Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 04:46
Static task
static1
Behavioral task
behavioral1
Sample
bsod fix.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bsod fix.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
u237cgatAh2.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
u237cgatAh2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
w11 fix.bat
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
w11 fix.bat
Resource
win10v2004-20240426-en
General
-
Target
w11 fix.bat
-
Size
507B
-
MD5
6fb44052dc5a85a097feeb91d7a81712
-
SHA1
29db33e6cf3286a6ba82af684ac535d42b43d257
-
SHA256
7ec1b31de3b0114c266df0b475c5c582a504c7c38f7127949df27f78a5d1c026
-
SHA512
ee9dbcc0a7340ec6fe968ba611f0849fd1b77b88cb5deaad4c6a516a417abaf14055021e949ca04fde979364f060504c911fede81b0c492b651ea1b3f246494a
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 2228 bcdedit.exe -
pid Process 2352 powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2868 reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2352 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2352 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2208 2364 cmd.exe 29 PID 2364 wrote to memory of 2208 2364 cmd.exe 29 PID 2364 wrote to memory of 2208 2364 cmd.exe 29 PID 2208 wrote to memory of 804 2208 net.exe 30 PID 2208 wrote to memory of 804 2208 net.exe 30 PID 2208 wrote to memory of 804 2208 net.exe 30 PID 2364 wrote to memory of 2228 2364 cmd.exe 31 PID 2364 wrote to memory of 2228 2364 cmd.exe 31 PID 2364 wrote to memory of 2228 2364 cmd.exe 31 PID 2364 wrote to memory of 2352 2364 cmd.exe 32 PID 2364 wrote to memory of 2352 2364 cmd.exe 32 PID 2364 wrote to memory of 2352 2364 cmd.exe 32 PID 2364 wrote to memory of 2868 2364 cmd.exe 33 PID 2364 wrote to memory of 2868 2364 cmd.exe 33 PID 2364 wrote to memory of 2868 2364 cmd.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\w11 fix.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:804
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set hypervisorlaunchtype off2⤵
- Modifies boot configuration data using bcdedit
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -Command "Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0000002⤵
- Modifies registry key
PID:2868
-