13e670c886fb6c001da708b00402e515ffb9465f06ae5b58a2b6fd9ae53aeef0 | Triage

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
01-01-2025 02:38

Sharing

Report Analysis Logs

General

Target

run me as admin.bat
Size

111B
MD5

32ebd1b51e027f5eb86c7cd3bf98f661
SHA1

9f94f463b0c60e73cb6d9a221feb86da05bf5582
SHA256

49941008e16ca6b79cc4949da034da2696d7f78d6664b74afcd11902eb76c3c9
SHA512

4540c9d9ea0e58e889d29d50cb22bb4e0d5c401475127c529d9abacf9ea0c3a9aa8b22ca1b13fd6da98f0452b8e7d22111b59bc520b57601e3d6e606c0d48b35

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	5024	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 5024	2308	cmd.exe	78
PID 2308 wrote to memory of 5024	2308	cmd.exe	78

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run me as admin.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\GF.DATA,Win10
  2⤵
  - Blocklisted process makes network request
  PID:5024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads