e5ef2dc8b98c0e51ffc6577c9e4b8ecb5511526c9025bcee39644b83ffed093b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZXNDER PANEL PY.bat
Size

14KB
MD5

cedcbf5186ac08c5652f849e5ad1a8f5
SHA1

00027a87617f74b798c57cbf0e552a98a5d31449
SHA256

e5ef2dc8b98c0e51ffc6577c9e4b8ecb5511526c9025bcee39644b83ffed093b
SHA512

58b2eba4c44ef920ad859430bb68bdacbe9baf5080d39dcdb2efef2ab94c1ef3b24704c7b4d1ed89bfccce57a56b9fd99bb5d5401d145fe9e51f2ad7494ef0ef
SSDEEP

384:u23YEQpLuLpDq7QYfLGMV+jasHHLgLxL23YEsMp6S23YEQpLuLpDq7QYfLGMV+jm:u23YEBJA23YEsMpv23YEBJA23YEsMpq

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZXNDER PANEL PY.bat"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
4984	reg.exe
3164	reg.exe
3084	reg.exe
3556	reg.exe
2772	reg.exe
892	reg.exe
2612	reg.exe
5024	reg.exe
3828	reg.exe
4904	reg.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe
Token: SeSystemtimePrivilege	1524	cmd.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1312	1524	cmd.exe	90
PID 1524 wrote to memory of 1312	1524	cmd.exe	90
PID 1524 wrote to memory of 3556	1524	cmd.exe	91
PID 1524 wrote to memory of 3556	1524	cmd.exe	91
PID 1524 wrote to memory of 2772	1524	cmd.exe	98
PID 1524 wrote to memory of 2772	1524	cmd.exe	98
PID 1524 wrote to memory of 892	1524	cmd.exe	100
PID 1524 wrote to memory of 892	1524	cmd.exe	100
PID 1524 wrote to memory of 1968	1524	cmd.exe	101
PID 1524 wrote to memory of 1968	1524	cmd.exe	101
PID 1524 wrote to memory of 2624	1524	cmd.exe	102
PID 1524 wrote to memory of 2624	1524	cmd.exe	102
PID 1524 wrote to memory of 3688	1524	cmd.exe	103
PID 1524 wrote to memory of 3688	1524	cmd.exe	103
PID 1524 wrote to memory of 4448	1524	cmd.exe	107
PID 1524 wrote to memory of 4448	1524	cmd.exe	107
PID 1524 wrote to memory of 2612	1524	cmd.exe	108
PID 1524 wrote to memory of 2612	1524	cmd.exe	108
PID 1524 wrote to memory of 5024	1524	cmd.exe	109
PID 1524 wrote to memory of 5024	1524	cmd.exe	109
PID 1524 wrote to memory of 1624	1524	cmd.exe	110
PID 1524 wrote to memory of 1624	1524	cmd.exe	110
PID 1524 wrote to memory of 1620	1524	cmd.exe	111
PID 1524 wrote to memory of 1620	1524	cmd.exe	111
PID 1524 wrote to memory of 664	1524	cmd.exe	112
PID 1524 wrote to memory of 664	1524	cmd.exe	112
PID 1524 wrote to memory of 3828	1524	cmd.exe	113
PID 1524 wrote to memory of 3828	1524	cmd.exe	113
PID 1524 wrote to memory of 3164	1524	cmd.exe	114
PID 1524 wrote to memory of 3164	1524	cmd.exe	114
PID 1524 wrote to memory of 4448	1524	cmd.exe	116
PID 1524 wrote to memory of 4448	1524	cmd.exe	116
PID 1524 wrote to memory of 5080	1524	cmd.exe	117
PID 1524 wrote to memory of 5080	1524	cmd.exe	117
PID 1524 wrote to memory of 5096	1524	cmd.exe	118
PID 1524 wrote to memory of 5096	1524	cmd.exe	118
PID 1524 wrote to memory of 4456	1524	cmd.exe	119
PID 1524 wrote to memory of 4456	1524	cmd.exe	119
PID 1524 wrote to memory of 3084	1524	cmd.exe	120
PID 1524 wrote to memory of 3084	1524	cmd.exe	120
PID 1524 wrote to memory of 3556	1524	cmd.exe	121
PID 1524 wrote to memory of 3556	1524	cmd.exe	121
PID 1524 wrote to memory of 1708	1524	cmd.exe	122
PID 1524 wrote to memory of 1708	1524	cmd.exe	122
PID 1524 wrote to memory of 1048	1524	cmd.exe	123
PID 1524 wrote to memory of 1048	1524	cmd.exe	123
PID 1524 wrote to memory of 1980	1524	cmd.exe	124
PID 1524 wrote to memory of 1980	1524	cmd.exe	124
PID 1524 wrote to memory of 4904	1524	cmd.exe	125
PID 1524 wrote to memory of 4904	1524	cmd.exe	125
PID 1524 wrote to memory of 4984	1524	cmd.exe	126
PID 1524 wrote to memory of 4984	1524	cmd.exe	126

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ZXNDER PANEL PY.bat"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:1312
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3556
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:2772
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:892
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1968
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:2624
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:3688
- C:\Windows\system32\reg.exe
  Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\ZXNDER PANEL PY.bat" /f
  2⤵
  PID:4448
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:2612
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:5024
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:1620
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:664
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:3828
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:3164
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:4448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:5080
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\ZXNDER PANEL PY.bat" /f
  2⤵
  - Adds Run key to start application
  PID:4456
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:3084
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:3556
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
  2⤵
  PID:1708
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:1048
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL,SwapMouseButton
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:4904
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\ZXNDER PANEL PY.bat /f
  2⤵
  - Modifies registry key
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
40B

MD5
4beb3d3ce44c8fb785d53871ad0467ff

SHA1
c022a572436316d1f2a96a286294e06becca9679

SHA256
c7624fe3940e62e3c19895431b405fef48c3acb354853960eefbe771d23b33d6

SHA512
65faed7322585b9f01109c75e606c54c45d2d449461ec59953ac9da97f8b37eeb1ffc8d6602fc742d019fc0c8591cf8e02450afe8c3991fbcdda78134187a382

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
50B

MD5
7a618fb3fad3280d26d442a6a493f77a

SHA1
39969ca16227024420a3be865a34814811dc3ce0

SHA256
3e0187aa1cebeccf876650871eeed24156c46f07b2c0757bf4780984b98b73c7

SHA512
4be38d1dd67524cf843c7e06bb044040a307383a58245580eaffb2e367c5940babfcb0309cb03e5b874e1feb1724387d1c17e5553ac7e58db43ce5e0883b799a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
20B

MD5
30ae0aec3249443cc7346db76b737433

SHA1
1216ed17761766ee3cc9f3e4c824e3e5e67b5056

SHA256
c018103bce0c072bc77d86abb55630e54bae6f50c6298d7c7ceb6928c267d9af

SHA512
4ab5303f3ac7b0e932ee4cdbcfcdaa4ad74df33037e4bb79137bde758d7fd896f46c0f15bf78727e55013e57aa4e63227fab666d65ea5d3d7fa7edf3e97097b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
10B

MD5
7aba77b3cbdf0b7c78cee71d55dd6f50

SHA1
e1c06f4fc0029aa239aa2a8d5d6a0ec6bbd89516

SHA256
9b972e91c3c303336561ca43420e9a808c34812246b9fe6d85c22bf005254e3a

SHA512
d6e8770db9f96c32dc76fa2d8a78f50a24938be6e2aabd3214080a4db0ec497ec5ce6ae1b481d8b0bb442779812e7222e435d8f5e6b5dd763c46a959a4c14f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
30B

MD5
34374526fb4468f01ebbafec553cac26

SHA1
d239e5286cacc86ef3259282e24a8a867d4e20cd

SHA256
348110541899592dbbe15764caf4a7e0b63a32a9db056b8eb106a4a2b4c3ff03

SHA512
108f8312b9636cf28c94f7e9011cb2ed397e20876b0a0f245cc5f792383c6b5a13bfecf1ac70e79a74e08347166bb529854f8116bc6640c564c455196f5689d4

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
29007daf0f70042d4c5206118912c622

SHA1
02363b83694d45663ec253f65f14db889d9d253a

SHA256
656a1eb73cf2e4b101e46beee6c9f238f2c4b1e52f501f6b05299376984b6f55

SHA512
9a1e092fb8bdaad408bccc68c7a1b8164916e6bd75ff15f5ca7b33b05ee3bb3d66f8d2ae357866fc4d54921cf35007ad2cd840e8f4f79a23d6569a5c5cdcc565

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
23135f164a1a9bdc9bb60bfad120bd2c

SHA1
74fc0df0af300530f7989091b6f95bd3d7699d2e

SHA256
f16d72524d3ebed82501d4fa5affb04d434e73fdc6bad7cda55d1806552db021

SHA512
e3f6262a84105bb4d31493225e2a0b4a037f1e0eae92746f2ae71b00f1fb35b141af1fc73853163c7197f18d81d7503ccb62b97afe53b1b229baef3478d2042b

Download Submit
C:\mail.vbs

Filesize
594B

MD5
50a0f2c8f944530dda038230175f07a8

SHA1
4032ac8c0e87aaefb16bb3b20b247a015ef89e7c

SHA256
5aff9365762d3c8930d63bd682d4b5b917df9526561aeb56afbfcb8cfc1aa49d

SHA512
f8ef6d9897856bb302f69a34d5626bba638141bcafa707149119111b479056cb5e7ea43b19ac5309f8eeb6529164ddbea769542a7373fa4e18333e498631e40b

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
b455db8e82931b2602fe36a8e062a1ff

SHA1
92a507d9f85f6396579e7fea8472d8339655c8cb

SHA256
4dad6f1ea3ec92e97102cb87616b140d0daefad5c7f84bac3efa48f80de74d51

SHA512
6b4d1c87fc8ba09ebe3ebffe7193d2ac5dd5a0a9d7fcab5a3d0a4d54bec5ed80d1aaf45fe409634b136331483a415e8bf937ba8d898b7043e3fb24b53469d85a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads