Overview
overview
9Static
static
3UB Downloa...ix.bat
windows7-x64
1UB Downloa...ix.bat
windows10-2004-x64
1UB Downloa...h2.exe
windows7-x64
5UB Downloa...h2.exe
windows10-2004-x64
5UB Downloa...ix.bat
windows7-x64
9UB Downloa...ix.bat
windows10-2004-x64
9UB Downloa...ix.bat
windows7-x64
1UB Downloa...ix.bat
windows10-2004-x64
1UB Downloa...b1.exe
windows7-x64
5UB Downloa...b1.exe
windows10-2004-x64
5UB Downloa...ix.bat
windows7-x64
9UB Downloa...ix.bat
windows10-2004-x64
9Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-07-2024 10:22
Static task
static1
Behavioral task
behavioral1
Sample
UB Downloads/UB Silent/bsod fix.bat
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
UB Downloads/UB Silent/bsod fix.bat
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
UB Downloads/UB Silent/u237cgatAh2.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
UB Downloads/UB Silent/u237cgatAh2.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
UB Downloads/UB Silent/w11 fix.bat
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
UB Downloads/UB Silent/w11 fix.bat
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
UB Downloads/Unlock All/bsod fix.bat
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
UB Downloads/Unlock All/bsod fix.bat
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
UB Downloads/Unlock All/nRi28Wtqb1.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
UB Downloads/Unlock All/nRi28Wtqb1.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral11
Sample
UB Downloads/Unlock All/w11 fix.bat
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
UB Downloads/Unlock All/w11 fix.bat
Resource
win10v2004-20240709-en
General
-
Target
UB Downloads/UB Silent/w11 fix.bat
-
Size
507B
-
MD5
6fb44052dc5a85a097feeb91d7a81712
-
SHA1
29db33e6cf3286a6ba82af684ac535d42b43d257
-
SHA256
7ec1b31de3b0114c266df0b475c5c582a504c7c38f7127949df27f78a5d1c026
-
SHA512
ee9dbcc0a7340ec6fe968ba611f0849fd1b77b88cb5deaad4c6a516a417abaf14055021e949ca04fde979364f060504c911fede81b0c492b651ea1b3f246494a
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2440 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2440 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
cmd.exenet.exedescription pid process target process PID 2296 wrote to memory of 2332 2296 cmd.exe net.exe PID 2296 wrote to memory of 2332 2296 cmd.exe net.exe PID 2296 wrote to memory of 2332 2296 cmd.exe net.exe PID 2332 wrote to memory of 1368 2332 net.exe net1.exe PID 2332 wrote to memory of 1368 2332 net.exe net1.exe PID 2332 wrote to memory of 1368 2332 net.exe net1.exe PID 2296 wrote to memory of 548 2296 cmd.exe bcdedit.exe PID 2296 wrote to memory of 548 2296 cmd.exe bcdedit.exe PID 2296 wrote to memory of 548 2296 cmd.exe bcdedit.exe PID 2296 wrote to memory of 2440 2296 cmd.exe powershell.exe PID 2296 wrote to memory of 2440 2296 cmd.exe powershell.exe PID 2296 wrote to memory of 2440 2296 cmd.exe powershell.exe PID 2296 wrote to memory of 2792 2296 cmd.exe reg.exe PID 2296 wrote to memory of 2792 2296 cmd.exe reg.exe PID 2296 wrote to memory of 2792 2296 cmd.exe reg.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\UB Downloads\UB Silent\w11 fix.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:1368
-
C:\Windows\system32\bcdedit.exebcdedit /set hypervisorlaunchtype off2⤵
- Modifies boot configuration data using bcdedit
PID:548 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -Command "Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440 -
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0000002⤵
- Modifies registry key
PID:2792