71492a3bc9fb4d0bc84ae15f7bc1f2fe432222cf12cdf9650906a47ac3beff68

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 14:53

Target

celeryfixv3.bat
Size

869B
MD5

82f3c770640055b468a0a53a285ce361
SHA1

f5a4f847eb983873347e83cbe7cb8cd5d23d20ab
SHA256

71492a3bc9fb4d0bc84ae15f7bc1f2fe432222cf12cdf9650906a47ac3beff68
SHA512

350836d40b150004233f40252d7b519a7afb398592dcd33bed521434fe80a649999733459e62e89015d44df2ab526786e7e49018f1591f74f42ee8e46246d47c

Score

1^/10

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4840	1372	cmd.exe	85
PID 1372 wrote to memory of 4840	1372	cmd.exe	85
PID 1372 wrote to memory of 3436	1372	cmd.exe	86
PID 1372 wrote to memory of 3436	1372	cmd.exe	86
PID 1372 wrote to memory of 4912	1372	cmd.exe	87
PID 1372 wrote to memory of 4912	1372	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\celeryfixv3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4840
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
  2⤵
  - Modifies registry key
  PID:3436
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
  2⤵
  - Modifies registry key
  PID:4912

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact