Analysis
-
max time kernel
46s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 08:10
Static task
static1
Behavioral task
behavioral1
Sample
bsod fix.bat
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
bsod fix.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
nRi28Wtqb1.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
nRi28Wtqb1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
w11 fix.bat
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
w11 fix.bat
Resource
win10v2004-20240226-en
General
-
Target
w11 fix.bat
-
Size
507B
-
MD5
6fb44052dc5a85a097feeb91d7a81712
-
SHA1
29db33e6cf3286a6ba82af684ac535d42b43d257
-
SHA256
7ec1b31de3b0114c266df0b475c5c582a504c7c38f7127949df27f78a5d1c026
-
SHA512
ee9dbcc0a7340ec6fe968ba611f0849fd1b77b88cb5deaad4c6a516a417abaf14055021e949ca04fde979364f060504c911fede81b0c492b651ea1b3f246494a
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1672 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1672 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
cmd.exenet.exedescription pid process target process PID 2192 wrote to memory of 2972 2192 cmd.exe net.exe PID 2192 wrote to memory of 2972 2192 cmd.exe net.exe PID 2192 wrote to memory of 2972 2192 cmd.exe net.exe PID 2972 wrote to memory of 2744 2972 net.exe net1.exe PID 2972 wrote to memory of 2744 2972 net.exe net1.exe PID 2972 wrote to memory of 2744 2972 net.exe net1.exe PID 2192 wrote to memory of 3040 2192 cmd.exe bcdedit.exe PID 2192 wrote to memory of 3040 2192 cmd.exe bcdedit.exe PID 2192 wrote to memory of 3040 2192 cmd.exe bcdedit.exe PID 2192 wrote to memory of 1672 2192 cmd.exe powershell.exe PID 2192 wrote to memory of 1672 2192 cmd.exe powershell.exe PID 2192 wrote to memory of 1672 2192 cmd.exe powershell.exe PID 2192 wrote to memory of 2544 2192 cmd.exe reg.exe PID 2192 wrote to memory of 2544 2192 cmd.exe reg.exe PID 2192 wrote to memory of 2544 2192 cmd.exe reg.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\w11 fix.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:2744
-
C:\Windows\system32\bcdedit.exebcdedit /set hypervisorlaunchtype off2⤵
- Modifies boot configuration data using bcdedit
PID:3040 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -Command "Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672 -
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0000002⤵
- Modifies registry key
PID:2544