Overview
overview
10Static
static
7a6e9684002...c0.exe
windows7-x64
10a6e9684002...c0.exe
windows10-2004-x64
10$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_39_/PowerRun64.exe
windows7-x64
4$_39_/PowerRun64.exe
windows10-2004-x64
3$_39_/SetACL64.exe
windows7-x64
1$_39_/SetACL64.exe
windows10-2004-x64
1$_39_/bn.bat
windows7-x64
1$_39_/bn.bat
windows10-2004-x64
1$_39_/bn1.bat
windows7-x64
10$_39_/bn1.bat
windows10-2004-x64
10$_39_/bnn.bat
windows7-x64
1$_39_/bnn.bat
windows10-2004-x64
1$_39_/bnz.bat
windows7-x64
1$_39_/bnz.bat
windows10-2004-x64
1$_39_/dotN...up.exe
windows7-x64
7$_39_/dotN...up.exe
windows10-2004-x64
7$_39_/dotN...up.exe
windows7-x64
7$_39_/dotN...up.exe
windows10-2004-x64
7$_39_/tbjf...du.exe
windows7-x64
3$_39_/tbjf...du.exe
windows10-2004-x64
3$_39_/win_...rp.exe
windows7-x64
3$_39_/win_...rp.exe
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 02:38
Behavioral task
behavioral1
Sample
a6e96840029b64d72ddfd94ede969f521e1c05b91d5c23eee56b66afae6800c0.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
a6e96840029b64d72ddfd94ede969f521e1c05b91d5c23eee56b66afae6800c0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_39_/PowerRun64.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral8
Sample
$_39_/PowerRun64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_39_/SetACL64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$_39_/SetACL64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_39_/bn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$_39_/bn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_39_/bn1.bat
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral14
Sample
$_39_/bn1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_39_/bnn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_39_/bnn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_39_/bnz.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
$_39_/bnz.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_39_/dotNetFx40_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
$_39_/dotNetFx40_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_39_/dotNetFx45_Full_setup.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
$_39_/dotNetFx45_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$_39_/tbjfarxhkycdu.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral24
Sample
$_39_/tbjfarxhkycdu.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$_39_/win_version_csharp.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
$_39_/win_version_csharp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$_39_/bn.bat
-
Size
885B
-
MD5
b8f5f8991353b53c34e6909eced64f13
-
SHA1
5e039faaf0125202fec8087475c62248de7a3976
-
SHA256
f9b7a1395cd60cf2c03bc5b48c81742a6e2a9fc5f5d14dfb48232678c83f272e
-
SHA512
4e5b61f09a6672e4fd93ebccfc8ef25139db6e5200a8203b3950a68cb3251316aef30f86facc1f7560a7f1215647d63cdae0b0fd5ae094097ed180856206ef70
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeBackupPrivilege 2524 SetACL64.exe Token: SeRestorePrivilege 2524 SetACL64.exe Token: SeTakeOwnershipPrivilege 2524 SetACL64.exe Token: SeBackupPrivilege 2428 SetACL64.exe Token: SeRestorePrivilege 2428 SetACL64.exe Token: SeTakeOwnershipPrivilege 2428 SetACL64.exe Token: SeBackupPrivilege 2136 SetACL64.exe Token: SeRestorePrivilege 2136 SetACL64.exe Token: SeTakeOwnershipPrivilege 2136 SetACL64.exe Token: SeBackupPrivilege 2168 SetACL64.exe Token: SeRestorePrivilege 2168 SetACL64.exe Token: SeTakeOwnershipPrivilege 2168 SetACL64.exe Token: SeBackupPrivilege 1508 SetACL64.exe Token: SeRestorePrivilege 1508 SetACL64.exe Token: SeTakeOwnershipPrivilege 1508 SetACL64.exe Token: SeBackupPrivilege 1032 SetACL64.exe Token: SeRestorePrivilege 1032 SetACL64.exe Token: SeTakeOwnershipPrivilege 1032 SetACL64.exe Token: SeBackupPrivilege 1164 SetACL64.exe Token: SeRestorePrivilege 1164 SetACL64.exe Token: SeTakeOwnershipPrivilege 1164 SetACL64.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2960 wrote to memory of 2524 2960 cmd.exe 31 PID 2960 wrote to memory of 2524 2960 cmd.exe 31 PID 2960 wrote to memory of 2524 2960 cmd.exe 31 PID 2960 wrote to memory of 2428 2960 cmd.exe 32 PID 2960 wrote to memory of 2428 2960 cmd.exe 32 PID 2960 wrote to memory of 2428 2960 cmd.exe 32 PID 2960 wrote to memory of 2136 2960 cmd.exe 33 PID 2960 wrote to memory of 2136 2960 cmd.exe 33 PID 2960 wrote to memory of 2136 2960 cmd.exe 33 PID 2960 wrote to memory of 2168 2960 cmd.exe 34 PID 2960 wrote to memory of 2168 2960 cmd.exe 34 PID 2960 wrote to memory of 2168 2960 cmd.exe 34 PID 2960 wrote to memory of 1508 2960 cmd.exe 35 PID 2960 wrote to memory of 1508 2960 cmd.exe 35 PID 2960 wrote to memory of 1508 2960 cmd.exe 35 PID 2960 wrote to memory of 1032 2960 cmd.exe 36 PID 2960 wrote to memory of 1032 2960 cmd.exe 36 PID 2960 wrote to memory of 1032 2960 cmd.exe 36 PID 2960 wrote to memory of 1164 2960 cmd.exe 37 PID 2960 wrote to memory of 1164 2960 cmd.exe 37 PID 2960 wrote to memory of 1164 2960 cmd.exe 37
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\$_39_\bn.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\$_39_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164
-