96b69ee3a4311d4fa35d608c4da17ace27243381bb26a3eb94994349d4416455 | Triage

Resubmissions

09/05/2024, 17:38

240509-v77l9seb6v 7

09/05/2024, 17:37

240509-v7crwshb89 7

Analysis

max time kernel
6s
max time network
7s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 17:38

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

Implant auto-shutdown into startup.bat
Size

691B
MD5

dec20e0634f78a5cb5e483960411b258
SHA1

fab719f331b9d7f210da1098c91443d4f763e9bc
SHA256

96b69ee3a4311d4fa35d608c4da17ace27243381bb26a3eb94994349d4416455
SHA512

de1cd08c6427e6152612ebfa3be6208cdfbd212fe1ae1bfe80221c3a8adad9297930aa0681986bf2cf768ac012426a4d2cd44f56b8ac3eae9437fb1282ae4b85

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shutdown.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shutdown.bat	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3036	shutdown.exe
Token: SeRemoteShutdownPrivilege	3036	shutdown.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 3036	996	cmd.exe	29
PID 996 wrote to memory of 3036	996	cmd.exe	29
PID 996 wrote to memory of 3036	996	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Implant auto-shutdown into startup.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\system32\shutdown.exe
  shutdown -r -f -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-3-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2624-4-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download