dff2e5bf24011b871956f8cf42804d5e73e4520f24a25963b31bb1dca6aa3312

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nekos Premium Tweaking Pack V2/Disable Power Saving (improved performance)/Disable Scheduled Tasks.bat
Size

923B
MD5

0421b921c3ca474b642b03458dddf8f9
SHA1

d8ff1aa80e9578bbee9f9a93d99106e5499bfaf9
SHA256

8baa64b59052ed613d1923c75927586d3bb49c472b9badf03a99edf2b7a9f002
SHA512

8823b3b312d33ae8072ee75618e74c7dd233158fc6f7debd0347613c4a0486d2a81fa16407d5b01e6f1929f2ec2aa329b39f97b47471e4547b19e9ddd3b3cd04

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2888	2376	cmd.exe	83
PID 2376 wrote to memory of 2888	2376	cmd.exe	83
PID 2376 wrote to memory of 1612	2376	cmd.exe	84
PID 2376 wrote to memory of 1612	2376	cmd.exe	84
PID 2376 wrote to memory of 2884	2376	cmd.exe	86
PID 2376 wrote to memory of 2884	2376	cmd.exe	86
PID 2376 wrote to memory of 1564	2376	cmd.exe	87
PID 2376 wrote to memory of 1564	2376	cmd.exe	87
PID 2376 wrote to memory of 3060	2376	cmd.exe	88
PID 2376 wrote to memory of 3060	2376	cmd.exe	88
PID 2376 wrote to memory of 4804	2376	cmd.exe	89
PID 2376 wrote to memory of 4804	2376	cmd.exe	89
PID 2376 wrote to memory of 3468	2376	cmd.exe	90
PID 2376 wrote to memory of 3468	2376	cmd.exe	90
PID 2376 wrote to memory of 784	2376	cmd.exe	91
PID 2376 wrote to memory of 784	2376	cmd.exe	91
PID 2376 wrote to memory of 1992	2376	cmd.exe	93
PID 2376 wrote to memory of 1992	2376	cmd.exe	93
PID 2376 wrote to memory of 2728	2376	cmd.exe	94
PID 2376 wrote to memory of 2728	2376	cmd.exe	94
PID 2376 wrote to memory of 3352	2376	cmd.exe	95
PID 2376 wrote to memory of 3352	2376	cmd.exe	95
PID 2376 wrote to memory of 2900	2376	cmd.exe	96
PID 2376 wrote to memory of 2900	2376	cmd.exe	96
PID 2376 wrote to memory of 3316	2376	cmd.exe	97
PID 2376 wrote to memory of 3316	2376	cmd.exe	97
PID 2376 wrote to memory of 1940	2376	cmd.exe	98
PID 2376 wrote to memory of 1940	2376	cmd.exe	98
PID 2376 wrote to memory of 2068	2376	cmd.exe	99
PID 2376 wrote to memory of 2068	2376	cmd.exe	99
PID 2376 wrote to memory of 1888	2376	cmd.exe	100
PID 2376 wrote to memory of 1888	2376	cmd.exe	100
PID 2376 wrote to memory of 4412	2376	cmd.exe	101
PID 2376 wrote to memory of 4412	2376	cmd.exe	101
PID 2376 wrote to memory of 3564	2376	cmd.exe	102
PID 2376 wrote to memory of 3564	2376	cmd.exe	102
PID 2376 wrote to memory of 1120	2376	cmd.exe	103
PID 2376 wrote to memory of 1120	2376	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Nekos Premium Tweaking Pack V2\Disable Power Saving (improved performance)\Disable Scheduled Tasks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
  2⤵
  PID:2888
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
  2⤵
  PID:1612
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
  2⤵
  PID:2884
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
  2⤵
  PID:1564
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
  2⤵
  PID:3060
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
  2⤵
  PID:4804
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
  2⤵
  PID:3468
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
  2⤵
  PID:784
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
  2⤵
  PID:1992
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
  2⤵
  PID:2728
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
  2⤵
  PID:3352
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /disable
  2⤵
  PID:2900
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /disable
  2⤵
  PID:3316
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Servicing\StartComponentCleanup" /disable
  2⤵
  PID:1940
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Recovery Environment\VerifyWinRE" /disable
  2⤵
  PID:2068
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\EDP\StorageCardEncryption Task" /disable
  2⤵
  PID:1888
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\BitLocker\BitLocker Encrypt All Drives" /disable
  2⤵
  PID:4412
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\BitLocker\BitLocker MDM policy Refresh" /disable
  2⤵
  PID:3564
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\ApplicationData\DsSvcCleanup" /disable
  2⤵
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads