Analysis

  • max time kernel
    146s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 22:23

General

  • Target

    Pack de Optimizacion by bask1ngg/13. mantencion de disco/ssd.cmd

  • Size

    1KB

  • MD5

    4066662cd910be7283ccc4963b762ac1

  • SHA1

    524ad1353b5d023c952b1207f0f2491e110124fc

  • SHA256

    b84710ed8dc571ceb955b83ca1a7475d7d77ef59ff2d8a073ed90199fc1fda08

  • SHA512

    dc7cb243600f30fa2a4a54701403a3ba5ce18f468fcc6f0ad9551690279bb1d1ac224346a91a82062f8a827a9a0bb2593fde0c2f493a9f36c2ad670ba91378b3

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Power Settings 1 TTPs 2 IoCs

    powercfg controls all configurable power-scheme settings on a Windows system. Malware abuses it to keep an infected host from sleeping, locking or shutting down so that it stays reachable. Here it duplicates the High performance scheme (SCHEME_MIN) and turns hibernation off (-h off).

  • Launches sc.exe 1 IoCs

    sc.exe is the built-in Windows utility for querying and configuring services. Here it sets the SysMain (Superfetch) service to start= disabled.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to register tasks that run at boot, at logon or at set times, a common persistence mechanism.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Pack de Optimizacion by bask1ngg\13. mantencion de disco\ssd.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5800
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:2452
    • C:\Windows\system32\Defrag.exe
      defrag C: /O /H
      2⤵
      PID:2300
    • C:\Windows\system32\powercfg.exe
      powercfg -duplicatescheme SCHEME_MIN
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:5420
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 0 /f
      2⤵
      PID:1240
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0 /f
      2⤵
      PID:2836
    • C:\Windows\system32\sc.exe
      sc config SysMain start= disabled
      2⤵
      • Launches sc.exe
      PID:5620
    • C:\Windows\system32\net.exe
      net stop SysMain
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5336
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SysMain
        3⤵
        PID:4544
    • C:\Windows\system32\fsutil.exe
      fsutil behavior set disabledeletenotify 0
      2⤵
      PID:3748
    • C:\Windows\system32\powercfg.exe
      powercfg -h off
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
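
The signatures listed above are behavioural rules matched against the process tree. As an added example (not part of this report and not the sandbox's own rule set), the Python below re-derives them from process-creation records constructed from this page's tree, and adds two checks a practitioner wants before treating the script as malicious: which service was actually stopped or disabled (here only SysMain, the Superfetch service) and which script every hit traces back to through the parent chain. The rule names, the ProcEvent record, the helpers and the PID 1 stand-in for the unseen sandbox launcher are all this example's own assumptions.

```python
"""Re-derive this report's behavioural signatures from process-creation events.

Added example, not part of the sandbox report. Records are constructed from the
page's process tree; rule names and helpers are this example's own. PID 1 stands
in for the sandbox launcher, which the report does not show.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SYS = r"C:\Windows\system32"
PREFETCH_KEY = (r'"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
                r'\Memory Management\PrefetchParameters"')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path, as in a Sysmon event ID 1 record
    cmdline: str   # raw command line


SAMPLE_EVENTS = [
    ProcEvent(5800, 1, SYS + r"\cmd.exe", SYS + r'\cmd.exe /c "C:\Users\Admin\AppData\Local'
              r'\Temp\Pack de Optimizacion by bask1ngg\13. mantencion de disco\ssd.cmd"'),
    ProcEvent(2452, 5800, SYS + r"\chcp.com", "chcp 65001"),
    ProcEvent(2300, 5800, SYS + r"\Defrag.exe", "defrag C: /O /H"),
    ProcEvent(5420, 5800, SYS + r"\powercfg.exe", "powercfg -duplicatescheme SCHEME_MIN"),
    ProcEvent(1240, 5800, SYS + r"\reg.exe",
              "reg add " + PREFETCH_KEY + " /v EnablePrefetcher /t REG_DWORD /d 0 /f"),
    ProcEvent(2836, 5800, SYS + r"\reg.exe",
              "reg add " + PREFETCH_KEY + " /v EnableSuperfetch /t REG_DWORD /d 0 /f"),
    ProcEvent(5620, 5800, SYS + r"\sc.exe", "sc config SysMain start= disabled"),
    ProcEvent(5336, 5800, SYS + r"\net.exe", "net stop SysMain"),
    ProcEvent(4544, 5336, SYS + r"\net1.exe", SYS + r"\net1 stop SysMain"),
    ProcEvent(3748, 5800, SYS + r"\fsutil.exe", "fsutil behavior set disabledeletenotify 0"),
    ProcEvent(4316, 5800, SYS + r"\powercfg.exe", "powercfg -h off"),
]

# Command-line rules, one compiled regex per signature name (this example's own set).
CMDLINE_RULES = {
    "Disables service(s)": re.compile(
        r"\bsc(?:\.exe)?\s+config\b.*\bstart=\s*disabled\b|\bnet1?(?:\.exe)?\s+stop\b", re.I),
    "Power Settings": re.compile(r"\bpowercfg(?:\.exe)?\b", re.I),
    "Disables hibernation": re.compile(r"\bpowercfg(?:\.exe)?\s+[-/]h\s+off\b", re.I),
    "Disables Prefetch/Superfetch": re.compile(
        r"PrefetchParameters.*?/v\s+Enable(?:Prefetcher|Superfetch)\b.*?/d\s+0\b", re.I),
    # DisableDeleteNotify 0 enables TRIM notifications, 1 disables them.
    "Changes TRIM (DisableDeleteNotify)": re.compile(
        r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+disabledeletenotify\s+[01]\b", re.I),
}
# Image-name rules: the signature fires on the binary regardless of arguments.
IMAGE_RULES = {"Launches sc.exe": "sc.exe", "Runs net.exe": "net.exe"}
SERVICE_RX = re.compile(r"\b(?:sc(?:\.exe)?\s+config|net1?(?:\.exe)?\s+stop)\s+(\S+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def root_script(ev, by_pid):
    """Walk up the parent chain; return the script the outermost 'cmd.exe /c' ran."""
    script, pid, seen = None, ev.pid, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        cur = by_pid[pid]
        m = re.search(r'/c\s+"?(.+?\.(?:cmd|bat))"?(?:\s|$)', cur.cmdline, re.I)
        if m:
            script = m.group(1)   # keep overwriting so the outermost wins
        pid = cur.ppid
    return script


def scan(events):
    """Return ({signature: sorted PIDs}, {PID: originating script}) for the events."""
    by_pid = {e.pid: e for e in events}
    hits, attribution = defaultdict(set), {}
    for ev in events:
        names = [n for n, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)]
        names += [n for n, img in IMAGE_RULES.items() if basename(ev.image) == img]
        for n in names:
            hits[n].add(ev.pid)
            attribution[ev.pid] = root_script(ev, by_pid)
    return {n: sorted(p) for n, p in hits.items()}, attribution


def service_targets(events):
    """Names of the services stopped or disabled (SysMain is Superfetch's service)."""
    return {m.group(1) for e in events for m in [SERVICE_RX.search(e.cmdline)] if m}


if __name__ == "__main__":
    sigs, attrib = scan(SAMPLE_EVENTS)
    for name, pids in sorted(sigs.items()):
        print(f"{name}: {len(pids)} IoC(s), PIDs {pids}")
    print("services touched:", service_targets(SAMPLE_EVENTS))
    print("originating script:", attrib[5620])
```

Run on the constructed records, the "Power Settings" and "Launches sc.exe" counts come out as 2 and 1, matching the report's IoC counts, and every hit attributes back to ssd.cmd. The caveat the extra checks make visible: the only service touched is SysMain, and the rest of the hits (prefetch and superfetch registry values zeroed, hibernation off, TRIM left enabled, defrag /O) are the standard set of SSD-tuning changes, so these signatures firing is expected for a script of this name and does not by itself indicate malicious intent.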

Network

MITRE ATT&CK Enterprise v15
