Analysis
-
max time kernel
140s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 10:06
Behavioral task
behavioral1
Sample
SALIKHACK/SALIKHACK.bat
Resource
win7-20240508-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
SALIKHACK/SALIKHACK.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral3
Sample
SALIKHACK/SALIKHACK.exe
Resource
win7-20231129-en
windows7-x64
14 signatures
150 seconds
General
-
Target
SALIKHACK/SALIKHACK.bat
-
Size
238B
-
MD5
21a67af3a0e70534daf91c971545bc80
-
SHA1
23141575d04651a2cd778a33732805c468033ef0
-
SHA256
940dd6c2693be78a671cad250f75a5b5324b3350e2b2fc1cfc098293b934fdb3
-
SHA512
b79f1dd26beee4a6995b0d67f112e4dff152d05822e8482579b6bdbd414b06cfbdeb6f55f4cb41d1821e6e7b98bfa3852e1d163355b3de5cd985373f8a333e66
Score
1/10
Malware Config
Signatures
-
Runs net.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4984 wrote to memory of 4568 4984 cmd.exe 84 PID 4984 wrote to memory of 4568 4984 cmd.exe 84 PID 4984 wrote to memory of 4428 4984 cmd.exe 85 PID 4984 wrote to memory of 4428 4984 cmd.exe 85 PID 4984 wrote to memory of 2644 4984 cmd.exe 86 PID 4984 wrote to memory of 2644 4984 cmd.exe 86 PID 2644 wrote to memory of 2520 2644 net.exe 87 PID 2644 wrote to memory of 2520 2644 net.exe 87 PID 4984 wrote to memory of 1952 4984 cmd.exe 88 PID 4984 wrote to memory of 1952 4984 cmd.exe 88 PID 1952 wrote to memory of 2496 1952 net.exe 89 PID 1952 wrote to memory of 2496 1952 net.exe 89
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SALIKHACK\SALIKHACK.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f2⤵PID:4568
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v CompositionPolicy /t reg_dword /d 00000002 /f2⤵PID:4428
-
-
C:\Windows\system32\net.exenet stop uxsms2⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop uxsms3⤵PID:2520
-
-
-
C:\Windows\system32\net.exenet start uxsms2⤵
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start uxsms3⤵PID:2496
-
-