Overview

overview

9

Static

static

3

UB Downloa...ix.bat

windows7-x64

1

UB Downloa...ix.bat

windows10-2004-x64

1

UB Downloa...h2.exe

windows7-x64

5

UB Downloa...h2.exe

windows10-2004-x64

5

UB Downloa...ix.bat

windows7-x64

9

UB Downloa...ix.bat

windows10-2004-x64

9

UB Downloa...ix.bat

windows7-x64

1

UB Downloa...ix.bat

windows10-2004-x64

1

UB Downloa...b1.exe

windows7-x64

5

UB Downloa...b1.exe

windows10-2004-x64

5

UB Downloa...ix.bat

windows7-x64

9

UB Downloa...ix.bat

windows10-2004-x64

9

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2024 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UB Downloads/Unlock All/w11 fix.bat

  • Size

    507B

  • MD5

    6fb44052dc5a85a097feeb91d7a81712

  • SHA1

    29db33e6cf3286a6ba82af684ac535d42b43d257

  • SHA256

    7ec1b31de3b0114c266df0b475c5c582a504c7c38f7127949df27f78a5d1c026

  • SHA512

    ee9dbcc0a7340ec6fe968ba611f0849fd1b77b88cb5deaad4c6a516a417abaf14055021e949ca04fde979364f060504c911fede81b0c492b651ea1b3f246494a

Score
9/10
evasionexecutionransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\UB Downloads\Unlock All\w11 fix.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:2504
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set hypervisorlaunchtype off
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -Command "Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\system32\reg.exe
        reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x000000
        2⤵
        • Modifies registry key
        PID:2104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2952-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2952-5-0x000000001B650000-0x000000001B932000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2952-6-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2952-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2952-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2952-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2952-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

      Filesize

      9.6MB

      Download