d6b89a4217578b742d1efd9c717ede6a302492842ed7afbe7d4fc45f16e790a5

Resubmissions

05-12-2024 18:59

05-12-2024 18:46

max time kernel
50s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 18:59

Target

Adil Windows test.bat
Size

12KB
MD5

de58ceaf3e15b74f37ded57ca6a4b3db
SHA1

e1d566f0c71cd042c541a82cc0c2d5b734439429
SHA256

d6b89a4217578b742d1efd9c717ede6a302492842ed7afbe7d4fc45f16e790a5
SHA512

71c64af60a0180fb44dc53ef7bcf74ee3e29d30b6b0d4246bb8b9658be4bfe0fed2f153784dbf2ad93aaa459ca6b17e5c2324bbebb3b6e91ce2257ace5a0da64
SSDEEP

192:A9AcZIbMED95MxPaxmmpeO7D8HqYT1+gvwoKNfcP7b8T0j:UA6IQbwreO7D89T1rKNfBu

Score

5^/10

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\gpedit.msc	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	mmc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4108	mmc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4108	mmc.exe
Token: SeIncBasePriorityPrivilege	4108	mmc.exe
Token: 33	4108	mmc.exe
Token: SeIncBasePriorityPrivilege	4108	mmc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 3728	732	cmd.exe	84
PID 732 wrote to memory of 3728	732	cmd.exe	84
PID 3728 wrote to memory of 4172	3728	net.exe	85
PID 3728 wrote to memory of 4172	3728	net.exe	85
PID 4352 wrote to memory of 2312	4352	cmd.exe	98
PID 4352 wrote to memory of 2312	4352	cmd.exe	98
PID 4352 wrote to memory of 3728	4352	cmd.exe	110
PID 4352 wrote to memory of 3728	4352	cmd.exe	110
PID 3728 wrote to memory of 3132	3728	net.exe	111
PID 3728 wrote to memory of 3132	3728	net.exe	111
PID 4352 wrote to memory of 3688	4352	cmd.exe	112
PID 4352 wrote to memory of 3688	4352	cmd.exe	112
PID 3688 wrote to memory of 2576	3688	net.exe	113
PID 3688 wrote to memory of 2576	3688	net.exe	113
PID 4352 wrote to memory of 4816	4352	cmd.exe	116
PID 4352 wrote to memory of 4816	4352	cmd.exe	116
PID 4816 wrote to memory of 4768	4816	net.exe	117
PID 4816 wrote to memory of 4768	4816	net.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Adil Windows test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4172

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\system32\net.exe
  net use everyone
  2⤵
  PID:2312
- C:\Windows\system32\net.exe
  net user everyone
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user everyone
    3⤵
    PID:3132
- C:\Windows\system32\net.exe
  net user list
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user list
    3⤵
    PID:2576
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:4768