bd738f6f1b9bf79ca2725a1126f7b00127ec306b7f0c8ae25ae3f3724c7dbd46

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 13:25

Target

zapret-winws/task_remove.cmd
Size

124B
MD5

23c2e95aac5e3bc4390327a97af1afc4
SHA1

e37dfa4a0c7ae50db2f787f38fa45384d388a028
SHA256

26ccde6d01eb826f4cc5371925ecf771698f015ac9e905c4659acaff6fde6928
SHA512

93e56f786421724c229bde84b3b46a059d06a99d934ea4250167c0d7cc2a0c9d0e0422cd7fd39131eb17a2229bd3becea88379756d4752a4931e5c671779753e

Score

1^/10

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1604	2272	cmd.exe	32
PID 2272 wrote to memory of 1604	2272	cmd.exe	32
PID 2272 wrote to memory of 1604	2272	cmd.exe	32
PID 2272 wrote to memory of 1764	2272	cmd.exe	33
PID 2272 wrote to memory of 1764	2272	cmd.exe	33
PID 2272 wrote to memory of 1764	2272	cmd.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\zapret-winws\task_remove.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\schtasks.exe
  schtasks /End /TN winws1
  2⤵
  PID:1604
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN winws1 /F
  2⤵
  PID:1764

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact