cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb.bat
Size

1KB
MD5

ce590ddfde09398f69caf8ef13163bf1
SHA1

06b22d31e6cde7f1f82e09f97395e8679b146699
SHA256

cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb
SHA512

b6c97ade1d1e4ca98285e46c719cbfbd58c901f1ef72663024af30ff2284e9f023feb3574d86f3a1a4242c5f30743a1936525d84267ca1b5af77407bebb3d481

Score

5^/10

discovery

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2940	tasklist.exe
2760	tasklist.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2328	2640	cmd.exe	31
PID 2640 wrote to memory of 2328	2640	cmd.exe	31
PID 2640 wrote to memory of 2328	2640	cmd.exe	31
PID 2328 wrote to memory of 2760	2328	cmd.exe	33
PID 2328 wrote to memory of 2760	2328	cmd.exe	33
PID 2328 wrote to memory of 2760	2328	cmd.exe	33
PID 2328 wrote to memory of 2764	2328	cmd.exe	34
PID 2328 wrote to memory of 2764	2328	cmd.exe	34
PID 2328 wrote to memory of 2764	2328	cmd.exe	34
PID 2328 wrote to memory of 2940	2328	cmd.exe	36
PID 2328 wrote to memory of 2940	2328	cmd.exe	36
PID 2328 wrote to memory of 2940	2328	cmd.exe	36
PID 2328 wrote to memory of 2708	2328	cmd.exe	37
PID 2328 wrote to memory of 2708	2328	cmd.exe	37
PID 2328 wrote to memory of 2708	2328	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb.bat" MY_FLAG
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\system32\find.exe
    find /i "AvastUI.exe"
    3⤵
    PID:2764
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq avgui.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\system32\find.exe
    find /i "avgui.exe"
    3⤵
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads