Analysis
max time kernel
74s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
01-06-2024 04:46
Static task
static1
Behavioral task
behavioral1
Sample
bsod fix.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bsod fix.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
u237cgatAh2.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
u237cgatAh2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
w11 fix.bat
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
w11 fix.bat
Resource
win10v2004-20240426-en
General
Target
bsod fix.bat
Size
415B
MD5
392f331dc1744fbe560a2a17d7ca838f
SHA1
817559945e137d036f47b26696d4fab5f22572c1
SHA256
318ae14fd3712848ed06c109d36a9df600964e1d827581f980c121d52a7b5df5
SHA512
0b1023402d8bf343cdee0e1e643209a65879dca4a7e22862b28ba08dea2d1a72ff651ab757ce32ad11add2aad61b44f36a64d1c754bdbe1ea740c44c2857c0dd
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2588  chrome.exe
2588  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                 pid   Process
Token: SeShutdownPrivilege  2588  chrome.exe   (64 identical entries)
Suspicious use of FindShellTrayWindow 34 IoCs
pid   Process
2588  chrome.exe   (34 identical entries)
Suspicious use of SendNotifyMessage 32 IoCs
pid   Process
2588  chrome.exe   (32 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target  entries
PID 2732 wrote to memory of 2836  2732  cmd.exe     29             3
PID 2836 wrote to memory of 2900  2836  net.exe     30             3
PID 2732 wrote to memory of 2340  2732  cmd.exe     31             3
PID 2732 wrote to memory of 2776  2732  cmd.exe     32             3
PID 2588 wrote to memory of 2652  2588  chrome.exe  34             3
PID 2588 wrote to memory of 2472  2588  chrome.exe  36             39
PID 2588 wrote to memory of 2508  2588  chrome.exe  37             3
PID 2588 wrote to memory of 2872  2588  chrome.exe  38             7
Processes
C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\bsod fix.bat"
    PID: 2732
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
        Command line: NET SESSION
        PID: 2836
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 SESSION
            PID: 2900
    C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3
        PID: 2340
    C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
        PID: 2776

C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID: 2588
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f09758,0x7fef5f09768,0x7fef5f09778
        PID: 2652
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:2
        PID: 2472
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:8
        PID: 2508
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1652 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:8
        PID: 2872
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:1
        PID: 320
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2344 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:1
        PID: 1020
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2852 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:2
        PID: 2816
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2884 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:1
        PID: 584
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3048 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:8
        PID: 1840
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:8
        PID: 3036
    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 --field-trial-handle=1392,i,13283824715300936717,12669083221894665618,131072 /prefetch:8
        PID: 1048

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    PID: 856

C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 1728
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize  264KB
MD5       f50f89a0a91564d0b8a211f8921aa7de
SHA1      112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize  16B
MD5       aefd77f47fb84fae5ea194496b44c67a
SHA1      dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256    4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512    b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Filesize  5KB
MD5       8f5dc29e1c42f9cf65430cab879672b4
SHA1      cb57307aa40ad99aa8276cbf4a6316408f69946d
SHA256    86cb192d2ab7afa547224cdc345ba7b18f22075db9034ca528f169c884d22dad
SHA512    b6e26e63f8bf86a5811e5aa9f0486f96d3ec0cc7469287bfda8bfc76d95e3c9b063cf2af4442530f61ed33c3f08d180f746f37bf8f3841bbe30ddf12894f96df

Filesize  5KB
MD5       e06d0a01e8e1ba4031a16a00a79bc761
SHA1      df27adfc523fe8516929ad34d6289fe30bb92de3
SHA256    5e2fd909d227fb53b3fc0e56a4c21e8416b1843c018222488051c01499036afd
SHA512    9c1be373a66a3a2b1306f1582f295b0070b8b0da2fdd195a6adc9d4dd211d6b803f057f8e90d5681f762429e1026f342a36e3d511218a0730344b53b58dcf97b

Filesize  16B
MD5       18e723571b00fb1694a3bad6c78e4054
SHA1      afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2