022e498fe973889e1c2ad0964f0a097a87feb14ceb314a5c19c7ff5d9c7ebb36

Analysis

max time kernel
96s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tweaks/1.bat
Size

253B
MD5

ce17bbdf67566edb48a72c10dc53aa19
SHA1

5463f627871b844a098871aa5dbe43ef9f39d09e
SHA256

9ee833b3b341ab2fbbc1b215c2613a3cb947aa5174122f69c87068c54d3b6f8a
SHA512

6c76ccb6b1bf9c40c62c50ab04fe053f7358496eafa0345f14dc0a5f2e29cf58a3f87e301efe876ba9d2ac9f3ca5471d7af991d3f4c7097fd1f55dc9976360da

Score

10^/10

defense_evasion discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4304	bcdedit.exe
2584	bcdedit.exe
4624	bcdedit.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	reg.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2708	takeown.exe
3112	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2708	takeown.exe
3112	icacls.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4512	powercfg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallPaper	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeTakeOwnershipPrivilege	2708	takeown.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4304	4992	cmd.exe	83
PID 4992 wrote to memory of 4304	4992	cmd.exe	83
PID 4992 wrote to memory of 2584	4992	cmd.exe	84
PID 4992 wrote to memory of 2584	4992	cmd.exe	84
PID 4992 wrote to memory of 4624	4992	cmd.exe	85
PID 4992 wrote to memory of 4624	4992	cmd.exe	85
PID 4992 wrote to memory of 4512	4992	cmd.exe	86
PID 4992 wrote to memory of 4512	4992	cmd.exe	86
PID 4992 wrote to memory of 4564	4992	cmd.exe	87
PID 4992 wrote to memory of 4564	4992	cmd.exe	87
PID 4992 wrote to memory of 2708	4992	cmd.exe	88
PID 4992 wrote to memory of 2708	4992	cmd.exe	88
PID 4992 wrote to memory of 3112	4992	cmd.exe	89
PID 4992 wrote to memory of 3112	4992	cmd.exe	89

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootuxdisabled yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4304
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2584
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4624
- C:\Windows\system32\powercfg.exe
  powercfg h off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\system32\reg.exe
  reg import 1.reg
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Modify Registry: Disable Windows Driver Blocklist
  - Sets desktop wallpaper using registry
  PID:4564
- C:\Windows\system32\takeown.exe
  takeown /F C:\Windows\System32\dbgeng.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3112