c0f0d33d18d79c58d0956a5057ec26407d50bebb8960514ceb88d7fb7fb2502b

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10/01/2025, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneclickTools/Sound/Sound.bat
Size

1KB
MD5

aa79a42a515c7013ee6d746bc2033af8
SHA1

f703e84f64c5d8061f2aea7f636e57576b5bb2c6
SHA256

9989b6443318155275d5e8011e6395f57a9723444f06c7de78ad1a07a8049c6e
SHA512

4bcf14e930fa090d0efbad5416ea48bcdb162ddef00baf9433186736a238c3e1ff28c1fc8447a4749af2413856dd597257dbed3f7b80340d1ff0a63144c90e43

Score

4^/10

Malware Config

Signatures

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4356	sc.exe
1392	sc.exe
5164	sc.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1680	taskkill.exe
984	taskkill.exe
2084	taskkill.exe
5724	taskkill.exe
4364	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5724	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 5724	2592	cmd.exe	78
PID 2592 wrote to memory of 5724	2592	cmd.exe	78
PID 2592 wrote to memory of 2332	2592	cmd.exe	80
PID 2592 wrote to memory of 2332	2592	cmd.exe	80
PID 2332 wrote to memory of 3196	2332	net.exe	81
PID 2332 wrote to memory of 3196	2332	net.exe	81
PID 2592 wrote to memory of 4356	2592	cmd.exe	82
PID 2592 wrote to memory of 4356	2592	cmd.exe	82
PID 2592 wrote to memory of 4364	2592	cmd.exe	83
PID 2592 wrote to memory of 4364	2592	cmd.exe	83
PID 2592 wrote to memory of 1680	2592	cmd.exe	84
PID 2592 wrote to memory of 1680	2592	cmd.exe	84
PID 2592 wrote to memory of 5592	2592	cmd.exe	85
PID 2592 wrote to memory of 5592	2592	cmd.exe	85
PID 5592 wrote to memory of 5976	5592	net.exe	86
PID 5592 wrote to memory of 5976	5592	net.exe	86
PID 2592 wrote to memory of 1392	2592	cmd.exe	87
PID 2592 wrote to memory of 1392	2592	cmd.exe	87
PID 2592 wrote to memory of 984	2592	cmd.exe	88
PID 2592 wrote to memory of 984	2592	cmd.exe	88
PID 2592 wrote to memory of 2084	2592	cmd.exe	89
PID 2592 wrote to memory of 2084	2592	cmd.exe	89
PID 2592 wrote to memory of 1912	2592	cmd.exe	90
PID 2592 wrote to memory of 1912	2592	cmd.exe	90
PID 1912 wrote to memory of 1044	1912	net.exe	91
PID 1912 wrote to memory of 1044	1912	net.exe	91
PID 2592 wrote to memory of 5164	2592	cmd.exe	92
PID 2592 wrote to memory of 5164	2592	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OneclickTools\Sound\Sound.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM RtkAudUService64.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5724
- C:\Windows\system32\net.exe
  net stop "RtkAudioUniversalService"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "RtkAudioUniversalService"
    3⤵
    PID:3196
- C:\Windows\system32\sc.exe
  sc config RtkAudioUniversalService start=disabled
  2⤵
  - Launches sc.exe
  PID:4356
- C:\Windows\system32\taskkill.exe
  taskkill /f /im SECOMNService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\system32\taskkill.exe
  taskkill /f /im SECOCL.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\system32\net.exe
  net stop "SECOMNService"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SECOMNService"
    3⤵
    PID:5976
- C:\Windows\system32\sc.exe
  sc config SECOMNService start=disabled
  2⤵
  - Launches sc.exe
  PID:1392
- C:\Windows\system32\taskkill.exe
  taskkill /f /im VSHelper.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\system32\taskkill.exe
  taskkill /f /im VSSrv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\system32\net.exe
  net stop "VSSrv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSSrv"
    3⤵
    PID:1044
- C:\Windows\system32\sc.exe
  sc config VSSrv start=disabled
  2⤵
  - Launches sc.exe
  PID:5164

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads