91ac6efae3d1175354489d6bd9a05451fabcce8c7d6a3cd920ab41db722ea3de

Analysis

max time kernel
15s
max time network
32s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 20:54

Reason

Machine shutdown

Target

Steam+.bat
Size

269B
MD5

e74528538fca5cb2597f9d2e7b7b98f9
SHA1

cb60de7e1a532bff2ae9547ad098211736b20b16
SHA256

91ac6efae3d1175354489d6bd9a05451fabcce8c7d6a3cd920ab41db722ea3de
SHA512

74feab064ea5662ad680016b5603062aa64a664119576b620c3fc44930904a89dc6840717c39bc98c558b0cd952fd722ea43d24e960c526b7959d18c63c7a507

Score

5^/10

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\AdvancedInstallers\cmiadapter.dll	cmd.exe
File opened for modification	C:\Windows\System32\AdvancedInstallers\cmiv2.dll	cmd.exe
File opened for modification	C:\Windows\System32\AdvancedInstallers\CntrtextInstaller.DLL	cmd.exe
File opened for modification	C:\Windows\System32\AdvancedInstallers\OEMHelpIns.dll	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\msimsg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\bg-BG\comdlg32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\comdlg32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\mlang.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\msprivs.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\bg-BG\msimsg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\AdvancedInstallers\cmitrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\cdosys.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\bg-BG\comctl32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\bg-BG\fms.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\bg-BG\mlang.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\AdvancedInstallers\locdrv.dll	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\comctl32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ar-SA\fms.dll.mui	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2808	shutdown.exe
Token: SeRemoteShutdownPrivilege	2808	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2620	2604	cmd.exe	31
PID 2604 wrote to memory of 2620	2604	cmd.exe	31
PID 2604 wrote to memory of 2620	2604	cmd.exe	31
PID 2604 wrote to memory of 2808	2604	cmd.exe	32
PID 2604 wrote to memory of 2808	2604	cmd.exe	32
PID 2604 wrote to memory of 2808	2604	cmd.exe	32
PID 2604 wrote to memory of 2812	2604	cmd.exe	34
PID 2604 wrote to memory of 2812	2604	cmd.exe	34
PID 2604 wrote to memory of 2812	2604	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Steam+.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\msg.exe
  msg * "I HAVE YOUR DATA, YOUR COMPUTER WILL TURN OFF IN 30 SECONDS, ENJOY IT WHILE YOU CAN."
  2⤵
  PID:2620
- C:\Windows\system32\shutdown.exe
  shutdown -r -t 30
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2812

memory/2512-1-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2768-0-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download