Analysis

Max time kernel: 130s
Max time network: 98s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-05-2024 12:24

Static task: static1
Behavioral task: behavioral1
Sample: fix.bat
Resource: win7-20240221-en (windows7-x64)
4 signatures
150 seconds
General

Target: fix.bat
Size: 526 B
MD5: 09c8df73c596e42192d21911d35c9ec4
SHA1: c6caa0111023bf4aca8ff072c9f8c86b100922bf
SHA256: 1b409fcfd4480085fc4ae1125c358a2637084eb4133ac97353ab982c85029254
SHA512: f64cf91fb03e805784790096e00b3e844446e504b2bbdf40fff70461b025bfe62cfc73a00466b0fc7fb73018f2237a5450345a65af026078456238f2a71c991e
Malware Config

Signatures

Launches sc.exe (6 IoCs)
Sc.exe is a Windows utility to control services on the system.

  pid   Process
  2748  sc.exe
  3580  sc.exe
  4408  sc.exe
  2556  sc.exe
  3900  sc.exe
  1860  sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory (18 IoCs)

  description                       pid   Process  procid_target
  PID 1336 wrote to memory of 2556  1336  cmd.exe  84
  PID 1336 wrote to memory of 2556  1336  cmd.exe  84
  PID 1336 wrote to memory of 3900  1336  cmd.exe  85
  PID 1336 wrote to memory of 3900  1336  cmd.exe  85
  PID 1336 wrote to memory of 1860  1336  cmd.exe  87
  PID 1336 wrote to memory of 1860  1336  cmd.exe  87
  PID 1336 wrote to memory of 2748  1336  cmd.exe  88
  PID 1336 wrote to memory of 2748  1336  cmd.exe  88
  PID 1336 wrote to memory of 3580  1336  cmd.exe  89
  PID 1336 wrote to memory of 3580  1336  cmd.exe  89
  PID 1336 wrote to memory of 4408  1336  cmd.exe  90
  PID 1336 wrote to memory of 4408  1336  cmd.exe  90
  PID 1336 wrote to memory of 1988  1336  cmd.exe  91
  PID 1336 wrote to memory of 1988  1336  cmd.exe  91
  PID 1336 wrote to memory of 5116  1336  cmd.exe  92
  PID 1336 wrote to memory of 5116  1336  cmd.exe  92
  PID 5116 wrote to memory of 5060  5116  net.exe  93
  PID 5116 wrote to memory of 5060  5116  net.exe  93
Processes

C:\Windows\system32\cmd.exe (PID 1336)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fix.bat"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\sc.exe (PID 2556)
    Command line: sc stop wuauserv
    Signatures: Launches sc.exe

  C:\Windows\system32\sc.exe (PID 3900)
    Command line: sc config wuauserv start=disabled
    Signatures: Launches sc.exe

  C:\Windows\system32\sc.exe (PID 1860)
    Command line: sc stop WSearch
    Signatures: Launches sc.exe

  C:\Windows\system32\sc.exe (PID 2748)
    Command line: sc config WSearch start=disabled
    Signatures: Launches sc.exe

  C:\Windows\system32\sc.exe (PID 3580)
    Command line: sc stop SysMain
    Signatures: Launches sc.exe

  C:\Windows\system32\sc.exe (PID 4408)
    Command line: sc config SysMain start=disabled
    Signatures: Launches sc.exe

  C:\Windows\system32\reg.exe (PID 1988)
    Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  C:\Windows\system32\net.exe (PID 5116)
    Command line: net stop WinDefend
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe (PID 5060)
      Command line: C:\Windows\system32\net1 stop WinDefend