cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb.bat
Size

1KB
MD5

ce590ddfde09398f69caf8ef13163bf1
SHA1

06b22d31e6cde7f1f82e09f97395e8679b146699
SHA256

cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb
SHA512

b6c97ade1d1e4ca98285e46c719cbfbd58c901f1ef72663024af30ff2284e9f023feb3574d86f3a1a4242c5f30743a1936525d84267ca1b5af77407bebb3d481

Score

5^/10

discovery

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3896	tasklist.exe
3948	tasklist.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	tasklist.exe
Token: SeDebugPrivilege	3948	tasklist.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 864	2836	cmd.exe	84
PID 2836 wrote to memory of 864	2836	cmd.exe	84
PID 864 wrote to memory of 3896	864	cmd.exe	86
PID 864 wrote to memory of 3896	864	cmd.exe	86
PID 864 wrote to memory of 1964	864	cmd.exe	87
PID 864 wrote to memory of 1964	864	cmd.exe	87
PID 864 wrote to memory of 3948	864	cmd.exe	89
PID 864 wrote to memory of 3948	864	cmd.exe	89
PID 864 wrote to memory of 1604	864	cmd.exe	90
PID 864 wrote to memory of 1604	864	cmd.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\cc4a9f0cda1f216a0cdecd5256fa454f92acd179d11d3d35bec2ce643b3ebacb.bat" MY_FLAG
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\system32\find.exe
    find /i "AvastUI.exe"
    3⤵
    PID:1964
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq avgui.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\system32\find.exe
    find /i "avgui.exe"
    3⤵
    PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads