129858d6b84c33ddb57b913f236d6e3e4e282233b2724cfc35b381788cc1eba2

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 15:05

Target

zapret-winws/service_del.cmd
Size

95B
MD5

b3d359f405ae243691eb88bab81b420d
SHA1

863f1367cc66fbd460baa4cda424ab8217b8df06
SHA256

731955a4e6dec99139bcde6ac6f6815bf8c13c3b9e9a951021a17dd64aa4163e
SHA512

c410fecaaadb78536cc5324cbe7c76dc33a4bea9035ce88d8acf4fc546658e9e97037e820bcad02f1904ad5531c260e93751e4f0653abf3ca7a88720c71b3a69

Score

8^/10

evasion execution

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
380	sc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 536	5096	cmd.exe	85
PID 5096 wrote to memory of 536	5096	cmd.exe	85
PID 536 wrote to memory of 3608	536	net.exe	86
PID 536 wrote to memory of 3608	536	net.exe	86
PID 5096 wrote to memory of 380	5096	cmd.exe	87
PID 5096 wrote to memory of 380	5096	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zapret-winws\service_del.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\net.exe
  net stop winws1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winws1
    3⤵
    PID:3608
- C:\Windows\system32\sc.exe
  sc delete winws1
  2⤵
  - Launches sc.exe
  PID:380