Overview (overall score: 7)

Task | Platform | Score
Static | static | 7
enb/Optimiser.dll | windows7-x64 | 3
enb/Optimiser.dll | windows10-2004-x64 | 3
enb/SAMP F...CU.bat | windows7-x64 | 1
enb/SAMP F...CU.bat | windows10-2004-x64 | 1
enb/SAMPGr...re.dll | windows7-x64 | 3
enb/SAMPGr...re.dll | windows10-2004-x64 | 3
enb/d3d9.dll | windows7-x64 | 1
enb/d3d9.dll | windows10-2004-x64 | 1
enb/enbser...er.dll | windows7-x64 | 3
enb/enbser...er.dll | windows10-2004-x64 | 3
enb/gta_sa.exe | windows7-x64 | 1
enb/gta_sa.exe | windows10-2004-x64 | 1
enb/msvcr100d.dll | windows7-x64 | 3
enb/msvcr100d.dll | windows10-2004-x64 | 3

Analysis
max time kernel: 92s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 02:08
Static task: static1

Behavioral tasks:

Task | Sample | Resource
behavioral1 | enb/Optimiser.dll | win7-20240221-en
behavioral2 | enb/Optimiser.dll | win10v2004-20240226-en
behavioral3 | enb/SAMP FIX ENB W10 CU.bat | win7-20240221-en
behavioral4 | enb/SAMP FIX ENB W10 CU.bat | win10v2004-20240226-en
behavioral5 | enb/SAMPGraphicRestore.dll | win7-20240221-en
behavioral6 | enb/SAMPGraphicRestore.dll | win10v2004-20240226-en
behavioral7 | enb/d3d9.dll | win7-20240221-en
behavioral8 | enb/d3d9.dll | win10v2004-20240226-en
behavioral9 | enb/enbseries/enbhelper.dll | win7-20240221-en
behavioral10 | enb/enbseries/enbhelper.dll | win10v2004-20240226-en
behavioral11 | enb/gta_sa.exe | win7-20240221-en
behavioral12 | enb/gta_sa.exe | win10v2004-20240226-en
behavioral13 | enb/msvcr100d.dll | win7-20240215-en
behavioral14 | enb/msvcr100d.dll | win10v2004-20240226-en
General

Target: enb/SAMP FIX ENB W10 CU.bat
Size: 2KB
MD5: 238c91cce7bc82ccd22ee598d74ed42a
SHA1: ef99294639ff2cd6ac5ea1295dcd9fd0a50614c5
SHA256: d8e05d7fdafe19f5f58c06d59ee7ee60495981c7d7af6737233103a8777a00f9
SHA512: 8c29c4c4dd1412465299944f88615fd35817a74cf8f85b0c32754936e59828469414a9cee6c236a96015cc69e559bf7013e7e4d32eca3755e10a9c9cc5b982a8
Malware Config
Signatures

Modifies Internet Explorer settings (3 IoCs)

Description | IoC | Process
Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F} | reg.exe
Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0 | reg.exe
Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore | reg.exe

Suspicious use of AdjustPrivilegeToken (42 IoCs)

All 42 IoCs belong to PID 2872 (WMIC.exe); the report records the 21-entry sequence below twice. WMIC.exe enables every privilege available to its token when it starts, so this signature fires for any WMIC invocation from an administrator session and is not by itself evidence of privilege abuse.

Description | PID | Process
Token: SeIncreaseQuotaPrivilege | 2872 | WMIC.exe
Token: SeSecurityPrivilege | 2872 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2872 | WMIC.exe
Token: SeLoadDriverPrivilege | 2872 | WMIC.exe
Token: SeSystemProfilePrivilege | 2872 | WMIC.exe
Token: SeSystemtimePrivilege | 2872 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2872 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2872 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2872 | WMIC.exe
Token: SeBackupPrivilege | 2872 | WMIC.exe
Token: SeRestorePrivilege | 2872 | WMIC.exe
Token: SeShutdownPrivilege | 2872 | WMIC.exe
Token: SeDebugPrivilege | 2872 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2872 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2872 | WMIC.exe
Token: SeUndockPrivilege | 2872 | WMIC.exe
Token: SeManageVolumePrivilege | 2872 | WMIC.exe
Token: 33 | 2872 | WMIC.exe
Token: 34 | 2872 | WMIC.exe
Token: 35 | 2872 | WMIC.exe
Token: 36 | 2872 | WMIC.exe

Suspicious use of WriteProcessMemory (18 IoCs)

Each parent/child pair below is recorded twice in the report (9 pairs, 18 IoCs). All writes come from the two cmd.exe instances spawning their children.

Description | PID | Process | procid_target
PID 4864 wrote to memory of 540 | 4864 | cmd.exe | 89
PID 540 wrote to memory of 2872 | 540 | cmd.exe | 90
PID 4864 wrote to memory of 4704 | 4864 | cmd.exe | 93
PID 4864 wrote to memory of 2536 | 4864 | cmd.exe | 94
PID 4864 wrote to memory of 1808 | 4864 | cmd.exe | 95
PID 4864 wrote to memory of 1084 | 4864 | cmd.exe | 96
PID 4864 wrote to memory of 1076 | 4864 | cmd.exe | 97
PID 4864 wrote to memory of 1352 | 4864 | cmd.exe | 98
PID 4864 wrote to memory of 1980 | 4864 | cmd.exe | 99
Processes

[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enb\SAMP FIX ENB W10 CU.bat"
    Suspicious use of WriteProcessMemory
    PID: 4864

    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic useraccount where "name='Admin'" get sid /value
        Suspicious use of WriteProcessMemory
        PID: 540

        [3] C:\Windows\System32\Wbem\WMIC.exe
            wmic useraccount where "name='Admin'" get sid /value
            Suspicious use of AdjustPrivilegeToken
            PID: 2872

    [2] C:\Windows\system32\reg.exe
        REG Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        PID: 4704

    [2] C:\Windows\system32\reg.exe
        REG Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /f
        PID: 2536

    [2] C:\Windows\system32\reg.exe
        REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore"
        PID: 1808

    [2] C:\Windows\system32\reg.exe
        REG Delete "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore" /f
        Modifies Internet Explorer settings
        PID: 1084

    [2] C:\Windows\system32\reg.exe
        REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        PID: 1076

    [2] C:\Windows\system32\reg.exe
        REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\MostRecentApplication"
        PID: 1352

    [2] C:\Windows\system32\reg.exe
        REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication"
        PID: 1980
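The tree above shows a batch file that resolves the Admin account's SID through WMIC, then queries and force-deletes (`REG Delete ... /f`) one machine-wide key (HKLM ...\AppCompatFlags\Layers, the per-executable compatibility-mode list, which needs administrator rights to remove) and one per-user Internet Explorer LowRegistry key, and finally queries three more per-user keys. The script below is an added example, not part of the sandbox report or of the analysed sample: it rebuilds the parent/child tree from the WriteProcessMemory IoCs, parses each reg.exe command line, and tags the commands a reviewer would want flagged when reading a report like this one. The event and command-line records are transcribed from the report; the tag names and the rules in `triage` are my own choices.

```python
"""Triage helper for a sandbox process tree (added example, not report code)."""
import re
from collections import defaultdict

# Transcribed from the report's "Suspicious use of WriteProcessMemory" IoCs:
# (parent_pid, child_pid, parent_image). The sandbox records each pair twice.
WPM_EVENTS = [
    (4864, 540, "cmd.exe"), (4864, 540, "cmd.exe"),
    (540, 2872, "cmd.exe"), (540, 2872, "cmd.exe"),
    (4864, 4704, "cmd.exe"), (4864, 4704, "cmd.exe"),
    (4864, 2536, "cmd.exe"), (4864, 2536, "cmd.exe"),
    (4864, 1808, "cmd.exe"), (4864, 1808, "cmd.exe"),
    (4864, 1084, "cmd.exe"), (4864, 1084, "cmd.exe"),
    (4864, 1076, "cmd.exe"), (4864, 1076, "cmd.exe"),
    (4864, 1352, "cmd.exe"), (4864, 1352, "cmd.exe"),
    (4864, 1980, "cmd.exe"), (4864, 1980, "cmd.exe"),
]

# Command lines from the report's Processes section, keyed by PID.
PROCESSES = {
    4864: r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enb\SAMP FIX ENB W10 CU.bat"',
    540:  r'''C:\Windows\system32\cmd.exe /c wmic useraccount where "name='Admin'" get sid /value''',
    2872: r'''wmic useraccount where "name='Admin'" get sid /value''',
    4704: r'REG Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"',
    2536: r'REG Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /f',
    1808: r'REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore"',
    1084: r'REG Delete "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore" /f',
    1076: r'REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"',
    1352: r'REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\MostRecentApplication"',
    1980: r'REG Query "HKEY_USERS\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication"',
}

# reg.exe syntax: REG <op> "<hive>\<subkey>" [options]
REG_CMD = re.compile(r'^REG\s+(?P<op>Query|Delete|Add)\s+"(?P<key>[^"]+)"(?P<rest>.*)$',
                     re.IGNORECASE)


def build_tree(events):
    """Parent -> children map from WriteProcessMemory events. Duplicates are
    dropped; children keep first-seen order, which is the order the batch
    file launched them."""
    tree = defaultdict(list)
    for parent, child, _image in events:
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)


def parse_reg(cmdline):
    """Return (operation, hive, subkey, forced) for a reg.exe command line,
    or None when the line is not a REG command."""
    m = REG_CMD.match(cmdline.strip())
    if not m:
        return None
    hive, _, subkey = m.group("key").partition("\\")
    forced = "/f" in m.group("rest").lower().split()   # /f suppresses the prompt
    return m.group("op").capitalize(), hive.upper(), subkey, forced


def triage(cmdline):
    """Tag names are this example's own; adjust them to your triage vocabulary."""
    tags = []
    low = cmdline.lower()
    if "wmic" in low and "useraccount" in low and "get sid" in low:
        tags.append("sid-enumeration")          # resolving a user SID for later HKU paths
    reg = parse_reg(cmdline)
    if reg:
        op, hive, subkey, forced = reg
        if op == "Delete":
            tags.append("registry-delete" + ("-forced" if forced else ""))
            if hive == "HKEY_LOCAL_MACHINE":
                tags.append("machine-wide")     # needs admin; affects every user
        if "appcompatflags\\layers" in subkey.lower():
            tags.append("appcompat-layers")     # per-exe compatibility-mode list
    return tags


def render(tree, procs, root, depth=0):
    """Indented tree, one line per process, with triage tags appended."""
    tags = triage(procs[root])
    line = "  " * depth + f"[{root}] {procs[root]}"
    lines = [line + (f"  <- {', '.join(tags)}" if tags else "")]
    for child in tree.get(root, []):
        lines.extend(render(tree, procs, child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(WPM_EVENTS), PROCESSES, 4864)))
```

Running it prints the ten processes in launch order with `[2536]` tagged `registry-delete-forced, machine-wide, appcompat-layers`, which is the single line in this report that changes system-wide state; the per-user deletion under HKU is tagged only `registry-delete-forced`. Swap `WPM_EVENTS` and `PROCESSES` for records from another report to reuse the same checks.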