01eb0d24c53c74c905ac1dcc3ec7c58c877ce6d70ce674d3624e989598819a9f

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 06:30

Target

setup.bat
Size

2KB
MD5

9a147586a690fc21a8d20181c264ef74
SHA1

d703e6edab34e8bd85ac711ee94ca40a2d3ba1cf
SHA256

01eb0d24c53c74c905ac1dcc3ec7c58c877ce6d70ce674d3624e989598819a9f
SHA512

fe706a4973bbd78c719d07cb2752b262825eaa7eb60170a13f85353966497ed2b80f0e244f01080565ed9a69f39630b2988a4aad93b0d07feaac4d157490f236

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2536	2540	cmd.exe	31
PID 2540 wrote to memory of 2536	2540	cmd.exe	31
PID 2540 wrote to memory of 2536	2540	cmd.exe	31
PID 2540 wrote to memory of 2016	2540	cmd.exe	32
PID 2540 wrote to memory of 2016	2540	cmd.exe	32
PID 2540 wrote to memory of 2016	2540	cmd.exe	32
PID 2016 wrote to memory of 1640	2016	cmd.exe	33
PID 2016 wrote to memory of 1640	2016	cmd.exe	33
PID 2016 wrote to memory of 1640	2016	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c where python
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\where.exe
    where python
    3⤵
    PID:1640