a22f393576c3c8fa3ade88102fa98dfc93097d15b4c453ef676f6daaefffa592

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoSettings/Check.bat
Size

111KB
MD5

8de1beb7c5e0ff6e71b001dbe92385d2
SHA1

a100fe979553a0993d916c76ba5e0e87717af3c1
SHA256

798e841f8cc6a5fd3f27670bc31d3f89c62e5e3a2d0515c9719cf503a24b8862
SHA512

8fbb45e81f037218a9a3bbe6fe97021fdae232d9e845b77800c17664de5d9e4b8ee5f922c46919c358c77e10e0958ed8b7ff307cc1c5de20a4fa52d65923b3e0
SSDEEP

1536:hDE9SdURwRfzXYJEOauvUHyxC69amzkHV:hDE9SdmwRfzXDOauvUHyxCuazHV

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3244-76-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3244-77-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4912-78-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4912-79-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4844-80-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4844-81-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2508-85-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1968-87-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/216-86-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2932-84-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4416-83-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/756-82-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 4392	1232	cmd.exe	90
PID 1232 wrote to memory of 4392	1232	cmd.exe	90
PID 1232 wrote to memory of 4440	1232	cmd.exe	89
PID 1232 wrote to memory of 4440	1232	cmd.exe	89
PID 1232 wrote to memory of 1380	1232	cmd.exe	94
PID 1232 wrote to memory of 1380	1232	cmd.exe	94
PID 1380 wrote to memory of 3192	1380	cmd.exe	95
PID 1380 wrote to memory of 3192	1380	cmd.exe	95
PID 1232 wrote to memory of 4356	1232	cmd.exe	96
PID 1232 wrote to memory of 4356	1232	cmd.exe	96
PID 1232 wrote to memory of 4652	1232	cmd.exe	97
PID 1232 wrote to memory of 4652	1232	cmd.exe	97
PID 4652 wrote to memory of 1332	4652	cmd.exe	98
PID 4652 wrote to memory of 1332	4652	cmd.exe	98
PID 1232 wrote to memory of 2472	1232	cmd.exe	99
PID 1232 wrote to memory of 2472	1232	cmd.exe	99
PID 2472 wrote to memory of 4188	2472	cmd.exe	100
PID 2472 wrote to memory of 4188	2472	cmd.exe	100
PID 1232 wrote to memory of 3244	1232	cmd.exe	102
PID 1232 wrote to memory of 3244	1232	cmd.exe	102
PID 1232 wrote to memory of 3244	1232	cmd.exe	102
PID 1232 wrote to memory of 4912	1232	cmd.exe	103
PID 1232 wrote to memory of 4912	1232	cmd.exe	103
PID 1232 wrote to memory of 4912	1232	cmd.exe	103
PID 1232 wrote to memory of 4844	1232	cmd.exe	104
PID 1232 wrote to memory of 4844	1232	cmd.exe	104
PID 1232 wrote to memory of 4844	1232	cmd.exe	104
PID 1232 wrote to memory of 756	1232	cmd.exe	110
PID 1232 wrote to memory of 756	1232	cmd.exe	110
PID 1232 wrote to memory of 756	1232	cmd.exe	110
PID 1232 wrote to memory of 4416	1232	cmd.exe	109
PID 1232 wrote to memory of 4416	1232	cmd.exe	109
PID 1232 wrote to memory of 4416	1232	cmd.exe	109
PID 1232 wrote to memory of 2932	1232	cmd.exe	108
PID 1232 wrote to memory of 2932	1232	cmd.exe	108
PID 1232 wrote to memory of 2932	1232	cmd.exe	108
PID 1232 wrote to memory of 2508	1232	cmd.exe	107
PID 1232 wrote to memory of 2508	1232	cmd.exe	107
PID 1232 wrote to memory of 2508	1232	cmd.exe	107
PID 1232 wrote to memory of 216	1232	cmd.exe	106
PID 1232 wrote to memory of 216	1232	cmd.exe	106
PID 1232 wrote to memory of 216	1232	cmd.exe	106
PID 1232 wrote to memory of 1968	1232	cmd.exe	105
PID 1232 wrote to memory of 1968	1232	cmd.exe	105
PID 1232 wrote to memory of 1968	1232	cmd.exe	105

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Check.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:4440
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "UBR"
    3⤵
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get MUILanguages /Value 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get MUILanguages /Value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} ╔═════════════════════════════════════════════════════════════════════╗ {\n #}
  2⤵
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} ║ {07}Проверка {08}редакции {0f}Windows 10 Enterprise {0a}LTSB RS1 10.0.14393 {08}║ {\n #}
  2⤵
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} ╚═════════════════════════════════════════════════════════════════════╝ {\n #}
  2⤵
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {08} | Версия 3.16{\n #}
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [Без ввода]{#} = {0e}Выйти {\n #}
  2⤵
  PID:216
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [3] = {0e}Сделать все{#} (Проверить значения слежения, AppStore и настроек) {\n #}
  2⤵
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [2] = {0e}Settings{#} (Только проверка значений дополнительных настроек Windows) {\n #}
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" {0b} [1] = {0e}Spy{#} (Только проверка значений по слежению, сбору и AppStore) {\n #}
  2⤵
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Files\Tools\cecho.exe" Ваша Windows:{0a} x64 {#}|{0a} en-US, de-DE, es-ES, fr-FR {#}| {0e}10.0.19041.1288 {4f} Версия не поддерживается {#} {00}.{\n #}
  2⤵
  PID:756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoSettings\_Fix.bat

Filesize
4KB

MD5
6f478bb851479b47c68cc595e44e682f

SHA1
889ff300f374c23578ec876388fe89ad554c20c6

SHA256
30518495160eb5418a6bdb1981579728abce0ace48c9dbfd9777784611d00a87

SHA512
d6878cf9c358cd2fe203fabea580f88ce94f12e075ca435ea1f2f1151a6678318d26f81002c29d82f31908efa33f242fde296386bdd66594988491f670918b33

Download Submit
memory/216-86-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/756-82-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1968-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2508-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3244-76-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3244-77-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4416-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4844-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4844-80-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4912-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4912-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download