SHA512

b79f1dd26beee4a6995b0d67f112e4dff152d05822e8482579b6bdbd414b06cfbdeb6f55f4cb41d1821e6e7b98bfa3852e1d163355b3de5cd985373f8a333e66

Score

1^/10

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1276	2420	cmd.exe	29
PID 2420 wrote to memory of 1276	2420	cmd.exe	29
PID 2420 wrote to memory of 1276	2420	cmd.exe	29
PID 2420 wrote to memory of 2596	2420	cmd.exe	30
PID 2420 wrote to memory of 2596	2420	cmd.exe	30
PID 2420 wrote to memory of 2596	2420	cmd.exe	30
PID 2420 wrote to memory of 2060	2420	cmd.exe	31
PID 2420 wrote to memory of 2060	2420	cmd.exe	31
PID 2420 wrote to memory of 2060	2420	cmd.exe	31
PID 2060 wrote to memory of 2600	2060	net.exe	32
PID 2060 wrote to memory of 2600	2060	net.exe	32
PID 2060 wrote to memory of 2600	2060	net.exe	32
PID 2420 wrote to memory of 2388	2420	cmd.exe	33
PID 2420 wrote to memory of 2388	2420	cmd.exe	33
PID 2420 wrote to memory of 2388	2420	cmd.exe	33
PID 2388 wrote to memory of 2308	2388	net.exe	34
PID 2388 wrote to memory of 2308	2388	net.exe	34
PID 2388 wrote to memory of 2308	2388	net.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SALIKHACK\SALIKHACK.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f
  2⤵
  PID:1276
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v CompositionPolicy /t reg_dword /d 00000002 /f
  2⤵
  PID:2596
- C:\Windows\system32\net.exe
  net stop uxsms
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop uxsms
    3⤵
    PID:2600
- C:\Windows\system32\net.exe
  net start uxsms
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start uxsms
    3⤵
    PID:2308