Analysis

  • max time kernel
    28s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 03:37

General

  • Target

    AntivirusDefender-main/AntivirusDefender3.2.bat

  • Size

    164B

  • MD5

    0559cbad4de4ff67440f857255584ac4

  • SHA1

    e75403dfca205ab43117b00e0300ade704fc0bf5

  • SHA256

    3c980efd376b67af91d4088d9bf7aa426eba9181e2c96738888ee148a6a4e141

  • SHA512

    138adf13cd645c38ed5a07bc398057f6ac967e06bffab8ba20c7cedcb3dcffe4402cd5cd988d0388f5ee186209038e452194926fed5d7ad80abff1003c9d1174

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 9 IoCs
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Modifies Installed Components in the registry 2 TTPs 61 IoCs
  • Registers new Print Monitor 2 TTPs 6 IoCs
  • Sets file execution options in registry 2 TTPs 42 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Modifies system executable filetype association 2 TTPs 45 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender3.2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\system32\mountvol.exe
      mountvol x: /s
      2⤵
        PID:320
      • C:\Windows\system32\icacls.exe
        icacls x:
        2⤵
        • Modifies file permissions
        PID:1548
      • C:\Windows\system32\icacls.exe
        icacls c:
        2⤵
        • Modifies file permissions
        PID:1732
      • C:\Windows\system32\reg.exe
        reg delete HKCR /f
        2⤵
        • Modifies system executable filetype association
        • Registers COM server for autorun
        • Modifies registry class
        PID:1060
      • C:\Windows\system32\reg.exe
        reg delete HKCU /f
        2⤵
        • Manipulates Digital Signatures
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Modifies registry key
        PID:2632
      • C:\Windows\system32\reg.exe
        reg delete HKLM /f
        2⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Modifies firewall policy service
        • Modifies security service
        • Manipulates Digital Signatures
        • Modifies Installed Components in the registry
        • Registers new Print Monitor
        • Sets file execution options in registry
        • Registers COM server for autorun
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Maps connected drives based on registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Modifies registry key
        PID:2644
      • C:\Windows\system32\reg.exe
        reg delete HKU /f
        2⤵
          PID:2860
        • C:\Windows\system32\reg.exe
          reg delete HKCC /f
          2⤵
            PID:2432

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads