Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23/07/2024, 09:10

General

  • Target

    вин.bat

  • Size

    1KB

  • MD5

    c680bec28423eb77397704aab875640c

  • SHA1

    9ff1f6c4537e9d05a58220cb47793e71d4536959

  • SHA256

    3cc90a8d47b3ef8c3325e58c9f677c22d0a6a946c73012b5a02251fdaa297dd0

  • SHA512

    db5b8219f903a95d70276ed3de1eebd9ea1f438fb25600470f0c04436e13ad30ff64148ea871bbe95fad79ba803338d7a8337155c980fe6c36dbe710cd39ede4

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 43 IoCs
  • Modifies registry key 1 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\вин.bat"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\system32\msg.exe
      msg by File0
      2⤵
      PID:1064
    • C:\Windows\system32\taskkill.exe
      taskkill /im explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3260
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v
      2⤵
      • Modifies registry key
      PID:1768
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
      2⤵
      • Adds Run key to start application
      PID:1260
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:3888
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      • Disables RegEdit via registry modification
      • Modifies registry key
      PID:2908
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f
      2⤵
      • Modifies registry key
      PID:2900
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:4696
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:4204
    • C:\Windows\explorer.exe
      explorer
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1364
    • C:\Windows\system32\reg.exe
      reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f
      2⤵
      • Modifies registry key
      PID:4268
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
      2⤵
      • Modifies registry key
      PID:1680
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
      2⤵
      • Modifies registry key
      PID:1120
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f
      2⤵
      • Modifies registry key
      PID:2732
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f
      2⤵
      • Modifies registry key
      PID:4164
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f
      2⤵
      • Modifies registry key
      PID:1644
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:640
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1016

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\N8R3S1CM\www.bing[1].xml

      Filesize

      17KB

      MD5

      54a239cc9641723237805d8d8692db3d

      SHA1

      fc0723aeb3c18c8cd2b8e2cef0af66a44f2fac2d

      SHA256

      88555a58892c60ce9079b786df7406d011e49e3512a52ddc7aa03d2f93c04306

      SHA512

      6c5e03ca9a54b99dc4f7fdf9da26f2afa1dcbc2d7cd1c66ff5f49964961a8261d99326c129ff198309691920ab90bb44bf5c9213cc32189fb17171699f8b47b0

    • memory/1016-49-0x000002CC75F40000-0x000002CC76040000-memory.dmp

      Filesize

      1024KB

    • memory/1016-65-0x000002CC770A0000-0x000002CC770C0000-memory.dmp

      Filesize

      128KB

    • memory/1016-91-0x000002CC76840000-0x000002CC76860000-memory.dmp

      Filesize

      128KB

    • memory/1016-90-0x000002CC77350000-0x000002CC77450000-memory.dmp

      Filesize

      1024KB

    • memory/1016-97-0x000002CC77170000-0x000002CC77190000-memory.dmp

      Filesize

      128KB

    • memory/1016-119-0x000002CC78CF0000-0x000002CC78D10000-memory.dmp

      Filesize

      128KB

    • memory/1016-193-0x000002CC7BE80000-0x000002CC7BF80000-memory.dmp

      Filesize

      1024KB