Overview

overview

1

Static

static

1

Free Exm T....0.bat

windows10-2004-x64

1

Free Exm T....0.bat

windows10-1703-x64

1

Analysis

  • max time kernel
    133s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/03/2024, 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Free Exm Tweaking Utility 3.0.bat

  • Size

    167KB

  • MD5

    fa1e91d4f21e8a6c82151ffe115223c5

  • SHA1

    cd33a6df1ca99df369aada9d52060f307ccc7871

  • SHA256

    9d3d3f3b38a350f6e8bdab3c9077694fd1f36e716fda7b3c115cdc840c545b26

  • SHA512

    b16a306c0bb5bb80eb21ad56e94878da099fd5a2497e26d119cbe65947ce4baf15588056ed92fa84687e647cbc5988a128a243b88ae26cdb81086126830ee9a6

  • SSDEEP

    768:x3sHArcYtdZ9UymYSzDWqsaIZz+QOBRHEnSj+xSKD/jRnRt5hwWbUmPqoYEBs57m:dtr2ymYSznHEnSC/D/jRnxhwYBs57m

Score
1/10

Malware Config

Signatures

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Free Exm Tweaking Utility 3.0.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path Win32_UserAccount where name="Admin" get sid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\system32\findstr.exe
        findstr "S-"
        3⤵
          PID:3364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4724
      • C:\Windows\system32\reg.exe
        Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
        2⤵
          PID:4916
        • C:\Windows\system32\reg.exe
          Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
          2⤵
            PID:4572
          • C:\Windows\system32\reg.exe
            Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
            2⤵
              PID:1268
            • C:\Windows\system32\reg.exe
              Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
              2⤵
                PID:2936
              • C:\Windows\system32\chcp.com
                chcp 65001
                2⤵
                  PID:800
                • C:\Windows\system32\timeout.exe
                  timeout /t 1 /nobreak
                  2⤵
                  • Delays execution with timeout.exe
                  PID:5080
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  2⤵
                    PID:1520

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11vrar1d.df2.ps1
                  Filesize

                  1B

                  MD5

                  c4ca4238a0b923820dcc509a6f75849b

                  SHA1

                  356a192b7913b04c54574d18c28d46e6395428ab

                  SHA256

                  6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                  SHA512

                  4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                  Download Submit

                • memory/4724-5-0x00007FF8CDE10000-0x00007FF8CE7FC000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/4724-4-0x000001DE7FA80000-0x000001DE7FAA2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4724-7-0x000001DE7F4E0000-0x000001DE7F4F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4724-9-0x000001DE7F4E0000-0x000001DE7F4F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4724-10-0x000001DE7FC30000-0x000001DE7FCA6000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/4724-28-0x000001DE7F4E0000-0x000001DE7F4F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4724-29-0x00007FF8CDE10000-0x00007FF8CE7FC000-memory.dmp

                  Filesize

                  9.9MB

                  Download