ad8b8ec9ca1d21da70644ae44cc8d8c0790a260d608f2d175451c89184e8045f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 07:20

Target

ad8b8ec9ca1d21da70644ae44cc8d8c0790a260d608f2d175451c89184e8045f.bat
Size

3KB
MD5

69293d9f99b8f43387e198911865e580
SHA1

e0168044f352e0dffa43de18a3ced26a5726d94d
SHA256

ad8b8ec9ca1d21da70644ae44cc8d8c0790a260d608f2d175451c89184e8045f
SHA512

79e939a193d7572f2c39133b01f50fba510851233b8931814cc3ef68ceb6b859296db5757cf260cac570b311ab83b26848d5fa47cd6ddd6bf0c3a21cd446d447

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2724	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2860	2776	cmd.exe	31
PID 2776 wrote to memory of 2860	2776	cmd.exe	31
PID 2776 wrote to memory of 2860	2776	cmd.exe	31
PID 2776 wrote to memory of 2768	2776	cmd.exe	32
PID 2776 wrote to memory of 2768	2776	cmd.exe	32
PID 2776 wrote to memory of 2768	2776	cmd.exe	32
PID 2768 wrote to memory of 2724	2768	cmd.exe	33
PID 2768 wrote to memory of 2724	2768	cmd.exe	33
PID 2768 wrote to memory of 2724	2768	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ad8b8ec9ca1d21da70644ae44cc8d8c0790a260d608f2d175451c89184e8045f.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo %oD26DrgEWQgG% "
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell.exe -exec bypass -nop -win 1 -
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -exec bypass -nop -win 1 -
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

memory/2724-4-0x000007FEF460E000-0x000007FEF460F000-memory.dmp

Filesize
4KB

Download
memory/2724-5-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2724-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2724-7-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2724-8-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2724-9-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download
memory/2724-10-0x000007FEF460E000-0x000007FEF460F000-memory.dmp

Filesize
4KB

Download
memory/2724-11-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

Filesize
9.6MB

Download