Analysis
max time kernel: 140s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 13:36

Static task: static1
Behavioral task: behavioral1
  Sample: FluxTweakingTool.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: FluxTweakingTool.bat
  Resource: win10v2004-20241007-en
General
Target: FluxTweakingTool.bat
Size: 44KB
MD5: bf13135aeb51a50a0400db422fd7daa9
SHA1: 5ef6d801e7b97128fcce8dcafa8aeb81d64fc2db
SHA256: 5f02f68d5187cc53317a1139dfa2a5824e5eee2e7517a3b58cff82062086bd8f
SHA512: 6367b7ec2fbae156c6061b3c2fe2781b60011f59b06aec3f465da15b57d0f5c1ad68e332e2c9572446b348232ad252ef9096219f1037fe92a31411497fc467e5
SSDEEP: 384:mut4C7QIEkKx3mmoYHYWLNmGr1tslFvnnWNyMnerjo+Cozvy4UD+jjGs2pt3JNur:mut4C7QIXmoYHYWLNmGNPxO
Signatures
Command and Scripting Interpreter: PowerShell 2 IoCs
pid   Process
1404  powershell.exe
2532  powershell.exe
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups. Here both flagged powershell.exe invocations pass -ErrorAction SilentlyContinue, which suppresses the non-terminating errors that a failed Set-ProcessMitigation or Disable-MMAgent call would otherwise raise, so the batch file keeps running whether or not each change took effect.
pid   Process
2532  powershell.exe
3460  powershell.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
1404  powershell.exe
1404  powershell.exe
1404  powershell.exe
2532  powershell.exe
2532  powershell.exe
3460  powershell.exe
3460  powershell.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description                              pid   Process
Token: SeDebugPrivilege                  1404  powershell.exe
Token: SeDebugPrivilege                  2532  powershell.exe
Token: SeDebugPrivilege                  3460  powershell.exe
Token: SeIncreaseQuotaPrivilege          3460  powershell.exe
Token: SeSecurityPrivilege               3460  powershell.exe
Token: SeTakeOwnershipPrivilege          3460  powershell.exe
Token: SeLoadDriverPrivilege             3460  powershell.exe
Token: SeSystemProfilePrivilege          3460  powershell.exe
Token: SeSystemtimePrivilege             3460  powershell.exe
Token: SeProfSingleProcessPrivilege      3460  powershell.exe
Token: SeIncBasePriorityPrivilege        3460  powershell.exe
Token: SeCreatePagefilePrivilege         3460  powershell.exe
Token: SeBackupPrivilege                 3460  powershell.exe
Token: SeRestorePrivilege                3460  powershell.exe
Token: SeShutdownPrivilege               3460  powershell.exe
Token: SeDebugPrivilege                  3460  powershell.exe
Token: SeSystemEnvironmentPrivilege      3460  powershell.exe
Token: SeRemoteShutdownPrivilege         3460  powershell.exe
Token: SeUndockPrivilege                 3460  powershell.exe
Token: SeManageVolumePrivilege           3460  powershell.exe
Token: 33                                3460  powershell.exe
Token: 34                                3460  powershell.exe
Token: 35                                3460  powershell.exe
Token: 36                                3460  powershell.exe
Suspicious use of WriteProcessMemory 10 IoCs
description                        pid  Process  procid_target
PID 212 wrote to memory of 1404    212  cmd.exe  85
PID 212 wrote to memory of 1404    212  cmd.exe  85
PID 212 wrote to memory of 2532    212  cmd.exe  86
PID 212 wrote to memory of 2532    212  cmd.exe  86
PID 212 wrote to memory of 3460    212  cmd.exe  90
PID 212 wrote to memory of 3460    212  cmd.exe  90
PID 212 wrote to memory of 2172    212  cmd.exe  94
PID 212 wrote to memory of 2172    212  cmd.exe  94
PID 212 wrote to memory of 2848    212  cmd.exe  95
PID 212 wrote to memory of 2848    212  cmd.exe  95
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FluxTweakingTool.bat"
  PID: 212
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: POWERSHELL "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
      PID: 1404
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: POWERSHELL "ForEach($v in (Get-Command -Name \"Set-ProcessMitigation\").Parameters[\"Disable\"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
      PID: 2532
      - Command and Scripting Interpreter: PowerShell
      - Hide Artifacts: Ignore Process Interrupts
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: POWERSHELL Disable-MMAgent -MemoryCompression -ApplicationPreLaunch -ErrorAction SilentlyContinue
      PID: 3460
      - Hide Artifacts: Ignore Process Interrupts
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 2172

    C:\Windows\system32\mode.com
      Command line: mode con cols=80 lines=25
      PID: 2848
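The three powershell.exe children above are the substance of this sample: the first sets the machine-wide execution policy to Unrestricted, the second enumerates every value that Set-ProcessMitigation -Disable accepts and turns each of those mitigations off system-wide (DEP, ASLR, CFG, SEHOP and the rest), and the third switches off memory compression and application pre-launch. The script below is an added example of how a defender would audit a host for exactly those changes and hunt the PowerShell Operational log for the same command lines; it is my code, not part of the Triage report or of FluxTweakingTool.bat. It assumes an elevated PowerShell session on Windows 10 1709 or later (so the ProcessMitigations module and the MMAgent cmdlets exist) and, for the hunt, that script block logging (event 4104) is enabled. The function names and the regex list are my own.

```powershell
# Added example, not part of the Triage report or of FluxTweakingTool.bat.
# Audits a Windows 10 host for the three changes the sample makes through
# powershell.exe (PIDs 1404, 2532 and 3460 in the process tree) and hunts the
# PowerShell Operational log for the same command lines.
# Assumptions: run elevated on Windows 10 1709+ (ProcessMitigations module and
# MMAgent cmdlets present); script block logging (event 4104) is enabled for
# the hunt. All function names and the $patterns list are my own.

function Get-ExecutionPolicyState {
    # The sample runs Set-ExecutionPolicy -ExecutionPolicy Unrestricted without
    # -Scope, so the change lands in LocalMachine (HKLM) and survives reboots.
    Get-ExecutionPolicy -List | Where-Object { $_.ExecutionPolicy -ne 'Undefined' }
}

function Get-SampleDisableList {
    # Same enumeration trick the sample uses: every value accepted by
    # Set-ProcessMitigation -Disable on this build, i.e. the full set of
    # system-wide mitigations the sample would turn off on this host.
    (Get-Command -Name Set-ProcessMitigation).Parameters['Disable'].Attributes.ValidValues
}

function Get-DisabledSystemMitigations {
    # Walks the object returned by Get-ProcessMitigation -System and reports
    # every setting whose state is OFF. A few settings (for example
    # Aslr.ForceRelocateImages) are OFF by default, so compare this output with
    # the same command run on a known-good host rather than treating every OFF
    # as tampering.
    $system = Get-ProcessMitigation -System
    foreach ($group in $system.PSObject.Properties) {
        if ($null -eq $group.Value) { continue }
        foreach ($setting in $group.Value.PSObject.Properties) {
            if ("$($setting.Value)" -eq 'OFF') {
                [pscustomobject]@{
                    Mitigation = '{0}.{1}' -f $group.Name, $setting.Name
                    State      = 'OFF'
                }
            }
        }
    }
}

function Get-MMAgentState {
    # The sample runs Disable-MMAgent -MemoryCompression -ApplicationPreLaunch;
    # both read True on a default Windows 10 install.
    Get-MMAgent | Select-Object MemoryCompression, ApplicationPreLaunch
}

function Find-SampleScriptBlocks {
    param([int]$MaxEvents = 5000)
    # Regexes derived from the three powershell.exe command lines in the tree.
    $patterns = @(
        'Set-ExecutionPolicy\s+-ExecutionPolicy\s+Unrestricted',
        'Set-ProcessMitigation\s+-System\s+-Disable',
        'Disable-MMAgent\s+-MemoryCompression'
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field.
            $text = [string]$_.Properties[2].Value
            foreach ($p in $patterns) {
                if ($text -match $p) {
                    [pscustomobject]@{
                        TimeCreated = $_.TimeCreated
                        ProcessId   = $_.ProcessId
                        Pattern     = $p
                        ScriptBlock = $text.Substring(0, [Math]::Min(120, $text.Length))
                    }
                }
            }
        }
}

# Run the audit and print each part.
Write-Host '--- Execution policy by scope ---'
Get-ExecutionPolicyState | Format-Table -AutoSize
Write-Host '--- Mitigations the sample can disable on this build ---'
(Get-SampleDisableList) -join ', '
Write-Host '--- System-wide mitigations currently OFF ---'
Get-DisabledSystemMitigations | Format-Table -AutoSize
Write-Host '--- MMAgent ---'
Get-MMAgentState | Format-List
Write-Host '--- 4104 script blocks matching the sample ---'
Find-SampleScriptBlocks | Format-Table -AutoSize
```

Two points worth keeping in mind when reading the output. Set-ProcessMitigation -System persists its result under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel (the MitigationOptions value), so registry auditing or Sysmon registry events on that key catch the second powershell.exe child even where script block logging is off. And because the sample suppresses errors with -ErrorAction SilentlyContinue, a host where some of the calls failed still shows up as partially changed; the recovery is Set-ProcessMitigation -System -Enable for each setting that differs from a clean baseline, Set-ExecutionPolicy with an explicit -Scope LocalMachine, and Enable-MMAgent -MemoryCompression -ApplicationPreLaunch.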
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: d136d3411d4aa688242c53cafb993aa6
SHA1: 1a81cc78e3ca445d5a5193e49ddce26d5e25179f
SHA256: 00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397
SHA512: 282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Filesize: 64B
MD5: 50a8221b93fbd2628ac460dd408a9fc1
SHA1: 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256: 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512: 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Filesize: 1KB
MD5: e48d8ce6068b109aa2440817fb0b0718
SHA1: 059d5f005ba924b3abef386efa88f7679ee77dbc
SHA256: 86adf42305130d1f808681cb2a91d075ece16196121f26a6ebd8188dd90e1897
SHA512: ee1bf5e98ba7425fd4444a4aa50006b5b4152f545a1895eedd21309694f957f0270bedf5c8a2dd74ba9b4efbd6071020afea42ba563f720c427d87a4ef6900a3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82