Analysis
max time kernel: 92s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31/10/2024, 10:07
Static task: static1
Behavioral task: behavioral1
Sample: Koa_Paid_Tweak_Tool.bat
Resource: win11-20241007-en
General
Target: Koa_Paid_Tweak_Tool.bat
Size: 87KB
MD5: 2523b7ade7ef2ab0364cf7af2480780b
SHA1: f0a796bbe87cbedb2422f1a30ed679910b16eec8
SHA256: fb97d6ec1b1de59c4f02b55c8f95e756a13f9119f4bd08e77e832890ae529317
SHA512: 3cef3cd7f42f3950ae5d683762747cbc8fbbeba37d8e761e2dffb6ac2469db992023407ed8dd62f2f4bcdc3be91c3de03b8af834a93e423651f1c3548cd9fe3a
SSDEEP: 384:0jW4urpgB0TBp1uFuyIBmGlngbuPPqoeV9WIblw8WGDyLNZfKGDyLNZfU9a1QL:n80TBWQyEjPqoC9yiU0QL
Malware Config
Signatures
UAC bypass (signature name recovered from the process tree entry for reg.exe, PID 3808)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Command and Scripting Interpreter: PowerShell (signature name recovered from the process tree entries for PIDs 2076 and 5068)
PID | Process
2076 | powershell.exe
5068 | powershell.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … (value not present in this copy of the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe

Delays execution with timeout.exe (7 IoCs)
PID | Process
3508 | timeout.exe
2352 | timeout.exe
3120 | timeout.exe
1448 | timeout.exe
3640 | timeout.exe
2144 | timeout.exe
1684 | timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID | Process
2076 | powershell.exe
2076 | powershell.exe
5068 | powershell.exe
5068 | powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
4428 | SystemPropertiesPerformance.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 2076 | powershell.exe
Token: SeDebugPrivilege | 5068 | powershell.exe
Token: SeBackupPrivilege | 3804 | vssvc.exe
Token: SeRestorePrivilege | 3804 | vssvc.exe
Token: SeAuditPrivilege | 3804 | vssvc.exe
Token: SeBackupPrivilege | 1344 | srtasks.exe
Token: SeRestorePrivilege | 1344 | srtasks.exe
Token: SeSecurityPrivilege | 1344 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1344 | srtasks.exe
Token: SeBackupPrivilege | 1344 | srtasks.exe
Token: SeRestorePrivilege | 1344 | srtasks.exe
Token: SeSecurityPrivilege | 1344 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1344 | srtasks.exe

Suspicious use of WriteProcessMemory (56 IoCs)
All entries are writes by PID 2172 (cmd.exe) into the memory of a child process; the report records each write twice, giving 56 IoCs for 28 targets.
Target PID | procid_target
3808 | 81
3096 | 82
2080 | 83
3856 | 84
1732 | 85
2076 | 86
5068 | 90
364 | 96
3244 | 97
1844 | 104
3508 | 105
2988 | 106
2352 | 107
1964 | 108
3120 | 109
4724 | 110
1636 | 111
4532 | 112
3088 | 113
1448 | 114
2296 | 115
3640 | 116
1160 | 117
2144 | 118
3164 | 119
1684 | 120
4564 | 121
4428 | 123
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(tree depth is shown by indentation; "cmd:" is the recorded command line)

[PID 2172] C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Koa_Paid_Tweak_Tool.bat"
    signatures: Suspicious use of WriteProcessMemory
    [PID 3808] C:\Windows\system32\reg.exe
        cmd: Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
        signatures: UAC bypass
    [PID 3096] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
    [PID 2080] C:\Windows\system32\reg.exe
        cmd: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    [PID 3856] C:\Windows\system32\reg.exe
        cmd: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    [PID 1732] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    [PID 2076] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [PID 5068] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'KoaPaid' -RestorePointType 'MODIFY_SETTINGS'"
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [PID 364] C:\Windows\system32\chcp.com
        cmd: chcp 65001
    [PID 3244] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    [PID 1844] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "122" /f
    [PID 3508] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 2988] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f
    [PID 2352] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 1964] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
    [PID 3120] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 4724] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f
    [PID 1636] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
    [PID 4532] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
    [PID 3088] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
    [PID 1448] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 2296] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
    [PID 3640] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 1160] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
    [PID 2144] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 3164] C:\Windows\system32\reg.exe
        cmd: Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
    [PID 1684] C:\Windows\system32\timeout.exe
        cmd: timeout /t 1 /nobreak
        signatures: Delays execution with timeout.exe
    [PID 4564] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    [PID 4428] C:\Windows\system32\SystemPropertiesPerformance.exe
        cmd: C:\Windows\system32\SystemPropertiesPerformance.exe
        signatures: Suspicious behavior: GetForegroundWindowSpam

[PID 3804] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

[PID 1344] C:\Windows\system32\srtasks.exe
    cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (1)
        Disable or Modify Tools (1)
    Modify Registry (1)
Downloads

Filesize: 2KB
MD5: 88dc70c361a22feac57b031dd9c1f02f
SHA1: a9b4732260c2a323750022a73480f229ce25d46d
SHA256: 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512: 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Filesize: 64B
MD5: 5caad758326454b5788ec35315c4c304
SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82