a09b29748ae4797b934cd854ce01eefc4debe385e7e642e26e035dea7569ff90

Analysis

max time kernel
1698s
max time network
1179s
platform
windows10-2004_x64
resource
win10v2004-20240426-es
resource tags

arch:x64arch:x86image:win10v2004-20240426-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
16-05-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KernelOS-Modules/KernelOS22H2.bat
Size

63KB
MD5

32d7f72b68d881ed12300ca88b68cd54
SHA1

4e95abacf4a54720785e31a7c408609d3e3478be
SHA256

2b841784fbb8345e3bf40ab4950b60c7aee4633973ffea33f5325a0cb25da973
SHA512

a805b7373d823ea8c5cd33f69b71f759d9edf5dc0c38c53ac2dd0e1b9048bbfd243494e30e72fd5e399afaa6c389f6d3f5d7ac10501c1db8d4cc6ad665bc5047
SSDEEP

768:lTIyf6W5oGNbfrdAUY5eC9vOcbXmB9ofdfv3h8mox+QRv2WYV5FEvUr:hJi

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3012 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4516 timeout.exe
1228 timeout.exe
4024 timeout.exe
684 timeout.exe
3008 timeout.exe
3588 timeout.exe
1584 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1712 taskkill.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

3012 powershell.exe
3012 powershell.exe
3012 powershell.exe
4280 powershell.exe
4280 powershell.exe

pid	process
3012	powershell.exe

pid	process
4516	timeout.exe
1228	timeout.exe
4024	timeout.exe
684	timeout.exe
3008	timeout.exe
3588	timeout.exe
1584	timeout.exe

pid	process
1712	taskkill.exe

pid	process
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
4280	powershell.exe
4280	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

taskkill.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeShutdownPrivilege	1944	powercfg.exe
Token: SeCreatePagefilePrivilege	1944	powercfg.exe
Token: SeShutdownPrivilege	3736	powercfg.exe
Token: SeCreatePagefilePrivilege	3736	powercfg.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeCreatePagefilePrivilege	1916	powercfg.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeCreatePagefilePrivilege	1580	powercfg.exe
Token: SeShutdownPrivilege	3564	powercfg.exe
Token: SeCreatePagefilePrivilege	3564	powercfg.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeDebugPrivilege	4280	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.exe

description	pid	process	target process
PID 5052 wrote to memory of 4760	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 4760	5052	cmd.exe	cmd.exe
PID 4760 wrote to memory of 4924	4760	cmd.exe	chcp.com
PID 4760 wrote to memory of 4924	4760	cmd.exe	chcp.com
PID 5052 wrote to memory of 4880	5052	cmd.exe	chcp.com
PID 5052 wrote to memory of 4880	5052	cmd.exe	chcp.com
PID 5052 wrote to memory of 536	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 536	5052	cmd.exe	cmd.exe
PID 536 wrote to memory of 8	536	cmd.exe	mode.com
PID 536 wrote to memory of 8	536	cmd.exe	mode.com
PID 536 wrote to memory of 1712	536	cmd.exe	taskkill.exe
PID 536 wrote to memory of 1712	536	cmd.exe	taskkill.exe
PID 536 wrote to memory of 3012	536	cmd.exe	powershell.exe
PID 536 wrote to memory of 3012	536	cmd.exe	powershell.exe
PID 536 wrote to memory of 4024	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 4024	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 1944	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 1944	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 3736	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 3736	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 1916	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 1916	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 1580	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 1580	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 3564	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 3564	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 4320	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 4320	536	cmd.exe	powercfg.exe
PID 536 wrote to memory of 684	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 684	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 3008	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 3008	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 3588	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 3588	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 1584	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 1584	536	cmd.exe	timeout.exe
PID 536 wrote to memory of 4088	536	cmd.exe	reg.exe
PID 536 wrote to memory of 4088	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2516	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2516	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2384	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2384	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2700	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2700	536	cmd.exe	reg.exe
PID 536 wrote to memory of 4480	536	cmd.exe	reg.exe
PID 536 wrote to memory of 4480	536	cmd.exe	reg.exe
PID 536 wrote to memory of 1592	536	cmd.exe	reg.exe
PID 536 wrote to memory of 1592	536	cmd.exe	reg.exe
PID 536 wrote to memory of 1928	536	cmd.exe	reg.exe
PID 536 wrote to memory of 1928	536	cmd.exe	reg.exe
PID 536 wrote to memory of 3260	536	cmd.exe	reg.exe
PID 536 wrote to memory of 3260	536	cmd.exe	reg.exe
PID 536 wrote to memory of 1172	536	cmd.exe	reg.exe
PID 536 wrote to memory of 1172	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2832	536	cmd.exe	reg.exe
PID 536 wrote to memory of 2832	536	cmd.exe	reg.exe
PID 536 wrote to memory of 4900	536	cmd.exe	reg.exe
PID 536 wrote to memory of 4900	536	cmd.exe	reg.exe
PID 536 wrote to memory of 5020	536	cmd.exe	reg.exe
PID 536 wrote to memory of 5020	536	cmd.exe	reg.exe
PID 536 wrote to memory of 3492	536	cmd.exe	reg.exe
PID 536 wrote to memory of 3492	536	cmd.exe	reg.exe
PID 536 wrote to memory of 740	536	cmd.exe	reg.exe
PID 536 wrote to memory of 740	536	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KernelOS-Modules\KernelOS22H2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\chcp.com
chcp
3⤵
PID:4924

C:\Windows\system32\chcp.com
chcp 708
2⤵
PID:4880

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS-Modules\KernelOS22H2.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\mode.com
mode con: cols=80 lines=20
3⤵
PID:8

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4024

C:\Windows\system32\powercfg.exe
powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6.1 IDLE ON.pow" 01001011-0100-1111-0101-001188888884
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\powercfg.exe
powercfg /import "C:\KernelOS-Modules\UltimatePerformance.pow" 01001011-0100-1111-0101-001188888883
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\powercfg.exe
powercfg /s 01001011-0100-1111-0101-001188888884
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\powercfg.exe
powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\powercfg.exe
powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\powercfg.exe
powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:684

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3008

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3588

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu" /v "ShowedStyle2" /t REG_DWORD /d "1" /f
3⤵
PID:4088

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "Version" /t REG_DWORD /d "67371168" /f
3⤵
PID:2516

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "SkipMetro" /t REG_DWORD /d "1" /f
3⤵
PID:2384

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "StartScreenShortcut" /t REG_DWORD /d "0" /f
3⤵
PID:2700

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "InvertMetroIcons" /t REG_DWORD /d "0" /f
3⤵
PID:4480

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "MainMenuAnimation" /t REG_SZ /d "Slide" /f
3⤵
PID:1592

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "MainMenuAnimationSpeed" /t REG_DWORD /d "550" /f
3⤵
PID:1928

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "SubMenuAnimation" /t REG_SZ /d "Slide" /f
3⤵
PID:3260

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "SubMenuAnimationAlways" /t REG_DWORD /d "1" /f
3⤵
PID:1172

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "NumericSort" /t REG_DWORD /d "1" /f
3⤵
PID:2832

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "FontSmoothing" /t REG_SZ /d "Default" /f
3⤵
PID:4900

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "MenuShadow" /t REG_DWORD /d "0" /f
3⤵
PID:5020

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "EnableGlass" /t REG_DWORD /d "1" /f
3⤵
PID:3492

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "GlassOverride" /t REG_DWORD /d "1" /f
3⤵
PID:740

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "GlassColor" /t REG_DWORD /d "6908265" /f
3⤵
PID:1964

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "GlassOpacity" /t REG_DWORD /d "100" /f
3⤵
PID:1144

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "SkinW7" /t REG_SZ /d "KernelOS" /f
3⤵
PID:4912

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "SkinVariationW7" /t REG_SZ /d "" /f
3⤵
PID:4248

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "SkinOptionsW7" /t REG_MULTI_SZ /d "" /f
3⤵
PID:4964

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "CustomTaskbar" /t REG_DWORD /d "0" /f
3⤵
PID:4740

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "OpenMouseMonitor" /t REG_DWORD /d "0" /f
3⤵
PID:1204

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\OpenShell\StartMenu\Settings" /v "MenuItems7" /t REG_MULTI_SZ /d "Item1.Command=computer\0Item1.Settings=NOEXPAND\0Item2.Command=control_panel\0Item2.Settings=TRACK_RECENT\0Item3.Command=downloads\0Item3.Tip=$Menu.DownloadTip\0Item4.Command=C:\Windows\POST-INSTALL\0Item4.Label=POST-INSTALL\0Item4.Tip=$Menu.PrintersTip\0Item4.Icon=shell32.dll, 5\0Item5.Link=https://twitter.com/KernelPan1c5750\0Item5.Label=Twitter\0Item5.Tip=$Menu.PrintersTip\0Item5.Icon=%SystemDrive%\twitter.ico\0Item5.Settings=NOEXPAND\0Item6.Link=https://www.dsc.gg/kernelos\0Item6.Label=Discord KernelOS\0Item6.Icon=%SystemDrive%\discord.ico\0Item6.Settings=NOEXPAND" /f
3⤵
PID:5064

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-AppxPackage -AllUsers *WindowsStore* | Remove-AppxPackage"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4egos0de.2hl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3012-16-0x00000159615D0000-0x00000159615DA000-memory.dmp

Filesize
40KB

Download
memory/3012-8-0x00007FFE5D690000-0x00007FFE5E151000-memory.dmp

Filesize
10.8MB

Download
memory/3012-14-0x0000015961590000-0x00000159615A0000-memory.dmp

Filesize
64KB

Download
memory/3012-9-0x00007FFE5D690000-0x00007FFE5E151000-memory.dmp

Filesize
10.8MB

Download
memory/3012-15-0x00000159616B0000-0x00000159617B2000-memory.dmp

Filesize
1.0MB

Download
memory/3012-0-0x00007FFE5D693000-0x00007FFE5D695000-memory.dmp

Filesize
8KB

Download
memory/3012-19-0x00007FFE5D690000-0x00007FFE5E151000-memory.dmp

Filesize
10.8MB

Download
memory/3012-7-0x0000015961460000-0x0000015961482000-memory.dmp

Filesize
136KB

Download
memory/3012-1-0x0000015961B20000-0x0000015961BA2000-memory.dmp

Filesize
520KB

Download
memory/4280-31-0x0000024FB4BB0000-0x0000024FB4BC4000-memory.dmp

Filesize
80KB

Download
memory/4280-32-0x0000024FB6EF0000-0x0000024FB6F06000-memory.dmp

Filesize
88KB

Download
memory/4280-33-0x0000024FB4BA0000-0x0000024FB4BAA000-memory.dmp

Filesize
40KB

Download
memory/4280-34-0x0000024FB6F80000-0x0000024FB6FA6000-memory.dmp

Filesize
152KB

Download
memory/4280-35-0x0000024FB4BD0000-0x0000024FB4BD8000-memory.dmp

Filesize
32KB

Download