4ac7811b1a99b6d5c4679a493c81ce32dda14ea9d14a5f0cbe677d046911502d

Analysis

max time kernel
128s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
06/07/2024, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.bat
Size

29B
MD5

03e59106a692a466cf7eb6f3c2d21e8d
SHA1

434f628afc145600bfb6c43ac5567f491be150ee
SHA256

4ac7811b1a99b6d5c4679a493c81ce32dda14ea9d14a5f0cbe677d046911502d
SHA512

806fb23106b3e54aaa3b683702bb495da6a30660a6b1d72c4ab4b97e5e001a78bc463456242d876b8f01cd2d88f0a2f103197367809ea7b9bda02d2c474a251f

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2820	SystemSettingsAdminFlows.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Logs\PBR\INF\setupapi.offline.20210605_121033.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\cbs_unattend.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\cbs_unattend.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\SessionID.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\PBR\CBS	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\cbs_intl.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\Contents0.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setupinfo	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ResetConfig.ini	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\SessionID.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Timestamp.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG1	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.setup.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\ReAgent\ReAgent.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\unattend.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.offline.20210605_121033.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\CBS\CBS.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\_s_3F8B.tmp	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\unattend.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.setup.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\DISM\dism.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setup.exe	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\cbs_intl.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\Contents1.dir	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setupinfo	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG2	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\Contents1.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_4132.tmp	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.offline.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setup.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_3DD5.tmp	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq	SystemSettingsAdminFlows.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeTcbPrivilege	1628	svchost.exe
Token: SeRestorePrivilege	1628	svchost.exe
Token: SeTcbPrivilege	1628	svchost.exe
Token: SeRestorePrivilege	1628	svchost.exe
Token: SeTcbPrivilege	1628	svchost.exe
Token: SeRestorePrivilege	1628	svchost.exe
Token: SeBackupPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	2820	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2820	SystemSettingsAdminFlows.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1144	SystemSettingsAdminFlows.exe
2820	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3236	1628	svchost.exe	97
PID 1628 wrote to memory of 3236	1628	svchost.exe	97
PID 1628 wrote to memory of 4100	1628	svchost.exe	98
PID 1628 wrote to memory of 4100	1628	svchost.exe	98
PID 1628 wrote to memory of 2476	1628	svchost.exe	103
PID 1628 wrote to memory of 2476	1628	svchost.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\start.bat"
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2860

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\dashost.exe
  dashost.exe {91f474b5-fd88-4bc9-bcfafdb575e2b35a}
  2⤵
  PID:3236
- C:\Windows\system32\dashost.exe
  dashost.exe {0ba51a64-299d-427c-96f0600f1c2629bd}
  2⤵
  PID:4100
- C:\Windows\system32\dashost.exe
  dashost.exe {9bac5d5e-362e-47ef-911e5884b9b343a0}
  2⤵
  PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:4264

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4704

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4780

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1212

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$SysReset\Logs\setuperr.log

Filesize
974B

MD5
78960a93c64368e0e33a25bcc114d161

SHA1
696a8b254917c7c6f655155820fb3077619a5a6b

SHA256
411e8cb85b37c51ba13aa574c45ba28c68374daab03ac97a4fa30f3febe5ec97

SHA512
a53cfe4940b314a936765077b6545592320ad67bf02bede2480c2baf55bf6e577e523d64e9e9fc53fd69333038d9628cefae7ed24bc958e8f3d0cfd461e1bae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BE92D0DB-AC41-4C23-A690-098624944220}\ssshim.dll

Filesize
148KB

MD5
3de653713e705e001c3f0be1efc51ed3

SHA1
63565592c266226d36604933e51725e90010da25

SHA256
c78ebef77e03135b3cea0705d4c259d782ed80746faea4e9f4a851e494fa94f9

SHA512
7db1063fa2a7c0bcf394d7a20984ab1b501cb24fae5e801addace77424ba773c948a87d8c3fb38f06366b1478f70ba0278c48f219d224ff6e904ff2ee161fb4e

Download Submit
C:\Windows\Logs\PBR\ResetConfig.ini

Filesize
167B

MD5
e8b67f9f170a171d59b1020f686f09ce

SHA1
19428a2ab0e7f64ceaf7cdc723916a9f6ebf26bd

SHA256
e88065016cfd248d4d0f5199becb3d9233a4d96bcb60fa5a7c2724c2cc71ac1d

SHA512
8616c3065e84f11acd8cbe57e3dc06fab843787ccccec062ec873ba7e97eeb6008cb61b2e35a71bbbdd61be800ad96af6a0dbbbcca42992ed2a5ee0681e156a8

Download Submit
C:\Windows\Logs\PBR\SessionID.xml

Filesize
106B

MD5
01b624d32168d15809771e299f3481f9

SHA1
911bedb5d058be3686cdd13021e3e78a10adaa8e

SHA256
f3e9a6c160c1f85db65bc76dbe24d9f99ef81ed47f69982b8edcd067afbe8227

SHA512
f929ee360222e40474981e459d41f3fd8c83824518706f23eb8ecf32a7717d66153fd102da4dd0fef345bb0b9f826722d3bee33ce28a34f17bcd12f54cec79d5

Download Submit
C:\Windows\Logs\PBR\Timestamp.xml

Filesize
42B

MD5
635f4defd4d7d0b8fe158b526ee0c1ef

SHA1
8f52770cb38692407661d0a756239900a0891766

SHA256
66f791ad91b17fa4e64a0d523e87306de82fb1c8423bcbdf9b4c0a1f41c1c2f6

SHA512
12152c930eb2b90d75bee49114206d348cbce17bd480b2656e091b80c9906b7239007e5367e360e235dfbf11fe696c4fb8a75c06a8247678f5abf475dc68448e

Download Submit
C:\Windows\Logs\PBR\setupact.log

Filesize
109KB

MD5
5df9101cf72a52f2303f35adde00889c

SHA1
d559b66be5c30ccd59a4f5d4acbb3e16a362b806

SHA256
197eaa111c9083486facd62c3ea0e85ecf7e2559dade9c7a84030050b4b970d2

SHA512
3d7e83ad2de1e98fbe692f2d0bf3c0cafe92bdfe8484084b59b77f873a91e8eda08536f64d6b39b9a705e20218fd58d71f65f32830062816ecc00a53b87fc2b4

Download Submit
memory/2820-23-0x0000020298AB0000-0x0000020298CD1000-memory.dmp

Filesize
2.1MB

Download
memory/2820-225-0x0000020298AB0000-0x0000020298CD1000-memory.dmp

Filesize
2.1MB

Download
memory/3236-0-0x0000018D85200000-0x0000018D854CD000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads