cbb8e43f93b7010614eed4a06ef1a1769e5b2344fcc5038ad82f9c454bffe3d7

Analysis

max time kernel
54s
max time network
39s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19/08/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BaconInjector.bat
Size

416B
MD5

a8b7e74728e356778143b7db0af7881a
SHA1

eaf7bcb470777e2d24754a1b12fdeb778f2db941
SHA256

cbb8e43f93b7010614eed4a06ef1a1769e5b2344fcc5038ad82f9c454bffe3d7
SHA512

adef6b61136d08b3a7c93fcad5230ac38e5bf845988bed8811cb09e10065ca49790c997f5e078e6b532f9744cd81b07764ddc331ac060eac5b78948c65a5d20b

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShutdownAtStartup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shutdown.bat"	reg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1268	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 3168	2656	cmd.exe	81
PID 2656 wrote to memory of 3168	2656	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BaconInjector.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ShutdownAtStartup" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\shutdown.bat" /f
  2⤵
  - Adds Run key to start application
  PID:3168

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
cd6829f53a60318a54648f4ff9d694c2

SHA1
eda672c23f219a9cdbe740079412f5fbe04a157d

SHA256
5410184dfd5ef071de14c78cc7e9488049a85e313a3454250d53e974251ac906

SHA512
25a54ac013419868211b704a9b1f4cbc7c0a5b1a0e10cec09cd8eee3fbde7497e36c8e35f0506622eb9a47939c2c6b9590bf9bbf8d43508be13d7f85f7838ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\shutdown.bat

Filesize
34B

MD5
4cb624bdb6ff88ad229dce1a6ca53747

SHA1
c9e391f1dab7f9963264651cb6151258429ccbfa

SHA256
86ec434760ab82c20826ad82b0366d5aca6e0b3fd03495b00b8052739b391b32

SHA512
ddd59adeb8c65322b15272ad587ad726eecf806b2c2a019f72b8bdd9777c48090b4ab7cb9e7cd803d8b9727d6d35136129187adea30d1099a13321a8ec9a4671

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads