ad28a59e2234cee44a0eee96aff1c7a71054a40734d289fe0d436e79247ad6d3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tweaks/1.bat
Size

253B
MD5

ce17bbdf67566edb48a72c10dc53aa19
SHA1

5463f627871b844a098871aa5dbe43ef9f39d09e
SHA256

9ee833b3b341ab2fbbc1b215c2613a3cb947aa5174122f69c87068c54d3b6f8a
SHA512

6c76ccb6b1bf9c40c62c50ab04fe053f7358496eafa0345f14dc0a5f2e29cf58a3f87e301efe876ba9d2ac9f3ca5471d7af991d3f4c7097fd1f55dc9976360da

Score

10^/10

defense_evasion discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4180	bcdedit.exe
3968	bcdedit.exe
3676	bcdedit.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	reg.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
724	takeown.exe
2712	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
724	takeown.exe
2712	icacls.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2260	powercfg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\WallPaper	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2260	powercfg.exe
Token: SeCreatePagefilePrivilege	2260	powercfg.exe
Token: SeShutdownPrivilege	2260	powercfg.exe
Token: SeCreatePagefilePrivilege	2260	powercfg.exe
Token: SeTakeOwnershipPrivilege	724	takeown.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4180	3516	cmd.exe	85
PID 3516 wrote to memory of 4180	3516	cmd.exe	85
PID 3516 wrote to memory of 3968	3516	cmd.exe	86
PID 3516 wrote to memory of 3968	3516	cmd.exe	86
PID 3516 wrote to memory of 3676	3516	cmd.exe	87
PID 3516 wrote to memory of 3676	3516	cmd.exe	87
PID 3516 wrote to memory of 2260	3516	cmd.exe	88
PID 3516 wrote to memory of 2260	3516	cmd.exe	88
PID 3516 wrote to memory of 4064	3516	cmd.exe	89
PID 3516 wrote to memory of 4064	3516	cmd.exe	89
PID 3516 wrote to memory of 724	3516	cmd.exe	90
PID 3516 wrote to memory of 724	3516	cmd.exe	90
PID 3516 wrote to memory of 2712	3516	cmd.exe	91
PID 3516 wrote to memory of 2712	3516	cmd.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootuxdisabled yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4180
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3968
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3676
- C:\Windows\system32\powercfg.exe
  powercfg h off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\system32\reg.exe
  reg import 1.reg
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Modify Registry: Disable Windows Driver Blocklist
  - Sets desktop wallpaper using registry
  PID:4064
- C:\Windows\system32\takeown.exe
  takeown /F C:\Windows\System32\dbgeng.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2712