9d3d3f3b38a350f6e8bdab3c9077694fd1f36e716fda7b3c115cdc840c545b26

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free Exm Tweaking Utility 3.0.bat
Size

167KB
MD5

fa1e91d4f21e8a6c82151ffe115223c5
SHA1

cd33a6df1ca99df369aada9d52060f307ccc7871
SHA256

9d3d3f3b38a350f6e8bdab3c9077694fd1f36e716fda7b3c115cdc840c545b26
SHA512

b16a306c0bb5bb80eb21ad56e94878da099fd5a2497e26d119cbe65947ce4baf15588056ed92fa84687e647cbc5988a128a243b88ae26cdb81086126830ee9a6
SSDEEP

768:x3sHArcYtdZ9UymYSzDWqsaIZz+QOBRHEnSj+xSKD/jRnRt5hwWbUmPqoYEBs57m:dtr2ymYSznHEnSC/D/jRnxhwYBs57m

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3992	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1664	WMIC.exe
Token: SeSecurityPrivilege	1664	WMIC.exe
Token: SeTakeOwnershipPrivilege	1664	WMIC.exe
Token: SeLoadDriverPrivilege	1664	WMIC.exe
Token: SeSystemProfilePrivilege	1664	WMIC.exe
Token: SeSystemtimePrivilege	1664	WMIC.exe
Token: SeProfSingleProcessPrivilege	1664	WMIC.exe
Token: SeIncBasePriorityPrivilege	1664	WMIC.exe
Token: SeCreatePagefilePrivilege	1664	WMIC.exe
Token: SeBackupPrivilege	1664	WMIC.exe
Token: SeRestorePrivilege	1664	WMIC.exe
Token: SeShutdownPrivilege	1664	WMIC.exe
Token: SeDebugPrivilege	1664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1664	WMIC.exe
Token: SeRemoteShutdownPrivilege	1664	WMIC.exe
Token: SeUndockPrivilege	1664	WMIC.exe
Token: SeManageVolumePrivilege	1664	WMIC.exe
Token: 33	1664	WMIC.exe
Token: 34	1664	WMIC.exe
Token: 35	1664	WMIC.exe
Token: 36	1664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1664	WMIC.exe
Token: SeSecurityPrivilege	1664	WMIC.exe
Token: SeTakeOwnershipPrivilege	1664	WMIC.exe
Token: SeLoadDriverPrivilege	1664	WMIC.exe
Token: SeSystemProfilePrivilege	1664	WMIC.exe
Token: SeSystemtimePrivilege	1664	WMIC.exe
Token: SeProfSingleProcessPrivilege	1664	WMIC.exe
Token: SeIncBasePriorityPrivilege	1664	WMIC.exe
Token: SeCreatePagefilePrivilege	1664	WMIC.exe
Token: SeBackupPrivilege	1664	WMIC.exe
Token: SeRestorePrivilege	1664	WMIC.exe
Token: SeShutdownPrivilege	1664	WMIC.exe
Token: SeDebugPrivilege	1664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1664	WMIC.exe
Token: SeRemoteShutdownPrivilege	1664	WMIC.exe
Token: SeUndockPrivilege	1664	WMIC.exe
Token: SeManageVolumePrivilege	1664	WMIC.exe
Token: 33	1664	WMIC.exe
Token: 34	1664	WMIC.exe
Token: 35	1664	WMIC.exe
Token: 36	1664	WMIC.exe
Token: SeDebugPrivilege	1736	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 4020	2528	cmd.exe	89
PID 2528 wrote to memory of 4020	2528	cmd.exe	89
PID 4020 wrote to memory of 1664	4020	cmd.exe	90
PID 4020 wrote to memory of 1664	4020	cmd.exe	90
PID 4020 wrote to memory of 5012	4020	cmd.exe	91
PID 4020 wrote to memory of 5012	4020	cmd.exe	91
PID 2528 wrote to memory of 1736	2528	cmd.exe	93
PID 2528 wrote to memory of 1736	2528	cmd.exe	93
PID 2528 wrote to memory of 2932	2528	cmd.exe	95
PID 2528 wrote to memory of 2932	2528	cmd.exe	95
PID 2528 wrote to memory of 2092	2528	cmd.exe	97
PID 2528 wrote to memory of 2092	2528	cmd.exe	97
PID 2528 wrote to memory of 4608	2528	cmd.exe	98
PID 2528 wrote to memory of 4608	2528	cmd.exe	98
PID 2528 wrote to memory of 2868	2528	cmd.exe	99
PID 2528 wrote to memory of 2868	2528	cmd.exe	99
PID 2528 wrote to memory of 4132	2528	cmd.exe	100
PID 2528 wrote to memory of 4132	2528	cmd.exe	100
PID 2528 wrote to memory of 3992	2528	cmd.exe	102
PID 2528 wrote to memory of 3992	2528	cmd.exe	102
PID 2528 wrote to memory of 472	2528	cmd.exe	104
PID 2528 wrote to memory of 472	2528	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Free Exm Tweaking Utility 3.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:4608
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:2868
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4132
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3992
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hgf1s5d.veb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1736-5-0x000002AED55D0000-0x000002AED55F2000-memory.dmp

Filesize
136KB

Download
memory/1736-10-0x00007FFA897D0000-0x00007FFA8A291000-memory.dmp

Filesize
10.8MB

Download
memory/1736-11-0x000002AED5610000-0x000002AED5620000-memory.dmp

Filesize
64KB

Download
memory/1736-12-0x000002AED5610000-0x000002AED5620000-memory.dmp

Filesize
64KB

Download
memory/1736-13-0x000002AED5610000-0x000002AED5620000-memory.dmp

Filesize
64KB

Download
memory/1736-16-0x00007FFA897D0000-0x00007FFA8A291000-memory.dmp

Filesize
10.8MB

Download