a40e6dbd957018800aae4c57a69d1ca764ccabe4d74a1ee4d97b4044491fb19e

Analysis

max time kernel
149s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDOS TROLL MENU.bat
Size

6KB
MD5

909c172d180fbd484347a58f22a9f3c6
SHA1

531bb25f9fe4840175e3cede5e8c043e908a1427
SHA256

a40e6dbd957018800aae4c57a69d1ca764ccabe4d74a1ee4d97b4044491fb19e
SHA512

d569c8df0b2853eef1605f25f41e1b35510e04bfc0f755061f69d1dbe82bc10e473f3eb6aff5e7db0e86dac54eef4e59f32a51a9fc19da69543b6e6e1c7f7e08
SSDEEP

24:v2a3zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzd:v2OCZ0jBIZ0jBIZ0jBIZ0jB8+

Score

1^/10

Malware Config

Signatures

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
872	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4716	NOTEPAD.EXE
4716	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1028	1548	cmd.exe	85
PID 1548 wrote to memory of 1028	1548	cmd.exe	85
PID 1548 wrote to memory of 2192	1548	cmd.exe	86
PID 1548 wrote to memory of 2192	1548	cmd.exe	86
PID 5036 wrote to memory of 4332	5036	cmd.exe	114
PID 5036 wrote to memory of 4332	5036	cmd.exe	114
PID 3980 wrote to memory of 4024	3980	cmd.exe	126
PID 3980 wrote to memory of 4024	3980	cmd.exe	126
PID 2904 wrote to memory of 760	2904	cmd.exe	135
PID 2904 wrote to memory of 760	2904	cmd.exe	135
PID 2904 wrote to memory of 3596	2904	cmd.exe	137
PID 2904 wrote to memory of 3596	2904	cmd.exe	137

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DDOS TROLL MENU.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:940

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\new .bat
1⤵
- Suspicious use of FindShellTrayWindow
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\new .bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\new .bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4024

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\new .bat
1⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\new .bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\new .bat

Filesize
38B

MD5
c6129b34212b2f4cce2e47cc1f0e1655

SHA1
dc71c77ca66664eed6d1338bbd64be9d10782d69

SHA256
b2798b9792a7ff10c167ca5652ae536bac7cf35ec4a16e0d47f66202c825822a

SHA512
abc7f082b63fbc4ae964af29a8c304e7dbdabd50f60a59fb3c26b49c1ed8eadff9d882acff7793d5df338ef967b8c69f71e4803c611e62686add3f64754931ba

Download Submit
C:\Users\Admin\Desktop\new .bat

Filesize
53B

MD5
b426a42ebc868eb60fbebe0a9fc46bf2

SHA1
7c7474b5dd70541b9f8eaae43665be9e79a943fa

SHA256
61ba302846d2a0cfdfbf170835fb1dbffb987f61c0254f82f6395b267d09f882

SHA512
757b82ec783636c1095ae731bd588b0dcdf285cd5a57b2aaf048cb4dbf32758c818d94e1cf156245d3cb452a54497700cecb5b06dfc8cadcd363a568ccff393c

Download Submit
C:\Users\Admin\Desktop\new .bat

Filesize
60B

MD5
7e009582c4946a2d04b0db1d9dbb900d

SHA1
6ba0dcb788caf9a65284b4311945df448f9774f3

SHA256
850dbc1706aa7a6023bb81d0e6772696e23b5415fa976693c07be05786d2e58e

SHA512
36e3e6b53634bf9f697c27185dfc0961038a9f656ab9108cf395f83fa654f44f599c69441b274a0b863f9d3ba783e53e5b7e993667230dd3c2f200cd1393d9b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads