ae5c64a88ceb35a4cd3748ed27392845405934108bcefff1c965599ba1294f30

Resubmissions

05-12-2024 19:46

241205-yhfc9svrbl 10

05-12-2024 19:03

241205-xqftbstmhr 10

Analysis

max time kernel
36s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adil Windows.bat
Size

12KB
MD5

cb107d44ed312ae167260b86b9d1901d
SHA1

47406774f65842ff020290fe34c0175789e2f5d0
SHA256

ae5c64a88ceb35a4cd3748ed27392845405934108bcefff1c965599ba1294f30
SHA512

981f373ec1ff38b4bba875ef8bb5caa5875082c8c6e8f36f8a4593599500195536b522853d686499f6b3908b7845e283b695f9ac370201ffdf319a5ec1a563fd
SSDEEP

192:A9AcZ8zMED95ExPaxmmpeO7D8HqYT1+gvwoKNfcP7b8T0j:UA684zwreO7D89T1rKNfBu

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 32 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
316	sc.exe
2924	sc.exe
2832	sc.exe
2756	sc.exe
1932	sc.exe
2728	sc.exe
2876	sc.exe
2720	sc.exe
2696	sc.exe
2588	sc.exe
2636	sc.exe
2956	sc.exe
2736	sc.exe
3040	sc.exe
2156	sc.exe
2500	sc.exe
2008	sc.exe
2800	sc.exe
1864	sc.exe
3048	sc.exe
816	sc.exe
1688	sc.exe
2540	sc.exe
2812	sc.exe
2568	sc.exe
2608	sc.exe
1420	sc.exe
2592	sc.exe
2848	sc.exe
1892	sc.exe
2952	sc.exe
1656	sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2776	2668	cmd.exe	31
PID 2668 wrote to memory of 2776	2668	cmd.exe	31
PID 2668 wrote to memory of 2776	2668	cmd.exe	31
PID 2776 wrote to memory of 2808	2776	net.exe	32
PID 2776 wrote to memory of 2808	2776	net.exe	32
PID 2776 wrote to memory of 2808	2776	net.exe	32
PID 2668 wrote to memory of 2924	2668	cmd.exe	33
PID 2668 wrote to memory of 2924	2668	cmd.exe	33
PID 2668 wrote to memory of 2924	2668	cmd.exe	33
PID 2668 wrote to memory of 2720	2668	cmd.exe	34
PID 2668 wrote to memory of 2720	2668	cmd.exe	34
PID 2668 wrote to memory of 2720	2668	cmd.exe	34
PID 2668 wrote to memory of 2800	2668	cmd.exe	35
PID 2668 wrote to memory of 2800	2668	cmd.exe	35
PID 2668 wrote to memory of 2800	2668	cmd.exe	35
PID 2668 wrote to memory of 2592	2668	cmd.exe	36
PID 2668 wrote to memory of 2592	2668	cmd.exe	36
PID 2668 wrote to memory of 2592	2668	cmd.exe	36
PID 2668 wrote to memory of 2848	2668	cmd.exe	37
PID 2668 wrote to memory of 2848	2668	cmd.exe	37
PID 2668 wrote to memory of 2848	2668	cmd.exe	37
PID 2668 wrote to memory of 2832	2668	cmd.exe	38
PID 2668 wrote to memory of 2832	2668	cmd.exe	38
PID 2668 wrote to memory of 2832	2668	cmd.exe	38
PID 2668 wrote to memory of 2812	2668	cmd.exe	39
PID 2668 wrote to memory of 2812	2668	cmd.exe	39
PID 2668 wrote to memory of 2812	2668	cmd.exe	39
PID 2668 wrote to memory of 2696	2668	cmd.exe	40
PID 2668 wrote to memory of 2696	2668	cmd.exe	40
PID 2668 wrote to memory of 2696	2668	cmd.exe	40
PID 2668 wrote to memory of 2756	2668	cmd.exe	41
PID 2668 wrote to memory of 2756	2668	cmd.exe	41
PID 2668 wrote to memory of 2756	2668	cmd.exe	41
PID 2668 wrote to memory of 1864	2668	cmd.exe	42
PID 2668 wrote to memory of 1864	2668	cmd.exe	42
PID 2668 wrote to memory of 1864	2668	cmd.exe	42
PID 2668 wrote to memory of 2568	2668	cmd.exe	43
PID 2668 wrote to memory of 2568	2668	cmd.exe	43
PID 2668 wrote to memory of 2568	2668	cmd.exe	43
PID 2668 wrote to memory of 2588	2668	cmd.exe	44
PID 2668 wrote to memory of 2588	2668	cmd.exe	44
PID 2668 wrote to memory of 2588	2668	cmd.exe	44
PID 2668 wrote to memory of 2608	2668	cmd.exe	45
PID 2668 wrote to memory of 2608	2668	cmd.exe	45
PID 2668 wrote to memory of 2608	2668	cmd.exe	45
PID 2668 wrote to memory of 2636	2668	cmd.exe	46
PID 2668 wrote to memory of 2636	2668	cmd.exe	46
PID 2668 wrote to memory of 2636	2668	cmd.exe	46
PID 2668 wrote to memory of 1932	2668	cmd.exe	47
PID 2668 wrote to memory of 1932	2668	cmd.exe	47
PID 2668 wrote to memory of 1932	2668	cmd.exe	47
PID 2668 wrote to memory of 3040	2668	cmd.exe	48
PID 2668 wrote to memory of 3040	2668	cmd.exe	48
PID 2668 wrote to memory of 3040	2668	cmd.exe	48
PID 2668 wrote to memory of 2156	2668	cmd.exe	49
PID 2668 wrote to memory of 2156	2668	cmd.exe	49
PID 2668 wrote to memory of 2156	2668	cmd.exe	49
PID 2668 wrote to memory of 2728	2668	cmd.exe	50
PID 2668 wrote to memory of 2728	2668	cmd.exe	50
PID 2668 wrote to memory of 2728	2668	cmd.exe	50
PID 2668 wrote to memory of 3048	2668	cmd.exe	51
PID 2668 wrote to memory of 3048	2668	cmd.exe	51
PID 2668 wrote to memory of 3048	2668	cmd.exe	51
PID 2668 wrote to memory of 2876	2668	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Adil Windows.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2808
- C:\Windows\system32\sc.exe
  sc stop TapiSrv
  2⤵
  - Launches sc.exe
  PID:2924
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\system32\sc.exe
  sc stop TlntSvr
  2⤵
  - Launches sc.exe
  PID:2800
- C:\Windows\system32\sc.exe
  sc config TlntSvr start= disabled
  2⤵
  - Launches sc.exe
  PID:2592
- C:\Windows\system32\sc.exe
  sc stop ftpsvc
  2⤵
  - Launches sc.exe
  PID:2848
- C:\Windows\system32\sc.exe
  sc config ftpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2832
- C:\Windows\system32\sc.exe
  sc stop SNMP
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\system32\sc.exe
  sc config SNMP start= disabled
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\system32\sc.exe
  sc stop SessionEnv
  2⤵
  - Launches sc.exe
  PID:2756
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  - Launches sc.exe
  PID:1864
- C:\Windows\system32\sc.exe
  sc stop TermService
  2⤵
  - Launches sc.exe
  PID:2568
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  - Launches sc.exe
  PID:2588
- C:\Windows\system32\sc.exe
  sc stop UmRdpService
  2⤵
  - Launches sc.exe
  PID:2608
- C:\Windows\system32\sc.exe
  sc config UmRdpService start= disabled
  2⤵
  - Launches sc.exe
  PID:2636
- C:\Windows\system32\sc.exe
  sc stop SharedAccess
  2⤵
  - Launches sc.exe
  PID:1932
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:3040
- C:\Windows\system32\sc.exe
  sc stop remoteRegistry
  2⤵
  - Launches sc.exe
  PID:2156
- C:\Windows\system32\sc.exe
  sc config remoteRegistry start= disabled
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\system32\sc.exe
  sc stop SSDPSRV
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  - Launches sc.exe
  PID:2876
- C:\Windows\system32\sc.exe
  sc stop W3SVC
  2⤵
  - Launches sc.exe
  PID:316
- C:\Windows\system32\sc.exe
  sc config W3SVC start= disabled
  2⤵
  - Launches sc.exe
  PID:1420
- C:\Windows\system32\sc.exe
  sc stop SNMPTRAP
  2⤵
  - Launches sc.exe
  PID:1892
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start= disabled
  2⤵
  - Launches sc.exe
  PID:816
- C:\Windows\system32\sc.exe
  sc stop remoteAccess
  2⤵
  - Launches sc.exe
  PID:1688
- C:\Windows\system32\sc.exe
  sc config remoteAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:2500
- C:\Windows\system32\sc.exe
  sc stop RpcSs
  2⤵
  - Launches sc.exe
  PID:2540
- C:\Windows\system32\sc.exe
  sc config RpcSs start= disabled
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\system32\sc.exe
  sc stop HomeGroupProvider
  2⤵
  - Launches sc.exe
  PID:2956
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start= disabled
  2⤵
  - Launches sc.exe
  PID:2736
- C:\Windows\system32\sc.exe
  sc stop HomeGroupListener
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start= disabled
  2⤵
  - Launches sc.exe
  PID:1656