Overview
overview
10Static
static
10UnBan Guid...er.url
windows7-x64
1UnBan Guid...er.url
windows10-2004-x64
1UnBan Guid...or.lnk
windows7-x64
3UnBan Guid...or.lnk
windows10-2004-x64
7UnBan Guid...or.url
windows7-x64
1UnBan Guid...or.url
windows10-2004-x64
1UnBan Guid...Ds.cmd
windows7-x64
1UnBan Guid...Ds.cmd
windows10-2004-x64
1UnBan Guid...Ds.cmd
windows7-x64
1UnBan Guid...Ds.cmd
windows10-2004-x64
1UnBan Guid...RU.exe
windows7-x64
1UnBan Guid...RU.exe
windows10-2004-x64
1UnBan Guid...ll.exe
windows7-x64
1UnBan Guid...ll.exe
windows10-2004-x64
1UnBan Guid...rt.exe
windows7-x64
4UnBan Guid...rt.exe
windows10-2004-x64
5UnBan Guid...64.exe
windows7-x64
4UnBan Guid...64.exe
windows10-2004-x64
5UnBan Guid...E).bat
windows7-x64
10UnBan Guid...E).bat
windows10-2004-x64
8UnBan Guid...er.bat
windows7-x64
1UnBan Guid...er.bat
windows10-2004-x64
1UnBan Guid...64.exe
windows7-x64
1UnBan Guid...64.exe
windows10-2004-x64
1UnBan Guid...64.sys
windows7-x64
1UnBan Guid...64.sys
windows10-2004-x64
1UnBan Guid...er.bat
windows7-x64
5UnBan Guid...er.bat
windows10-2004-x64
UnBan Guid...ew.exe
windows7-x64
6UnBan Guid...ew.exe
windows10-2004-x64
6UnBan Guid...md.exe
windows7-x64
1UnBan Guid...md.exe
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
24-06-2024 16:16
Static task
static1
Behavioral task
behavioral1
Sample
UnBan Guide/step 1/Download Revo Uninstaller.url
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
UnBan Guide/step 1/Download Revo Uninstaller.url
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
UnBan Guide/step 2/Registry Editor.lnk
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
UnBan Guide/step 2/Registry Editor.lnk
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
UnBan Guide/step 2/guid generator.url
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral6
Sample
UnBan Guide/step 2/guid generator.url
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
UnBan Guide/step 3/Change Disk IDs.cmd
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral8
Sample
UnBan Guide/step 3/Change Disk IDs.cmd
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
UnBan Guide/step 4/Change HWIDs.cmd
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral10
Sample
UnBan Guide/step 4/Change HWIDs.cmd
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
UnBan Guide/step 5/CRU.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
UnBan Guide/step 5/CRU.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
UnBan Guide/step 5/ignore/reset-all.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral14
Sample
UnBan Guide/step 5/ignore/reset-all.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
UnBan Guide/step 5/ignore/restart.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral16
Sample
UnBan Guide/step 5/ignore/restart.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
UnBan Guide/step 5/ignore/restart64.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
UnBan Guide/step 5/ignore/restart64.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
UnBan Guide/step 6/1. Spoofer (RUN ME).bat
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral20
Sample
UnBan Guide/step 6/1. Spoofer (RUN ME).bat
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
UnBan Guide/step 6/2. SerialsChecker.bat
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral22
Sample
UnBan Guide/step 6/2. SerialsChecker.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
UnBan Guide/step 6/AMIDEWINx64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
UnBan Guide/step 6/AMIDEWINx64.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
UnBan Guide/step 6/AMIFLDRV64.sys
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
UnBan Guide/step 6/AMIFLDRV64.sys
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
UnBan Guide/step 6/Cleaner.bat
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral28
Sample
UnBan Guide/step 6/Cleaner.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
UnBan Guide/step 6/DevManView.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
UnBan Guide/step 6/DevManView.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
UnBan Guide/step 6/DeviceCleanupCmd.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
UnBan Guide/step 6/DeviceCleanupCmd.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
UnBan Guide/step 5/ignore/restart.exe
-
Size
63KB
-
MD5
8242ce426ad462eff02edae1487a6949
-
SHA1
9a4f382d427e0de729053535aaa3310cac5f087b
-
SHA256
b68ee265308dc9da7dbb521bb71238d27ac50a5ee816f21c13818393be982d7a
-
SHA512
aff43a78d29ede49eac386d9b0b44d0f37d5a20bdda8553369d68dec90bbc727c6dd8fe239987a9d2e3affaeff8b72b5023ed973d7aecfbb99de46dca8c99ef1
-
SSDEEP
768:xa+/MMnf2XivrjhmxEQSQIjDaGva2XaT+CSxKUAch9Itvo7vq2XFelWn2iED5Vx0:xa0wstmSpDaGS2RCSxK28otXFQwUx
Malware Config
Signatures
-
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\setupact.log restart64.exe File opened for modification C:\Windows\setuperr.log restart64.exe File opened for modification C:\Windows\INF\setupapi.app.log restart64.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLoadDriverPrivilege 1896 restart64.exe Token: SeLoadDriverPrivilege 1896 restart64.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2392 wrote to memory of 1896 2392 restart.exe 28 PID 2392 wrote to memory of 1896 2392 restart.exe 28 PID 2392 wrote to memory of 1896 2392 restart.exe 28 PID 2392 wrote to memory of 1896 2392 restart.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 5\ignore\restart.exe"C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 5\ignore\restart.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 5\ignore\restart64.exerestart64.exe2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1896
-