Analysis
-
max time kernel
150s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 20:51
General
-
Target
main.bat
-
Size
72KB
-
MD5
35e015a9bcce22c31ba0fb364830c788
-
SHA1
514cb5bbff59bb0c5aa92074cfa44ed061c3aafb
-
SHA256
f08cd592c887920888cb0a18e754231b756e6c285a50511c26f4826dd1581978
-
SHA512
ed48ecef95cd79b9f26de8523d1ae655310ad8b1684e9bbb24103943cb9fa919de826cf667d2f40d5b8cb9aeaef89aec8cdb86aeb957fe6037b4ee77b28a4668
-
SSDEEP
768:IposY9qsaIZz+QK7ruEDHs2guEDHsaOmh82mnUjQxOn1TS6QBQg+mispepU:ICsYOBm9mnUk01SBQg+miU
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Stops running service(s) 4 TTPs
-
Power Settings 1 TTPs 18 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set allowedinmemorysettings 0x02⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 12⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive SCHEME_CURRENT2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMAX 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMAX 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMAXCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor CPMAXCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor CPMINCORES 1002⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" /v "Attributes" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setdcvalueindex scheme_current sub_processor PERFBOOSTMODE 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\sc.exesc config "DiagTrack" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "SysMain" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "WSearch" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "Fax" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "TabletInputService" start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "DiagTrack"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "WSearch"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "Fax"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop "TabletInputService"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\fsutil.exefsutil behavior set DisableDeleteNotify 02⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMemoryUsage" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d 512 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"2⤵
-