997c25a854bcf345ee3514a2a062a0d49daaf031d9315b840570d13e0fdc8c2a

Analysis

max time kernel
361s
max time network
366s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HoneCtrl (1).bat
Size

177KB
MD5

b1ee77ea41f9ee41793d18b06763aa25
SHA1

d372110f0c5880dfb545d7ed301ffaf331330831
SHA256

997c25a854bcf345ee3514a2a062a0d49daaf031d9315b840570d13e0fdc8c2a
SHA512

0da2149af99a1060cc3b75b8a952537f482df9f09e7ff8f0e54bf0c3018de8c24824e729f736729f6229e42790ad1505ff000d08181baa9db0a5d46b484592eb
SSDEEP

3072:9EcaeSeExbWLfVXxM4aNe1cKZCNP8R7RD19v6Y/MV9l9LO9uXPGW6EWu2dwOfimU:9EteSeExbWNZCNP8R7RD19vz6zjg+zhz

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2296	reg.exe
2072	reg.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2320	2308	cmd.exe	32
PID 2308 wrote to memory of 2320	2308	cmd.exe	32
PID 2308 wrote to memory of 2320	2308	cmd.exe	32
PID 2308 wrote to memory of 2072	2308	cmd.exe	33
PID 2308 wrote to memory of 2072	2308	cmd.exe	33
PID 2308 wrote to memory of 2072	2308	cmd.exe	33
PID 2308 wrote to memory of 2360	2308	cmd.exe	34
PID 2308 wrote to memory of 2360	2308	cmd.exe	34
PID 2308 wrote to memory of 2360	2308	cmd.exe	34
PID 2308 wrote to memory of 1988	2308	cmd.exe	35
PID 2308 wrote to memory of 1988	2308	cmd.exe	35
PID 2308 wrote to memory of 1988	2308	cmd.exe	35
PID 2308 wrote to memory of 2296	2308	cmd.exe	36
PID 2308 wrote to memory of 2296	2308	cmd.exe	36
PID 2308 wrote to memory of 2296	2308	cmd.exe	36
PID 2308 wrote to memory of 2340	2308	cmd.exe	37
PID 2308 wrote to memory of 2340	2308	cmd.exe	37
PID 2308 wrote to memory of 2340	2308	cmd.exe	37
PID 2308 wrote to memory of 2080	2308	cmd.exe	38
PID 2308 wrote to memory of 2080	2308	cmd.exe	38
PID 2308 wrote to memory of 2080	2308	cmd.exe	38
PID 2308 wrote to memory of 2652	2308	cmd.exe	39
PID 2308 wrote to memory of 2652	2308	cmd.exe	39
PID 2308 wrote to memory of 2652	2308	cmd.exe	39
PID 2308 wrote to memory of 2964	2308	cmd.exe	40
PID 2308 wrote to memory of 2964	2308	cmd.exe	40
PID 2308 wrote to memory of 2964	2308	cmd.exe	40
PID 2308 wrote to memory of 1692	2308	cmd.exe	41
PID 2308 wrote to memory of 1692	2308	cmd.exe	41
PID 2308 wrote to memory of 1692	2308	cmd.exe	41
PID 2308 wrote to memory of 2664	2308	cmd.exe	42
PID 2308 wrote to memory of 2664	2308	cmd.exe	42
PID 2308 wrote to memory of 2664	2308	cmd.exe	42
PID 2308 wrote to memory of 1852	2308	cmd.exe	43
PID 2308 wrote to memory of 1852	2308	cmd.exe	43
PID 2308 wrote to memory of 1852	2308	cmd.exe	43
PID 2308 wrote to memory of 1284	2308	cmd.exe	44
PID 2308 wrote to memory of 1284	2308	cmd.exe	44
PID 2308 wrote to memory of 1284	2308	cmd.exe	44
PID 2308 wrote to memory of 2280	2308	cmd.exe	45
PID 2308 wrote to memory of 2280	2308	cmd.exe	45
PID 2308 wrote to memory of 2280	2308	cmd.exe	45
PID 2308 wrote to memory of 2700	2308	cmd.exe	46
PID 2308 wrote to memory of 2700	2308	cmd.exe	46
PID 2308 wrote to memory of 2700	2308	cmd.exe	46
PID 2308 wrote to memory of 2720	2308	cmd.exe	47
PID 2308 wrote to memory of 2720	2308	cmd.exe	47
PID 2308 wrote to memory of 2720	2308	cmd.exe	47

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HoneCtrl (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  reg add HKLM /F
  2⤵
  - Modifies registry key
  PID:2072
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:1988
- C:\Windows\system32\reg.exe
  reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2296
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\HoneCTRL" /v "Disclaimer"
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\HoneCTRL" /v "Disclaimer" /f
  2⤵
  PID:2080
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:2652
- C:\Windows\system32\mode.com
  Mode 65,16
  2⤵
  PID:2964
- C:\Windows\System32\choice.exe
  C:\Windows\System32\choice.exe /c:YN /n /m " >:"
  2⤵
  PID:1692
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c date /t
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  reg export HKCU C:\HoneCTRL\HoneCTRLRevert\07.15.2024\HKLM.reg /y
  2⤵
  PID:1284
- C:\Windows\system32\reg.exe
  reg export HKCU C:\HoneCTRL\HoneCTRLRevert\07.15.2024\HKCU.reg /y
  2⤵
  PID:2280
- C:\Windows\system32\mode.com
  Mode 130,45
  2⤵
  PID:2700
- C:\Windows\System32\choice.exe
  C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
  2⤵
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads