Analysis
max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-04-2024 16:38
Static task: static1

Behavioral task: behavioral1
  Sample: bsod.bat
  Resource: win7-20240221-en
  Platform: windows7-x64
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: bsod.bat
  Resource: win10-20240404-en
  Platform: windows10-1703-x64
  7 signatures, 150 seconds

Behavioral task: behavioral3
  Sample: bsod.bat
  Resource: win10v2004-20240419-en
  Platform: windows10-2004-x64
  8 signatures, 150 seconds

Behavioral task: behavioral4
  Sample: bsod.bat
  Resource: win11-20240419-en
  Platform: windows11-21h2-x64
  9 signatures, 150 seconds
General
Target: bsod.bat
Size: 5KB
MD5: 21b0fedde7a4eecc4db3a5e7f867e9af
SHA1: 0e4f272b861b0fb5e0a665b1e985f49f596a80e0
SHA256: fc760c67dfe939989f0d83fdb2deef71db40e4a552ab558c96e79561756ada35
SHA512: 213e0b7a7346416422618145bbb458f2f6ea962f608e14bfa21e4403d025f7ea4252c192453734f58df46d0b48f91993c2778bc922990b1e66cd23ece03a8f0d
SSDEEP: 96:zw6Q+I7lvQcbP6RbhoYEt8H2ZXAGOks+ELAuqrDUccLrD1g:TG4elgccL3S
Score: 7/10
Malware Config
Signatures
Modifies file permissions (1 TTPs, 4 IoCs)
  pid   Process
  3224  takeown.exe
  3368  takeown.exe
  3588  takeown.exe
  4036  takeown.exe
Drops file in System32 directory (2 IoCs)
  description   ioc                                                    Process
  File created  C:\Windows\system32\wbem\Performance\WmiApRpl_new.h    WMIADAP.EXE
  File created  C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini  WMIADAP.EXE
Drops file in Program Files directory (40 IoCs)
Kills process with taskkill (2 IoCs)
  pid   Process
  2900  taskkill.exe
  3440  taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3700  LogonUI.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes
(child processes are indented under their parent)

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bsod.bat"
  PID: 4660
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\users\
    PID: 3224
    - Modifies file permissions

  C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\
    PID: 3368
    - Modifies file permissions

  C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\windows\
    PID: 3588
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\programdata\
    PID: 4036
    - Modifies file permissions

  C:\Windows\system32\taskkill.exe
    Command line: taskkill /f /im explorer.exe
    PID: 2900
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\taskkill.exe
    Command line: taskkill /f /im dwm.exe
    PID: 3440
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 4352
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 3168
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 836
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 2972
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 900
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 4912
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 3360
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 1640
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3a1f855 /state1:0x41c64e6d
  PID: 3700
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WMIADAP.EXE
  Command line: wmiadap.exe /R /T
  PID: 4508
  - Drops file in System32 directory