11d968219765dd9d0c4b162535320ef8b5dffd1bcf387da8ea3c546679711067

Analysis

max time kernel
148s
max time network
137s
platform
windows10-1703_x64
resource
win10-20231215-de
resource tags

arch:x64arch:x86image:win10-20231215-delocale:de-deos:windows10-1703-x64systemwindows
submitted
03/02/2024, 21:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GameOptimize.bat
Size

77KB
MD5

e7d4dc194b2c0323424915761914ddc0
SHA1

254de6d2ccb9842edd9a8123763531d0bd520ec7
SHA256

11d968219765dd9d0c4b162535320ef8b5dffd1bcf387da8ea3c546679711067
SHA512

6e6204de36488b1567ef253dacf50b9f2a74b7bc28c0c23003fce2d5b6a65ff5d0b64840b8157828355c6b593bff011ed818fcee0bae8c48c5d1aa74cec09d53
SSDEEP

768:z3rEb6dsF/gwIPC7NqGz6h8WSlw53Zppwu:YGwIPC7NqGz6hhSlMZppwu

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
2656	timeout.exe
688	timeout.exe
4768	timeout.exe
1840	timeout.exe
4248	timeout.exe
628	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4236	3924	cmd.exe	74
PID 3924 wrote to memory of 4236	3924	cmd.exe	74
PID 3924 wrote to memory of 1592	3924	cmd.exe	75
PID 3924 wrote to memory of 1592	3924	cmd.exe	75
PID 3924 wrote to memory of 2696	3924	cmd.exe	78
PID 3924 wrote to memory of 2696	3924	cmd.exe	78
PID 3924 wrote to memory of 868	3924	cmd.exe	79
PID 3924 wrote to memory of 868	3924	cmd.exe	79
PID 3924 wrote to memory of 1804	3924	cmd.exe	80
PID 3924 wrote to memory of 1804	3924	cmd.exe	80
PID 3924 wrote to memory of 1324	3924	cmd.exe	81
PID 3924 wrote to memory of 1324	3924	cmd.exe	81
PID 3924 wrote to memory of 4264	3924	cmd.exe	82
PID 3924 wrote to memory of 4264	3924	cmd.exe	82
PID 3924 wrote to memory of 2656	3924	cmd.exe	83
PID 3924 wrote to memory of 2656	3924	cmd.exe	83
PID 3924 wrote to memory of 4780	3924	cmd.exe	84
PID 3924 wrote to memory of 4780	3924	cmd.exe	84
PID 3924 wrote to memory of 688	3924	cmd.exe	85
PID 3924 wrote to memory of 688	3924	cmd.exe	85
PID 3924 wrote to memory of 3356	3924	cmd.exe	86
PID 3924 wrote to memory of 3356	3924	cmd.exe	86
PID 3924 wrote to memory of 3488	3924	cmd.exe	87
PID 3924 wrote to memory of 3488	3924	cmd.exe	87
PID 3924 wrote to memory of 1392	3924	cmd.exe	88
PID 3924 wrote to memory of 1392	3924	cmd.exe	88
PID 3924 wrote to memory of 4768	3924	cmd.exe	89
PID 3924 wrote to memory of 4768	3924	cmd.exe	89
PID 3924 wrote to memory of 1840	3924	cmd.exe	90
PID 3924 wrote to memory of 1840	3924	cmd.exe	90
PID 3924 wrote to memory of 4248	3924	cmd.exe	91
PID 3924 wrote to memory of 4248	3924	cmd.exe	91
PID 3924 wrote to memory of 628	3924	cmd.exe	92
PID 3924 wrote to memory of 628	3924	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GameOptimize.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:1804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:1324
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4264
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2656
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4780
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:688
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\nvidiaProfileInspector.zip' -DestinationPath 'C:\Exmfree\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1392
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4768
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1840
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4248
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
17286868c0a043ae5d2ff5798b6a3163

SHA1
b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

SHA256
40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

SHA512
e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4c374f0120a53268b61cc512abe33f41

SHA1
8fb3c9f799d5ef94c6aebb2ff3ad11e8a949f6fa

SHA256
106ab9b1c9472e391c093f0a7e75acb0ad6a6a441e78387a7cda8fb452892917

SHA512
6f5b7add9ffea62aa267aad661685e85d5e3b843ab8531e9431bc1efa5e9d1524e96356b92c1aa24dbc19bb83ae1580c45e6448b72f1d7232be59173c1a51e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vnkw0whk.4md.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1592-8-0x00000250BC4F0000-0x00000250BC500000-memory.dmp

Filesize
64KB

Download
memory/1592-6-0x00007FFF09230000-0x00007FFF09C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-4-0x00000250BC330000-0x00000250BC3B6000-memory.dmp

Filesize
536KB

Download
memory/1592-7-0x00000250BC500000-0x00000250BC522000-memory.dmp

Filesize
136KB

Download
memory/1592-13-0x00000250BC6C0000-0x00000250BC736000-memory.dmp

Filesize
472KB

Download
memory/1592-9-0x00000250BC4F0000-0x00000250BC500000-memory.dmp

Filesize
64KB

Download
memory/1592-28-0x00000250BC4F0000-0x00000250BC500000-memory.dmp

Filesize
64KB

Download
memory/1592-32-0x00007FFF09230000-0x00007FFF09C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-5-0x00000250A3CF0000-0x00000250A3D00000-memory.dmp

Filesize
64KB

Download
memory/1592-10-0x00000250BC530000-0x00000250BC634000-memory.dmp

Filesize
1.0MB

Download
memory/3488-37-0x00007FFF09230000-0x00007FFF09C1C000-memory.dmp

Filesize
9.9MB

Download
memory/3488-40-0x000001BC20F30000-0x000001BC20F40000-memory.dmp

Filesize
64KB

Download
memory/3488-38-0x000001BC20F30000-0x000001BC20F40000-memory.dmp

Filesize
64KB

Download
memory/3488-64-0x000001BC20F30000-0x000001BC20F40000-memory.dmp

Filesize
64KB

Download
memory/3488-65-0x000001BC398D0000-0x000001BC398E6000-memory.dmp

Filesize
88KB

Download
memory/3488-135-0x000001BC20F30000-0x000001BC20F40000-memory.dmp

Filesize
64KB

Download
memory/3488-138-0x00007FFF09230000-0x00007FFF09C1C000-memory.dmp

Filesize
9.9MB

Download