004ebfb1f70203c4fe174544c033337b4eeefafada35821b29aa7a370fdca107

Analysis

max time kernel
1559s
max time network
1560s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TskOff.bat
Size

245B
MD5

ee4cc5478663990041234bb5155a8eee
SHA1

f94d0d35a7a47514525a823b1d3559cbfae78e2f
SHA256

004ebfb1f70203c4fe174544c033337b4eeefafada35821b29aa7a370fdca107
SHA512

bfb61dd677383c240bf19ad86732fcd42cd2ca131a0dfa02f167061893256f3f1a05cc8bd880604338a164b0930a8f0f83d6945ecd2b11b7837fb610489d88f8

Score

8^/10

evasion execution

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
2632	powershell.exe
3008	powershell.exe
1348	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2816	reg.exe
2748	reg.exe
2784	reg.exe
2088	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
2632	powershell.exe
2632	powershell.exe
2632	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	powershell.exe
Token: 33	2256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2256	AUDIODG.EXE
Token: 33	2256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2256	AUDIODG.EXE
Token: 33	1432	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1432	AUDIODG.EXE
Token: 33	1432	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1432	AUDIODG.EXE
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2260	2348	cmd.exe	29
PID 2348 wrote to memory of 2260	2348	cmd.exe	29
PID 2348 wrote to memory of 2260	2348	cmd.exe	29
PID 2260 wrote to memory of 2672	2260	powershell.exe	30
PID 2260 wrote to memory of 2672	2260	powershell.exe	30
PID 2260 wrote to memory of 2672	2260	powershell.exe	30
PID 2672 wrote to memory of 2748	2672	cmd.exe	32
PID 2672 wrote to memory of 2748	2672	cmd.exe	32
PID 2672 wrote to memory of 2748	2672	cmd.exe	32
PID 2668 wrote to memory of 2632	2668	cmd.exe	47
PID 2668 wrote to memory of 2632	2668	cmd.exe	47
PID 2668 wrote to memory of 2632	2668	cmd.exe	47
PID 2632 wrote to memory of 2796	2632	powershell.exe	48
PID 2632 wrote to memory of 2796	2632	powershell.exe	48
PID 2632 wrote to memory of 2796	2632	powershell.exe	48
PID 2796 wrote to memory of 2784	2796	cmd.exe	50
PID 2796 wrote to memory of 2784	2796	cmd.exe	50
PID 2796 wrote to memory of 2784	2796	cmd.exe	50
PID 2424 wrote to memory of 3008	2424	cmd.exe	53
PID 2424 wrote to memory of 3008	2424	cmd.exe	53
PID 2424 wrote to memory of 3008	2424	cmd.exe	53
PID 3008 wrote to memory of 2544	3008	powershell.exe	54
PID 3008 wrote to memory of 2544	3008	powershell.exe	54
PID 3008 wrote to memory of 2544	3008	powershell.exe	54
PID 2544 wrote to memory of 2088	2544	cmd.exe	56
PID 2544 wrote to memory of 2088	2544	cmd.exe	56
PID 2544 wrote to memory of 2088	2544	cmd.exe	56
PID 2116 wrote to memory of 1348	2116	cmd.exe	59
PID 2116 wrote to memory of 1348	2116	cmd.exe	59
PID 2116 wrote to memory of 1348	2116	cmd.exe	59
PID 1348 wrote to memory of 2628	1348	powershell.exe	60
PID 1348 wrote to memory of 2628	1348	powershell.exe	60
PID 1348 wrote to memory of 2628	1348	powershell.exe	60
PID 2628 wrote to memory of 2816	2628	cmd.exe	62
PID 2628 wrote to memory of 2816	2628	cmd.exe	62
PID 2628 wrote to memory of 2816	2628	cmd.exe	62

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TskOff.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\TskOff.bat' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TskOff.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2748

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
1⤵
PID:2196

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x198
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TskOff.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\TskOff.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TskOff.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2784

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TskOff.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\TskOff.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TskOff.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2088

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TskOff.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\TskOff.bat"' -ArgumentList 'am_admin'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TskOff.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FE1M18IP54E0DPIYYGL.temp

Filesize
7KB

MD5
7806585d3e0383c566ae8ab579b78650

SHA1
57c2c3662955b88461371f03096e05962b8ff871

SHA256
e238e9cb816367b58601725a9f318266a7bc9d47eea406f869592e986db2e298

SHA512
c12b20baa65933c54392536095b90f15f05c74597488060ab596532d4928f4d996b1624fa923269c4a307e78580786048289ae25bf1f2cac3913fcfb8a540eaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c7dba18f136346aa243cbf08231c1fc2

SHA1
9e61faaf19bdc749c4cc8f9c5c9599a9cee3ed53

SHA256
f2d5d7a4411c6be202079f8c93be7dcd7eaea8b2a162226b98af05df9bec75c4

SHA512
6b79430cfd94bdb27d1b8cae034adb85793fc69ac5f62324d20f1693a405ac403d3b58f9f0a720f47a605bc86b1376735064782f0e8953e58a2d689879f58fbc

Download Submit
memory/2260-9-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-8-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-10-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-12-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-11-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-4-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2260-7-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2260-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2632-19-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2632-18-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3008-25-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/3008-26-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download