0d4b8ffecfb9257cb67f67ffdbbe31e331676bf91dd2f24d0d3ead1d4e77da5a

Analysis

max time kernel
134s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
03-03-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[4] S-Timer Setup.bat
Size

37KB
MD5

f21e87eb93952e2a86176a42ab9a8d2f
SHA1

081e25c2f5126a0a89abb329f5331b612059b290
SHA256

870790458076c212623be6ece4afb76e664527842d433a1a6722fb1ccec83eab
SHA512

9356d57a8f76d6435dc0287d0c588a55aaddecbff05880ee37c5b62e5b9ecf5bb7e3424796a35cc35a8bfb2e7725625dda0d706d63d9948e39cf2992fcaf07b9
SSDEEP

384:Z1/hRAeXQqXpjGKKKKaBkeBwnPLZL/yq3YmwULZSO1WYbmsfQk:Z1/hRtAqXpKKKKKaBke+Wcr

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SetTimerResolution.lnk powershell.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2468 sc.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1996 timeout.exe
3020 timeout.exe
4496 timeout.exe
2692 timeout.exe
252 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3060 taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2592 powershell.exe
2592 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3060 taskkill.exe
Token: SeDebugPrivilege 2592 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SetTimerResolution.lnk	powershell.exe

pid	process
2468	sc.exe

pid	process
1996	timeout.exe
3020	timeout.exe
4496	timeout.exe
2692	timeout.exe
252	timeout.exe

pid	process
3060	taskkill.exe

pid	process
2592	powershell.exe
2592	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 1496 wrote to memory of 1996	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 1996	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 1824	1496	cmd.exe	net.exe
PID 1496 wrote to memory of 1824	1496	cmd.exe	net.exe
PID 1824 wrote to memory of 1728	1824	net.exe	net1.exe
PID 1824 wrote to memory of 1728	1824	net.exe	net1.exe
PID 1496 wrote to memory of 2468	1496	cmd.exe	sc.exe
PID 1496 wrote to memory of 2468	1496	cmd.exe	sc.exe
PID 1496 wrote to memory of 3060	1496	cmd.exe	taskkill.exe
PID 1496 wrote to memory of 3060	1496	cmd.exe	taskkill.exe
PID 1496 wrote to memory of 3020	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 3020	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 4496	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 4496	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 2592	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 2592	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 2692	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 2692	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 252	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 252	1496	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\[4] S-Timer Setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\timeout.exe
timeout /t 2
2⤵
- Delays execution with timeout.exe
PID:1996

C:\Windows\system32\net.exe
net stop "STR"
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "STR"
3⤵
PID:1728

C:\Windows\system32\sc.exe
sc delete STR
2⤵
- Launches sc.exe
PID:2468

C:\Windows\system32\taskkill.exe
taskkill /f /im SetTimerResolution.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\timeout.exe
timeout /t 3
2⤵
- Delays execution with timeout.exe
PID:3020

C:\Windows\system32\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut([System.Environment]::GetFolderPath('Startup') + '\SetTimerResolution.lnk'); $Shortcut.TargetPath = 'C:\SetTimerResolution.exe'; $Shortcut.Arguments = '--resolution 5000 --no-console'; $Shortcut.Save()"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\timeout.exe
timeout /t 3
2⤵
- Delays execution with timeout.exe
PID:2692

C:\Windows\system32\timeout.exe
timeout /t 3
2⤵
- Delays execution with timeout.exe
PID:252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SetTimerResolution.exe

Filesize
134KB

MD5
b74c54b371ecc63abcb6b5ef839ba35a

SHA1
9cf7898b33a94b183ff7be491d5e7eaa9933174a

SHA256
6da88784280eda75df911a43b7e6153921af308a269d39333b6683ea0dc679da

SHA512
383d76746f0d1eb960a9bf95932bfe0f023f0e413ec87c4dcbec5db0d1440e541832690e5801cd1bd223ed35a4cf6da329916351c7dc36d4c9b0e0ae6bf89365

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbrp0r55.nob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2592-7-0x00000161E94E0000-0x00000161E9502000-memory.dmp

Filesize
136KB

Download
memory/2592-11-0x00007FFB0EC30000-0x00007FFB0F6F2000-memory.dmp

Filesize
10.8MB

Download
memory/2592-12-0x00000161E9630000-0x00000161E9640000-memory.dmp

Filesize
64KB

Download
memory/2592-13-0x00000161E9630000-0x00000161E9640000-memory.dmp

Filesize
64KB

Download
memory/2592-18-0x00007FFB0EC30000-0x00007FFB0F6F2000-memory.dmp

Filesize
10.8MB

Download