Analysis

- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/10/2024, 13:36
Static task: static1

Behavioral task: behavioral1
- Sample: FluxTweakingTool.bat
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: FluxTweakingTool.bat
- Resource: win10v2004-20241007-en
General

- Target: FluxTweakingTool.bat
- Size: 44KB
- MD5: bf13135aeb51a50a0400db422fd7daa9
- SHA1: 5ef6d801e7b97128fcce8dcafa8aeb81d64fc2db
- SHA256: 5f02f68d5187cc53317a1139dfa2a5824e5eee2e7517a3b58cff82062086bd8f
- SHA512: 6367b7ec2fbae156c6061b3c2fe2781b60011f59b06aec3f465da15b57d0f5c1ad68e332e2c9572446b348232ad252ef9096219f1037fe92a31411497fc467e5
- SSDEEP: 384:mut4C7QIEkKx3mmoYHYWLNmGr1tslFvnnWNyMnerjo+Cozvy4UD+jjGs2pt3JNur:mut4C7QIXmoYHYWLNmGNPxO
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (2 IoCs)
- pid 2692, powershell.exe
- pid 2784, powershell.exe

Hide Artifacts: Ignore Process Interrupts (1 TTPs, 2 IoCs)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
- pid 2112, powershell.exe
- pid 2784, powershell.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 2692, powershell.exe
- pid 2692, powershell.exe
- pid 2784, powershell.exe
- pid 2112, powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, pid 2692, powershell.exe
- Token: SeDebugPrivilege, pid 2784, powershell.exe
- Token: SeDebugPrivilege, pid 2112, powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2016 (cmd.exe) wrote to memory of 2692, procid_target 31, recorded 3 times
- PID 2016 (cmd.exe) wrote to memory of 2784, procid_target 32, recorded 3 times
- PID 2016 (cmd.exe) wrote to memory of 2112, procid_target 33, recorded 3 times
- PID 2016 (cmd.exe) wrote to memory of 2584, procid_target 34, recorded 3 times
- PID 2016 (cmd.exe) wrote to memory of 2616, procid_target 35, recorded 3 times
Processes

- C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\FluxTweakingTool.bat"
  PID: 2016
  signatures: Suspicious use of WriteProcessMemory
  children:
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: POWERSHELL "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
      PID: 2692
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: POWERSHELL "ForEach($v in (Get-Command -Name \"Set-ProcessMitigation\").Parameters[\"Disable\"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
      PID: 2784
      signatures: Command and Scripting Interpreter: PowerShell; Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: POWERSHELL Disable-MMAgent -MemoryCompression -ApplicationPreLaunch -ErrorAction SilentlyContinue
      PID: 2112
      signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 2584
    - C:\Windows\system32\mode.com
      command line: mode con cols=80 lines=25
      PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 54e1df083bf5ef2f93177cfd7252179f
  SHA1: 006f32065a6689fdde94dceec2c942cb3df9865c
  SHA256: 3b609eb4b20367d5abfed0630c4a16f032ffb626f29b91e2becd68930cf9a050
  SHA512: 3ece9b348a36db8b0475c18664143191fd4ba588783f825aa3746cfc6ebdfdc7f9577b1947e07b45dd475e7b38cb3f80914300fe1c45e4d0bfd047ff7bca8003