7ce2104ee4282e0538a6b3ee829da46cdc80ad1964972dadfb98924e95a134b3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 12:34

Target

IIS Compress - Off.cmd
Size

897B
MD5

8b6f3daa7d23b5874ef5bb5c90181719
SHA1

e108ba8cd6811910414518008ea70a28757847b4
SHA256

7ce2104ee4282e0538a6b3ee829da46cdc80ad1964972dadfb98924e95a134b3
SHA512

573a1fb608f39e91569f8ad069b4be5c71df2da57125e0fef5712b5c0a6f6f8886d5e38ab9a133030172c9081203af8961df64d77842493c332e85ce7db0b33a

Score

1^/10

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3024	2944	cmd.exe	29
PID 2944 wrote to memory of 3024	2944	cmd.exe	29
PID 2944 wrote to memory of 3024	2944	cmd.exe	29
PID 2944 wrote to memory of 2584	2944	cmd.exe	30
PID 2944 wrote to memory of 2584	2944	cmd.exe	30
PID 2944 wrote to memory of 2584	2944	cmd.exe	30
PID 2944 wrote to memory of 2824	2944	cmd.exe	31
PID 2944 wrote to memory of 2824	2944	cmd.exe	31
PID 2944 wrote to memory of 2824	2944	cmd.exe	31
PID 2944 wrote to memory of 2684	2944	cmd.exe	32
PID 2944 wrote to memory of 2684	2944	cmd.exe	32
PID 2944 wrote to memory of 2684	2944	cmd.exe	32
PID 2944 wrote to memory of 2452	2944	cmd.exe	33
PID 2944 wrote to memory of 2452	2944	cmd.exe	33
PID 2944 wrote to memory of 2452	2944	cmd.exe	33
PID 2944 wrote to memory of 3056	2944	cmd.exe	34
PID 2944 wrote to memory of 3056	2944	cmd.exe	34
PID 2944 wrote to memory of 3056	2944	cmd.exe	34
PID 2944 wrote to memory of 2648	2944	cmd.exe	35
PID 2944 wrote to memory of 2648	2944	cmd.exe	35
PID 2944 wrote to memory of 2648	2944	cmd.exe	35
PID 2944 wrote to memory of 2700	2944	cmd.exe	36
PID 2944 wrote to memory of 2700	2944	cmd.exe	36
PID 2944 wrote to memory of 2700	2944	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\IIS Compress - Off.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/parameters/HcDoDynamicCompression false
  2⤵
  PID:3024
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/parameters/HcDoStaticCompression false
  2⤵
  PID:2584
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/gzip/hcdynamiccompressionlevel "0"
  2⤵
  PID:2824
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/deflate/hcdynamiccompressionlevel "0"
  2⤵
  PID:2684
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/gzip/hcscriptfileextensions "cfm"
  2⤵
  PID:2452
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/deflate/hcscriptfileextensions "cfm"
  2⤵
  PID:3056
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/gzip/hcfileextensions "vbs"
  2⤵
  PID:2648
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/deflate/hcfileextensions "vbs"
  2⤵
  PID:2700