Overview

overview

10

Static

static

3

Optimizer.rar

windows7-x64

3

Optimizer.rar

windows10-2004-x64

3

Optimizer/...ps.cmd

windows7-x64

1

Optimizer/...ps.cmd

windows10-2004-x64

1

Optimizer/...os.cmd

windows7-x64

8

Optimizer/...os.cmd

windows10-2004-x64

8

Optimizer/...01.bat

windows7-x64

7

Optimizer/...01.bat

windows10-2004-x64

1

Optimizer/...02.bat

windows7-x64

4

Optimizer/...02.bat

windows10-2004-x64

1

Optimizer/...S..bat

windows7-x64

7

Optimizer/...S..bat

windows10-2004-x64

1

Optimizer/... 2.bat

windows7-x64

1

Optimizer/... 2.bat

windows10-2004-x64

1

Optimizer/...AM.bat

windows7-x64

1

Optimizer/...AM.bat

windows10-2004-x64

1

Optimizer/...op.ini

windows7-x64

1

Optimizer/...op.ini

windows10-2004-x64

1

Optimizer/...ar.bat

windows7-x64

7

Optimizer/...ar.bat

windows10-2004-x64

1

Optimizer/...ct.exe

windows7-x64

6

Optimizer/...ct.exe

windows10-2004-x64

8

Optimizer/... 1.reg

windows7-x64

1

Optimizer/... 1.reg

windows10-2004-x64

1

Optimizer/...os.lnk

windows7-x64

3

Optimizer/...os.lnk

windows10-2004-x64

3

Optimizer/...te.bat

windows7-x64

10

Optimizer/...te.bat

windows10-2004-x64

10

Optimizer/...ca.bat

windows7-x64

7

Optimizer/...ca.bat

windows10-2004-x64

1

Optimizer/...�O.bat

windows7-x64

9

Optimizer/...�O.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Optimizer/Pack Optimization/1. Otimizar Windows/+FPS/Desabilitar Serviços.cmd

  • Size

    1KB

  • MD5

    883d6b95f1dd95e5a17febc03735152e

  • SHA1

    23c76b6bbd615934d309c0f6df0161a2dd8f19a6

  • SHA256

    f0c263cba371d8655ce5b551bbfe36ea5f9991baf204a7be428d5c483eac3b88

  • SHA512

    23bd52aaf707f542da4f2262a0ba0f161ffaa853241c5b27c9f377f81f1d50e64a6ff84c6a6db31702ef9fb4ffef532da4ee9032fc1f7bd173ffadeb1f0b60a0

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Launches sc.exe 12 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Optimizer\Pack Optimization\1. Otimizar Windows\+FPS\Desabilitar Serviços.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic service where name='SysMain' call ChangeStartmode Disabled
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\system32\sc.exe
      sc stop "SysMain"
      2⤵
      • Launches sc.exe
      PID:3064
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic service where name='wisvc' call ChangeStartmode Disabled
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\system32\sc.exe
      sc stop "wisvc"
      2⤵
      • Launches sc.exe
      PID:2700
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic service where name='icssvc' call ChangeStartmode Disabled
      2⤵
        PID:2460
      • C:\Windows\system32\sc.exe
        sc stop "icssvc"
        2⤵
        • Launches sc.exe
        PID:2340
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic service where name='Fax' call ChangeStartmode Disabled
        2⤵
          PID:2516
        • C:\Windows\system32\sc.exe
          sc stop "Fax"
          2⤵
          • Launches sc.exe
          PID:2548
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic service where name='SessionEnv' call ChangeStartmode Disabled
          2⤵
            PID:2556
          • C:\Windows\system32\sc.exe
            sc stop "SessionEnv"
            2⤵
            • Launches sc.exe
            PID:2380
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic service where name='TermService' call ChangeStartmode Disabled
            2⤵
              PID:2392
            • C:\Windows\system32\sc.exe
              sc stop "TermService"
              2⤵
              • Launches sc.exe
              PID:2364
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic service where name='bthserv' call ChangeStartmode Disabled
              2⤵
                PID:2408
              • C:\Windows\system32\sc.exe
                sc stop "bthserv"
                2⤵
                • Launches sc.exe
                PID:2188
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic service where name='TabletInputService' call ChangeStartmode Disabled
                2⤵
                  PID:1856
                • C:\Windows\system32\sc.exe
                  sc stop "TabletInputService"
                  2⤵
                  • Launches sc.exe
                  PID:324
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic service where name='DiagTrack' call ChangeStartmode Disabled
                  2⤵
                    PID:2316
                  • C:\Windows\system32\sc.exe
                    sc stop "DiagTrack"
                    2⤵
                    • Launches sc.exe
                    PID:576
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic service where name='DPS' call ChangeStartmode Disabled
                    2⤵
                      PID:812
                    • C:\Windows\system32\sc.exe
                      sc stop "DPS"
                      2⤵
                      • Launches sc.exe
                      PID:904
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic service where name='DoSvc' call ChangeStartmode Disabled
                      2⤵
                        PID:552
                      • C:\Windows\system32\sc.exe
                        sc stop "DoSvc"
                        2⤵
                        • Launches sc.exe
                        PID:1840
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic service where name='WpnService' call ChangeStartmode Disabled
                        2⤵
                          PID:1488
                        • C:\Windows\system32\sc.exe
                          sc stop "WpnService"
                          2⤵
                          • Launches sc.exe
                          PID:536

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads