Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-03-2024 22:18

Errors

Reason
Machine shutdown

General

  • Target

    KernelOS21H2.bat

  • Size

    38KB

  • MD5

    bcd25445d0d143defaefeb34257baf60

  • SHA1

    1baf57d0ac9db658f642d50b2c61b818b9036924

  • SHA256

    6e7280bbd4c2ae300182de2507317fe1ab100404df897f06650190dd45e7f773

  • SHA512

    40b9c6809559293430134276d36c0bc7e7d36e256dfeb2f9cc75a88650241b32e771b6bb1ea12823ce7aa0e89cd81ac0acf73737cbd69d9051398817f8fbf56f

  • SSDEEP

    768:lTOLfw09oGDbfrdAUY5eCNldf2BWt9vOjfEv+/ZcbXmB9ofdfv3h8f+q1wqk:hku

Score
9/10

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 7 IoCs
  • Stops running service(s) 3 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 15 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\system32\chcp.com
        chcp
        3⤵
        PID:5068
    • C:\Windows\system32\chcp.com
      chcp 708
      2⤵
      PID:2004
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2.bat" "
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2316
      • C:\Windows\system32\powercfg.exe
        powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6 IDLE ON.pow" 01001011-0100-1111-0101-001188888884
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4408
      • C:\Windows\system32\powercfg.exe
        powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6.pow" 01001011-0100-1111-0101-001188888883
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4268
      • C:\Windows\system32\powercfg.exe
        powercfg /s 01001011-0100-1111-0101-001188888884
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4356
      • C:\Windows\system32\powercfg.exe
        powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
      • C:\Windows\system32\powercfg.exe
        powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\system32\powercfg.exe
        powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5012
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:208
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:928
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "Get-AppxPackage -AllUsers *WindowsStore* | Remove-AppxPackage"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3508
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2556
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:380
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4760
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4032
      • C:\Windows\system32\bcdedit.exe
        bcdedit /timeout 10
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3568
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformtick Yes
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3916
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set disabledynamictick Yes
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4152
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set bootmenupolicy Legacy
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4192
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set quietboot On
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4084
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set x2apicpolicy Disable
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4444
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set nx OptIn
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3628
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4136
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:332
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_networkadapter get GUID
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
        • C:\Windows\system32\findstr.exe
          findstr "{"
          4⤵
          PID:3432
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97E84A7E-2850-4D88-B8BE-B019231C671A}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
        3⤵
        PID:680
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97E84A7E-2850-4D88-B8BE-B019231C671A}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
        3⤵
        PID:3132
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97E84A7E-2850-4D88-B8BE-B019231C671A}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
        3⤵
        PID:2004
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:1696
      • C:\Windows\system32\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
        3⤵
        PID:4828
      • C:\Windows\system32\reg.exe
        REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
        3⤵
        PID:3644
      • C:\Windows\system32\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
        3⤵
        PID:2832
      • C:\Windows\system32\sc.exe
        sc delete nvagent
        3⤵
        • Launches sc.exe
        PID:4876
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4564
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
        3⤵
        PID:4760
        • C:\Windows\system32\where.exe
          where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
          4⤵
          PID:2268
      • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe" --uninstall --system-level --verbose-logging --force-uninstall
        3⤵
        • Drops file in Program Files directory
        PID:1888
        • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6b95399a8,0x7ff6b95399b4,0x7ff6b95399c0
          4⤵
          • Drops file in Program Files directory
          PID:4552
      • C:\Windows\system32\sc.exe
        sc delete edgeupdate
        3⤵
        • Launches sc.exe
        PID:844
      • C:\Windows\system32\sc.exe
        sc delete edgeupdatem
        3⤵
        • Launches sc.exe
        PID:3692
      • C:\Windows\system32\timeout.exe
        timeout /t 10 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:3448
      • C:\Windows\system32\shutdown.exe
        shutdown -r -f -t 7 -c "Please wait until your PC restarts..."
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:3432
      • C:\Windows\system32\timeout.exe
        timeout /t 4 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:680
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2504
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3915055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    d136d3411d4aa688242c53cafb993aa6
    SHA1
    1a81cc78e3ca445d5a5193e49ddce26d5e25179f
    SHA256
    00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397
    SHA512
    282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    64B
    MD5
    235a8eb126d835efb2e253459ab8b089
    SHA1
    293fbf68e6726a5a230c3a42624c01899e35a89f
    SHA256
    5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
    SHA512
    a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbvasocm.ohk.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1712-2-0x0000023841990000-0x00000238419B2000-memory.dmp
    Filesize
    136KB

  • memory/1712-10-0x00007FFCE7A40000-0x00007FFCE8501000-memory.dmp
    Filesize
    10.8MB

  • memory/1712-11-0x0000023841930000-0x0000023841940000-memory.dmp
    Filesize
    64KB

  • memory/1712-12-0x0000023841930000-0x0000023841940000-memory.dmp
    Filesize
    64KB

  • memory/1712-13-0x0000023841930000-0x0000023841940000-memory.dmp
    Filesize
    64KB

  • memory/1712-16-0x00007FFCE7A40000-0x00007FFCE8501000-memory.dmp
    Filesize
    10.8MB

  • memory/3508-27-0x00007FFCE7C30000-0x00007FFCE86F1000-memory.dmp
    Filesize
    10.8MB

  • memory/3508-28-0x000002D0D41D0000-0x000002D0D41E0000-memory.dmp
    Filesize
    64KB

  • memory/3508-29-0x000002D0D41D0000-0x000002D0D41E0000-memory.dmp
    Filesize
    64KB

  • memory/3508-31-0x000002D0D6F70000-0x000002D0D6F86000-memory.dmp
    Filesize
    88KB

  • memory/3508-32-0x000002D0D6F90000-0x000002D0D6F9A000-memory.dmp
    Filesize
    40KB

  • memory/3508-33-0x000002D0D7150000-0x000002D0D7176000-memory.dmp
    Filesize
    152KB

  • memory/3508-35-0x00007FFCE7C30000-0x00007FFCE86F1000-memory.dmp
    Filesize
    10.8MB