98bf4fd955c7d7abe3dd5e84acffea2731734aaf451b1b988c7a36bebdfb9071

Analysis

max time kernel
7s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/10/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Brutality.cc.bat
Size

280B
MD5

72bf43029cd70ed9653c7863c4f65a0d
SHA1

0dd94fc5de41d8a5ddb717942d65b75ec796ee11
SHA256

98bf4fd955c7d7abe3dd5e84acffea2731734aaf451b1b988c7a36bebdfb9071
SHA512

bd7190af5c075fbe03355f8ea720644afa60d9774d753c6a5ef274a0bbc8f1203723737b986be1170d67cec62b21afa07b0ab9a3390aaac8a2eb8c24d517a19f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1176	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4888	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 4260	3148	cmd.exe	79
PID 3148 wrote to memory of 4260	3148	cmd.exe	79
PID 3148 wrote to memory of 1176	3148	cmd.exe	80
PID 3148 wrote to memory of 1176	3148	cmd.exe	80

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Brutality.cc.bat"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\system32\shutdown.exe
  shutdown -a -t 60 -c "Brutality Is restarting you computer pls wait"
  2⤵
  PID:4260
- C:\Windows\system32\taskkill.exe
  taskkill /f /pid explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads