Analysis
- max time kernel: 15s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 27/10/2024, 10:44
Tasks
- Static task static1
- Behavioral task behavioral1: sample WinS/WinRing0x64.sys, resource win7-20240708-en
- Behavioral task behavioral2: sample WinS/WinRing0x64.sys, resource win10v2004-20241007-en
- Behavioral task behavioral3: sample WinS/wd.bat, resource win7-20241010-en
- Behavioral task behavioral4: sample WinS/wd.bat, resource win10v2004-20241007-en
- Behavioral task behavioral5: sample WinS/wmpnetwk.exe, resource win7-20240903-en
- Behavioral task behavioral6: sample WinS/wmpnetwk.exe, resource win10v2004-20241007-en
- Behavioral task behavioral7: sample WinS/xcopy.exe, resource win7-20241010-en
General
- Target: WinS/wd.bat
- Size: 383B
- MD5: 479988fe0741ba53d6682562377fbee6
- SHA1: b56e82fe314d82adbb8f50c1669eda87e4a6a7e1
- SHA256: 490c8ef0d7aa7daa4255ff0792e4ba8d5edad5e2f8ab032da1ac77019a207146
- SHA512: 5fe6e34f13cb63dc9ceee13546d02b2d0c024668a30d35047fa44791481e8845c9fa4e05da64f7b5724ed8ac8b15f4e48c6f7c14b4e93dea6d1e690bc9cde0c2
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  2844  powershell.exe
  1488  powershell.exe
  2128  powershell.exe
  2824  powershell.exe
  3064  powershell.exe
  2920  powershell.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2824  powershell.exe
  3064  powershell.exe
  2920  powershell.exe
  2844  powershell.exe
  1488  powershell.exe
  2128  powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2824  powershell.exe
  Token: SeDebugPrivilege   3064  powershell.exe
  Token: SeDebugPrivilege   2920  powershell.exe
  Token: SeDebugPrivilege   2844  powershell.exe
  Token: SeDebugPrivilege   1488  powershell.exe
  Token: SeDebugPrivilege   2128  powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each row below is reported three times)
  description                        pid   Process  procid_target
  PID 2476 wrote to memory of 2824   2476  cmd.exe  31
  PID 2476 wrote to memory of 3064   2476  cmd.exe  32
  PID 2476 wrote to memory of 2920   2476  cmd.exe  33
  PID 2476 wrote to memory of 2844   2476  cmd.exe  34
  PID 2476 wrote to memory of 1488   2476  cmd.exe  35
  PID 2476 wrote to memory of 2128   2476  cmd.exe  36
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\WinS\wd.bat"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 2476
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionPath C:\Windows\WinS
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2824
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionPath C:\
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 3064
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionExtension ".exe"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2920
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionExtension ".zip"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2844
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionExtension ".bat"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 1488
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe Add-MpPreference -ExclusionExtension ".sys"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 630498e6fc5acf3dd937820ee729ca53
  SHA1: 7fac3e270fcd76055dba84f68d02132d94315d0f
  SHA256: 45e5abf914c234adb64984f4b584728e328fe20a45f71d436dfec72aaae5045c
  SHA512: a7e0e03f0c610a84da9b575051b467f1df2202363634accfc6811e71db4c2b80547c8d951f089d27772ed8c862343f7fc99ad7cffcced7abd317ec85f845870c