e93eff9fcefc1e4cff03a218144e16b5632ca85fbf4f9a3ac726d6b1b0b5b256

Reason

Remote task has failed: Machine shutdown

General

Target

1.bat
Size

5B
MD5

53f31a089339194f333d2e3995dbb05e
SHA1

d929c82d2ee727ccbea9c50c669a71075249899f
SHA256

86b0c5a1e2b73b08fd54c727f4458649ed9fe3ad1b6e8ac9460c070113509a1e
SHA512

d6f0e8c65e1fe60e81be2aee69b09b9a5df7519dff082cc4e51a705fb044a34db7198b40d480df0a048e32a7d2cf0c4090d64af123a5d852c21c8a35de4ff3fc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 38 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 520031000000000022530271122041707044617461003c0008000400efbe22530271225302712a000000d10100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 4c0031000000000022535875100041646d696e00380008000400efbe22530271225358752a0000002e000000000004000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\0 = 4a003100000000002753ce82102054656d700000360008000400efbe225302712753ce822a000000e5010000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\0\NodeSlot = "3"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 7400310000000000225302711100557365727300600008000400efbeee3a851a225302712a000000cc01000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 = 4c003100000000002253a57310204c6f63616c00380008000400efbe225302712253a5732a000000e40100000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 316 wrote to memory of 336	316	cmd.exe	explorer.exe
PID 316 wrote to memory of 336	316	cmd.exe	explorer.exe
PID 316 wrote to memory of 336	316	cmd.exe	explorer.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
PID:836

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1772

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\explorer.exe
explorer .
2⤵
PID:336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-54-0x0000000000000000-mapping.dmp

Download
memory/824-59-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1552-57-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1640-61-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1772-53-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads