Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/08/2024, 21:21

General

  • Target

    Main.bat

  • Size

    2KB

  • MD5

    3c44fcfe65fd38a69db7160bc6008d27

  • SHA1

    29864e7d3f54ab9353fe5b8a524777f1b984691c

  • SHA256

    31ce6dc019f37d3b34c7d99f945ea34ca9ad9e2f3006c2ed05c5a8d36989dc49

  • SHA512

    9a3236b6365090057a869f4d24cfd0808fae3d0ce7cdd3e0b7989fe121c4de92436ec8ceca5ef7d9d9eb1fb37776f94e879e5cf0ec5bcf11c1d9573480e6b115

Malware Config

Signatures

  • Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

    Disable Windows Driver Blocklist via Registry.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Main.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
        PID:2960
    • C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v HypervisorEnforcedCodeIntegrity
      2⤵
      PID:5056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -Force; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -Name 'HypervisorEnforcedCodeIntegrity' -Value 0 -Type DWORD"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable
      2⤵
      PID:1564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Force; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name 'VulnerableDriverBlocklistEnable' -Value 0 -Type DWORD"
      2⤵
      • Modify Registry: Disable Windows Driver Blocklist
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
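The process tree above is the whole story of Main.bat: `net session` is the usual batch-file elevation check (it fails with "Access is denied" when the shell is not elevated), the two `reg query` calls read the current state, and the two PowerShell children explicitly write `0` to `HypervisorEnforcedCodeIntegrity` under `DeviceGuard` and to `VulnerableDriverBlocklistEnable` under `CI\Config`. No driver is loaded during the run, which is expected: both settings are only honoured at the next boot, so the sandbox cannot show the intended follow-on (loading a blocklisted driver). The audit below is an added example, not part of the report or the sample; it checks whether a host carries the explicit-zero values this sample writes and hunts for the matching Sysmon registry value-set events (Event ID 13). It assumes Sysmon is installed with registry value-set logging covering these keys and that it is run from an elevated PowerShell; the `Scenarios\...\Enabled` value is included as an assumption because current builds read HVCI configuration from that location rather than the legacy value the sample writes.

```powershell
# Added example, not from the sandbox report: audit the registry values Main.bat
# tampers with and find the Sysmon events that recorded the change.
# Assumptions: run elevated; Sysmon 'RegistryEvent (Value Set)' (Event ID 13) is logged
# for HKLM\SYSTEM\CurrentControlSet\Control\CI and ...\Control\DeviceGuard.

# Value locations written by the sample, plus the current HVCI location (assumption:
# newer builds read DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled).
$TamperTargets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config';   Name = 'VulnerableDriverBlocklistEnable' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'HypervisorEnforcedCodeIntegrity' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; Name = 'Enabled' }
)

function Get-DriverBlocklistTamperState {
    # An absent value means "OS default", which is not a tamper indicator on its own;
    # an explicit DWORD 0 is exactly what the sample writes and is flagged as DISABLED.
    foreach ($t in $TamperTargets) {
        $value = $null
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$($t.Name) }
        $state = if ($null -eq $value) { 'not set (OS default)' }
                 elseif ($value -eq 0) { 'DISABLED (explicit 0)' }
                 else                  { 'enabled' }
        [pscustomobject]@{
            Path     = $t.Path
            Name     = $t.Name
            Value    = $value
            State    = $state
            Tampered = ($value -eq 0)
        }
    }
}

function Get-DriverBlocklistRegistryEvents {
    param([int]$MaxEvents = 5000)
    # Regex over the Sysmon TargetObject; matches both the sample's legacy HVCI value
    # and the current Scenarios\...\Enabled value.
    $targetRegex = 'CI\\Config\\VulnerableDriverBlocklistEnable$' +
                   '|DeviceGuard\\HypervisorEnforcedCodeIntegrity$' +
                   '|HypervisorEnforcedCodeIntegrity\\Enabled$'
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetObject -notmatch $targetRegex) { continue }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Image        = $data.Image          # e.g. powershell.exe, as in this sample
            ProcessId    = $data.ProcessId
            TargetObject = $data.TargetObject
            Details      = $data.Details        # Sysmon renders DWORD 0 as 'DWORD (0x00000000)'
            SetToZero    = ($data.Details -match '0x00000000')
        }
    }
}

$state = Get-DriverBlocklistTamperState
$state | Format-Table Name, Value, State -AutoSize
if ($state | Where-Object Tampered) {
    Write-Warning 'Explicit 0 found: HVCI and/or the vulnerable driver blocklist will be off after the next reboot.'
}
Get-DriverBlocklistRegistryEvents | Sort-Object TimeCreated | Format-Table TimeCreated, Image, ProcessId, TargetObject, Details -AutoSize
```

Pair the registry hunt with PowerShell script block logging (Event ID 4104): the `Set-ItemProperty ... -Name 'VulnerableDriverBlocklistEnable' -Value 0` text in the two command lines above is logged verbatim and makes a cheap content-based detection. Remediation is a policy decision rather than a one-liner: set `VulnerableDriverBlocklistEnable` back to `1`, re-enable HVCI through the normal policy path, and reboot, since neither change is applied until then.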

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize
    3KB

    MD5
    223bd4ae02766ddc32e6145fd1a29301

    SHA1
    900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

    SHA256
    1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

    SHA512
    648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize
    1KB

    MD5
    5161e9d6b9b677b7af6e5bb11a361b91

    SHA1
    9fe0a04c2bb86467b9aa584c78db4fc7eccfdd42

    SHA256
    addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0

    SHA512
    95b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjbrfgmn.oqd.ps1

    Filesize
    60B

    MD5
    d17fe0a3f47be24a6453e9ef58c94641

    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2356-17-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB

  • memory/2356-24-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB

  • memory/2356-29-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB

  • memory/2356-31-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB

  • memory/4988-0-0x00007FFC8CD43000-0x00007FFC8CD45000-memory.dmp

    Filesize
    8KB

  • memory/4988-1-0x000001CDE24A0000-0x000001CDE24C2000-memory.dmp

    Filesize
    136KB

  • memory/4988-11-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB

  • memory/4988-12-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB

  • memory/4988-15-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

    Filesize
    10.8MB