26f07e440dfd3b8b410fdd75ec04595b79c57e8be2a13c14dd746840ff33983c

Analysis

max time kernel
324s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToX_Free_Utility_v1.8.bat
Size

96KB
MD5

77833823ecd3754d0099e019f7e885d0
SHA1

e65494c444f7c42032372a09e1179c6f6950ae24
SHA256

26f07e440dfd3b8b410fdd75ec04595b79c57e8be2a13c14dd746840ff33983c
SHA512

52f951f9f253af8499538d810f53242f32c24c7f6b27d8ef76abf2c8c8b1c8e7d31e0b3a7c52ad70fdd1f41a54fa023b21fde7bea24942fa6bf61afb4dd95547
SSDEEP

768:SXQO3gNjy0y7PHYW9CyptHDXxRSyeVlEeOh/853gzI1vavQw8gsQmVHQQCHQVbOy:GQTgvptHriyd017wIUS

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
4896	timeout.exe
3404	timeout.exe
1652	timeout.exe
2712	timeout.exe
3000	timeout.exe
4888	timeout.exe
376	timeout.exe
1984	timeout.exe
2860	timeout.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5024	reg.exe
1888	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4752	4188	cmd.exe	85
PID 4188 wrote to memory of 4752	4188	cmd.exe	85
PID 4188 wrote to memory of 2300	4188	cmd.exe	86
PID 4188 wrote to memory of 2300	4188	cmd.exe	86
PID 4188 wrote to memory of 5024	4188	cmd.exe	87
PID 4188 wrote to memory of 5024	4188	cmd.exe	87
PID 4188 wrote to memory of 4164	4188	cmd.exe	88
PID 4188 wrote to memory of 4164	4188	cmd.exe	88
PID 4188 wrote to memory of 3056	4188	cmd.exe	89
PID 4188 wrote to memory of 3056	4188	cmd.exe	89
PID 4188 wrote to memory of 1888	4188	cmd.exe	91
PID 4188 wrote to memory of 1888	4188	cmd.exe	91
PID 4188 wrote to memory of 3088	4188	cmd.exe	92
PID 4188 wrote to memory of 3088	4188	cmd.exe	92
PID 4188 wrote to memory of 4024	4188	cmd.exe	93
PID 4188 wrote to memory of 4024	4188	cmd.exe	93
PID 4188 wrote to memory of 1852	4188	cmd.exe	103
PID 4188 wrote to memory of 1852	4188	cmd.exe	103
PID 4188 wrote to memory of 4656	4188	cmd.exe	104
PID 4188 wrote to memory of 4656	4188	cmd.exe	104
PID 4188 wrote to memory of 1128	4188	cmd.exe	106
PID 4188 wrote to memory of 1128	4188	cmd.exe	106
PID 4188 wrote to memory of 3000	4188	cmd.exe	107
PID 4188 wrote to memory of 3000	4188	cmd.exe	107
PID 4188 wrote to memory of 1932	4188	cmd.exe	108
PID 4188 wrote to memory of 1932	4188	cmd.exe	108
PID 4188 wrote to memory of 1408	4188	cmd.exe	109
PID 4188 wrote to memory of 1408	4188	cmd.exe	109
PID 4188 wrote to memory of 2480	4188	cmd.exe	110
PID 4188 wrote to memory of 2480	4188	cmd.exe	110
PID 4188 wrote to memory of 1596	4188	cmd.exe	111
PID 4188 wrote to memory of 1596	4188	cmd.exe	111
PID 4188 wrote to memory of 3224	4188	cmd.exe	112
PID 4188 wrote to memory of 3224	4188	cmd.exe	112
PID 4188 wrote to memory of 3500	4188	cmd.exe	113
PID 4188 wrote to memory of 3500	4188	cmd.exe	113
PID 4188 wrote to memory of 1660	4188	cmd.exe	114
PID 4188 wrote to memory of 1660	4188	cmd.exe	114
PID 4188 wrote to memory of 4548	4188	cmd.exe	115
PID 4188 wrote to memory of 4548	4188	cmd.exe	115
PID 4188 wrote to memory of 5044	4188	cmd.exe	116
PID 4188 wrote to memory of 5044	4188	cmd.exe	116
PID 4188 wrote to memory of 3460	4188	cmd.exe	117
PID 4188 wrote to memory of 3460	4188	cmd.exe	117
PID 4188 wrote to memory of 4904	4188	cmd.exe	118
PID 4188 wrote to memory of 4904	4188	cmd.exe	118
PID 4188 wrote to memory of 988	4188	cmd.exe	119
PID 4188 wrote to memory of 988	4188	cmd.exe	119
PID 4188 wrote to memory of 2440	4188	cmd.exe	120
PID 4188 wrote to memory of 2440	4188	cmd.exe	120
PID 4188 wrote to memory of 3432	4188	cmd.exe	121
PID 4188 wrote to memory of 3432	4188	cmd.exe	121
PID 4188 wrote to memory of 4200	4188	cmd.exe	122
PID 4188 wrote to memory of 4200	4188	cmd.exe	122
PID 4188 wrote to memory of 4828	4188	cmd.exe	123
PID 4188 wrote to memory of 4828	4188	cmd.exe	123
PID 4188 wrote to memory of 1064	4188	cmd.exe	124
PID 4188 wrote to memory of 1064	4188	cmd.exe	124
PID 4188 wrote to memory of 1584	4188	cmd.exe	125
PID 4188 wrote to memory of 1584	4188	cmd.exe	125
PID 4188 wrote to memory of 1604	4188	cmd.exe	126
PID 4188 wrote to memory of 1604	4188	cmd.exe	126
PID 4188 wrote to memory of 2796	4188	cmd.exe	127
PID 4188 wrote to memory of 2796	4188	cmd.exe	127

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ToX_Free_Utility_v1.8.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4752
- C:\Windows\system32\mode.com
  MODE 75,23
  2⤵
  PID:2300
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM /F
  2⤵
  - Modifies registry key
  PID:5024
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do echo [95m"
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  Reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1888
- C:\Windows\system32\mode.com
  MODE 110,34
  2⤵
  PID:3088
- C:\Windows\system32\mode.com
  MODE 105,27
  2⤵
  PID:4024
- C:\Windows\system32\mode.com
  mode con: cols=138 lines=37
  2⤵
  PID:1852
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4656
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1128
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3000
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 00000005 /f
  2⤵
  PID:1932
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1596
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3224
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d "1" /f
  2⤵
  PID:1660
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
  2⤵
  PID:4548
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
  2⤵
  PID:3460
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
  2⤵
  PID:4904
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
  2⤵
  PID:988
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d "0" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "TelemetrySalt" /t REG_DWORD /d "0" /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d "1" /f
  2⤵
  PID:1584
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Discord" /t REG_BINARY /d "0300000066AF9C7C5A46D901" /f
  2⤵
  PID:1604
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Spotify" /t REG_BINARY /d "0300000070E93D7B5A46D901" /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Steam" /t REG_BINARY /d "03000000E7766B83316FD901" /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d "0" /f
  2⤵
  PID:4484
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d "0" /f
  2⤵
  PID:4568
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1984
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d "2" /f
  2⤵
  PID:3532
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:4024
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4888
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\FindMyDevice" /v "AllowFindMyDevice" /t REG_DWORD /d "0" /f
  2⤵
  PID:3304
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\FindMyDevice" /v "LocationSyncEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1820
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2860
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
  2⤵
  PID:3604
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
  2⤵
  PID:2096
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:3128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:1804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
  2⤵
  PID:1208
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:2416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:2172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableAutomaticRestartSignOn" /t REG_DWORD /d "1" /f
  2⤵
  PID:1160
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:116
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:1736
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /
  2⤵
  PID:2352
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "FastSendDatagramThreshold" /t REG_DWORD /d "409600" /f
  2⤵
  PID:3092
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4896
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4652
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3404
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:376
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:1584
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 00000000 /f
  2⤵
  PID:3592
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1652
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:2004
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 00000001 /f
  2⤵
  PID:4752
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads