Overview

overview

10

Static

static

1

EXMPremiumTweaker.bat

windows7-x64

10

EXMPremiumTweaker.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EXMPremiumTweaker.bat

  • Size

    669KB

  • MD5

    a907bfcab8903b37d8595377c3e268ed

  • SHA1

    e521540a3bffd5567d83782628b3de6173cb9364

  • SHA256

    12d8bccc8b4bf05902c0b015095db69b07dd859b577e9aa806201a082a8244ee

  • SHA512

    bb122cd94abfe6b43b2bd86852b37212b0d6096385bad85fea47d0aa3d80ada43c8e62735db1a5561c25ad9c23a4f8681933197dcf0495e1b182061181650905

  • SSDEEP

    3072:WDGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:WDGiVNEn14IZVvisL43

Score
10/10
evasionexecutiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweaker.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\system32\reg.exe
      Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
      2⤵
        PID:1068
      • C:\Windows\system32\reg.exe
        Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
        2⤵
          PID:2368
        • C:\Windows\system32\reg.exe
          Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
          2⤵
            PID:2212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1300
          • C:\Windows\system32\reg.exe
            Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
            2⤵
            • UAC bypass
            PID:2628
          • C:\Windows\system32\reg.exe
            Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
            2⤵
              PID:2548
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2592
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic path Win32_UserAccount where name="Admin" get sid
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2468
              • C:\Windows\system32\findstr.exe
                findstr "S-"
                3⤵
                  PID:2652
              • C:\Windows\system32\chcp.com
                chcp 65001
                2⤵
                  PID:2604

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1300-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1300-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/1300-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1300-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/1300-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/1300-9-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/1300-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/1300-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

                Filesize

                9.6MB

                Download