4363158e608f707a649909d8df602e383c6e921781850cb7af5d4a53271b3c84

Analysis

max time kernel
10s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malzero/start.bat
Size

1KB
MD5

ebd649c1c4ac5438015b645f4635e75e
SHA1

a744a3d955ce5ce4645f41b09d0eeec0b0ce0b73
SHA256

baa690c9afef5f9c587f148ee31fe00d1a4ca450afbb7ab2f46943f51db9b3b4
SHA512

e8e50fa3348f72660ff36e98d7408a9f01c4632086dc7f0b09e90ebf7d47cbd9fd15b32ea1844ec1343f1e597f3697046b1a1b414e82732a750e4e01ccce70b4

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
4296	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
792	CMDBKG.EXE
792	CMDBKG.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2900	WMIC.exe
Token: SeSecurityPrivilege	2900	WMIC.exe
Token: SeTakeOwnershipPrivilege	2900	WMIC.exe
Token: SeLoadDriverPrivilege	2900	WMIC.exe
Token: SeSystemProfilePrivilege	2900	WMIC.exe
Token: SeSystemtimePrivilege	2900	WMIC.exe
Token: SeProfSingleProcessPrivilege	2900	WMIC.exe
Token: SeIncBasePriorityPrivilege	2900	WMIC.exe
Token: SeCreatePagefilePrivilege	2900	WMIC.exe
Token: SeBackupPrivilege	2900	WMIC.exe
Token: SeRestorePrivilege	2900	WMIC.exe
Token: SeShutdownPrivilege	2900	WMIC.exe
Token: SeDebugPrivilege	2900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2900	WMIC.exe
Token: SeRemoteShutdownPrivilege	2900	WMIC.exe
Token: SeUndockPrivilege	2900	WMIC.exe
Token: SeManageVolumePrivilege	2900	WMIC.exe
Token: 33	2900	WMIC.exe
Token: 34	2900	WMIC.exe
Token: 35	2900	WMIC.exe
Token: 36	2900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2900	WMIC.exe
Token: SeSecurityPrivilege	2900	WMIC.exe
Token: SeTakeOwnershipPrivilege	2900	WMIC.exe
Token: SeLoadDriverPrivilege	2900	WMIC.exe
Token: SeSystemProfilePrivilege	2900	WMIC.exe
Token: SeSystemtimePrivilege	2900	WMIC.exe
Token: SeProfSingleProcessPrivilege	2900	WMIC.exe
Token: SeIncBasePriorityPrivilege	2900	WMIC.exe
Token: SeCreatePagefilePrivilege	2900	WMIC.exe
Token: SeBackupPrivilege	2900	WMIC.exe
Token: SeRestorePrivilege	2900	WMIC.exe
Token: SeShutdownPrivilege	2900	WMIC.exe
Token: SeDebugPrivilege	2900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2900	WMIC.exe
Token: SeRemoteShutdownPrivilege	2900	WMIC.exe
Token: SeUndockPrivilege	2900	WMIC.exe
Token: SeManageVolumePrivilege	2900	WMIC.exe
Token: 33	2900	WMIC.exe
Token: 34	2900	WMIC.exe
Token: 35	2900	WMIC.exe
Token: 36	2900	WMIC.exe
Token: SeRestorePrivilege	1500	regtool.exe
Token: SeBackupPrivilege	1500	regtool.exe
Token: SeDebugPrivilege	1500	regtool.exe
Token: SeRestorePrivilege	3860	regtool.exe
Token: SeBackupPrivilege	3860	regtool.exe
Token: SeDebugPrivilege	3860	regtool.exe
Token: SeRestorePrivilege	4540	regtool.exe
Token: SeBackupPrivilege	4540	regtool.exe
Token: SeDebugPrivilege	4540	regtool.exe
Token: SeDebugPrivilege	4296	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3616	4928	cmd.exe	85
PID 4928 wrote to memory of 3616	4928	cmd.exe	85
PID 4928 wrote to memory of 3148	4928	cmd.exe	86
PID 4928 wrote to memory of 3148	4928	cmd.exe	86
PID 4928 wrote to memory of 2900	4928	cmd.exe	87
PID 4928 wrote to memory of 2900	4928	cmd.exe	87
PID 4928 wrote to memory of 3288	4928	cmd.exe	88
PID 4928 wrote to memory of 3288	4928	cmd.exe	88
PID 4928 wrote to memory of 4960	4928	cmd.exe	90
PID 4928 wrote to memory of 4960	4928	cmd.exe	90
PID 4928 wrote to memory of 2988	4928	cmd.exe	91
PID 4928 wrote to memory of 2988	4928	cmd.exe	91
PID 2988 wrote to memory of 1420	2988	cmd.exe	92
PID 2988 wrote to memory of 1420	2988	cmd.exe	92
PID 4928 wrote to memory of 2456	4928	cmd.exe	93
PID 4928 wrote to memory of 2456	4928	cmd.exe	93
PID 2456 wrote to memory of 5020	2456	cmd.exe	95
PID 2456 wrote to memory of 5020	2456	cmd.exe	95
PID 2456 wrote to memory of 3360	2456	cmd.exe	96
PID 2456 wrote to memory of 3360	2456	cmd.exe	96
PID 2456 wrote to memory of 3596	2456	cmd.exe	97
PID 2456 wrote to memory of 3596	2456	cmd.exe	97
PID 2456 wrote to memory of 4600	2456	cmd.exe	98
PID 2456 wrote to memory of 4600	2456	cmd.exe	98
PID 4600 wrote to memory of 1500	4600	cmd.exe	99
PID 4600 wrote to memory of 1500	4600	cmd.exe	99
PID 4600 wrote to memory of 1500	4600	cmd.exe	99
PID 2456 wrote to memory of 4164	2456	cmd.exe	100
PID 2456 wrote to memory of 4164	2456	cmd.exe	100
PID 4164 wrote to memory of 3860	4164	cmd.exe	101
PID 4164 wrote to memory of 3860	4164	cmd.exe	101
PID 4164 wrote to memory of 3860	4164	cmd.exe	101
PID 2456 wrote to memory of 3440	2456	cmd.exe	102
PID 2456 wrote to memory of 3440	2456	cmd.exe	102
PID 3440 wrote to memory of 4540	3440	cmd.exe	103
PID 3440 wrote to memory of 4540	3440	cmd.exe	103
PID 3440 wrote to memory of 4540	3440	cmd.exe	103
PID 2456 wrote to memory of 4708	2456	cmd.exe	104
PID 2456 wrote to memory of 4708	2456	cmd.exe	104
PID 2456 wrote to memory of 4708	2456	cmd.exe	104
PID 4708 wrote to memory of 792	4708	cmdbkg.exe	105
PID 4708 wrote to memory of 792	4708	cmdbkg.exe	105
PID 4708 wrote to memory of 792	4708	cmdbkg.exe	105
PID 2456 wrote to memory of 4944	2456	cmd.exe	106
PID 2456 wrote to memory of 4944	2456	cmd.exe	106
PID 4944 wrote to memory of 1680	4944	cmd.exe	107
PID 4944 wrote to memory of 1680	4944	cmd.exe	107
PID 4944 wrote to memory of 1680	4944	cmd.exe	107
PID 2456 wrote to memory of 4376	2456	cmd.exe	108
PID 2456 wrote to memory of 4376	2456	cmd.exe	108
PID 4376 wrote to memory of 116	4376	cmd.exe	109
PID 4376 wrote to memory of 116	4376	cmd.exe	109
PID 4376 wrote to memory of 116	4376	cmd.exe	109
PID 2456 wrote to memory of 1964	2456	cmd.exe	110
PID 2456 wrote to memory of 1964	2456	cmd.exe	110
PID 2456 wrote to memory of 4040	2456	cmd.exe	111
PID 2456 wrote to memory of 4040	2456	cmd.exe	111
PID 2456 wrote to memory of 3760	2456	cmd.exe	112
PID 2456 wrote to memory of 3760	2456	cmd.exe	112
PID 2456 wrote to memory of 3760	2456	cmd.exe	112
PID 2456 wrote to memory of 4296	2456	cmd.exe	113
PID 2456 wrote to memory of 4296	2456	cmd.exe	113
PID 2456 wrote to memory of 4296	2456	cmd.exe	113
PID 2456 wrote to memory of 428	2456	cmd.exe	114

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
428	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\malzero\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\System32\reg.exe
  REG.EXE QUERY "HKCU\Console" -v QuickEdit
  2⤵
  PID:3616
- C:\Windows\System32\reg.exe
  REG.EXE IMPORT REPAIR\CMD_QUICKEDIT_DISABLE.REG
  2⤵
  PID:3148
- C:\Windows\System32\wbem\WMIC.exe
  WMIC.EXE OS GET CAPTION /VALUE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\find.exe
  FIND.EXE "Windows 11"
  2⤵
  PID:3288
- C:\Windows\System32\chcp.com
  CHCP.COM
  2⤵
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CHCP.COM 2>Nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\chcp.com
    CHCP.COM
    3⤵
    PID:1420
- C:\Windows\System32\cmd.exe
  CMD.EXE /D /C "#.BAT GLOBAL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\mode.com
    MODE.COM CON COLS=98 LINES=30
    3⤵
    PID:5020
- - C:\Windows\System32\reg.exe
    REG.EXE IMPORT REPAIR\CMD_QUICKEDIT_ENABLE.REG
    3⤵
    PID:3360
- - C:\Windows\System32\chcp.com
    CHCP.COM 949
    3⤵
    PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TOOLS\REGTOOL\REGTOOL.EXE -w -q get "\HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\REGTOOL\regtool.exe
      TOOLS\REGTOOL\REGTOOL.EXE -w -q get "\HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TOOLS\REGTOOL\REGTOOL.EXE -w -q get "\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\REGTOOL\regtool.exe
      TOOLS\REGTOOL\REGTOOL.EXE -w -q get "\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TOOLS\REGTOOL\REGTOOL.EXE -w -q get "\HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\REGTOOL\regtool.exe
      TOOLS\REGTOOL\REGTOOL.EXE -w -q get "\HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4540
- - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\CMDBKG\cmdbkg.exe
    TOOLS\CMDBKG\CMDBKG.EXE RESOURCE\BACKGROUND.PNG /C
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\CMDBKG\CMDBKG.EXE
      TOOLS\CMDBKG\CMDBKG.EXE RESOURCE\BACKGROUND.PNG /C
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TOOLS\DOFF\DOFF.EXE "yyyymmdd" -7 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\DOFF\doff.exe
      TOOLS\DOFF\DOFF.EXE "yyyymmdd" -7
      4⤵
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TOOLS\DOFF\DOFF.EXE "yyyymmdd" -10 2>Nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\DOFF\doff.exe
      TOOLS\DOFF\DOFF.EXE "yyyymmdd" -10
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO "C:\Users\Admin\AppData\Local\Temp\malzero\""
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\GREP\x64\grep.exe
    TOOLS\GREP\x64\GREP.EXE -Fi C:\Users\Admin\AppData\Local\Temp
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\CMDBKG\cmdbkg.exe
    TOOLS\CMDBKG\CMDBKG.EXE
    3⤵
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\malzero\TOOLS\TASKS\taskkill.exe
    TOOLS\TASKS\TASKKILL.EXE /F /IM "NOSLEEP.EXE"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\System32\attrib.exe
    ATTRIB.EXE -R -H -S "DB_EXEC\*" /S /D
    3⤵
    - Views/modifies file attributes
    PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CMDQUICKEDITDISABLE

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\malzero\variable\1198831629327211220413915151014280.v

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\malzero\variable\320124906243036712291262440018629.v

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
memory/792-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1500-14-0x0000000061000000-0x00000000614E0000-memory.dmp

Filesize
4.9MB

Download
memory/1500-17-0x0000000061000000-0x00000000614E0000-memory.dmp

Filesize
4.9MB

Download
memory/1500-15-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/3760-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3860-18-0x0000000061000000-0x00000000614E0000-memory.dmp

Filesize
4.9MB

Download
memory/3860-19-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/3860-20-0x0000000061000000-0x00000000614E0000-memory.dmp

Filesize
4.9MB

Download
memory/4540-21-0x0000000061000000-0x00000000614E0000-memory.dmp

Filesize
4.9MB

Download
memory/4540-22-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/4540-24-0x0000000061000000-0x00000000614E0000-memory.dmp

Filesize
4.9MB

Download
memory/4708-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download