Overview

overview

10

Static

static

3

boot/1.bat

windows7-x64

9

boot/1.bat

windows10-2004-x64

9

boot/1.py

windows7-x64

3

boot/1.py

windows10-2004-x64

3

boot/2.bat

windows7-x64

7

boot/2.bat

windows10-2004-x64

1

boot/2.py

windows7-x64

3

boot/2.py

windows10-2004-x64

3

boot/3.py

windows7-x64

3

boot/3.py

windows10-2004-x64

3

boot/FixBug.bat

windows7-x64

1

boot/FixBug.bat

windows10-2004-x64

1

boot/Output.exe

windows7-x64

10

boot/Output.exe

windows10-2004-x64

10

boot/fix bug.py

windows7-x64

3

boot/fix bug.py

windows10-2004-x64

3

boot/gif.py

windows7-x64

3

boot/gif.py

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 20:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    boot/1.bat

  • Size

    2KB

  • MD5

    5796d9a4ba133117ed2873ea8f0a9d52

  • SHA1

    ed249bd98b8da480c8245f20b789f75d8a8621fd

  • SHA256

    1382faa9d7a174cd4d91ae5ea9ae3cde45b2304642cefcc7c1ee133af27f3715

  • SHA512

    10b95f6c3cc8c070ab8c46b5f410caea7aa9811e91aaa0568094897628bd03e36db699892cbd83455259fcf698e2a3e6eeaa9190cb1842078a0fd3c7b2b7e240

Score
9/10
evasionransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 59 IoCs
    ransomwareevasion
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\boot\1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\system32\mode.com
      mode 105,25
      2⤵
        PID:2908
      • C:\Windows\system32\timeout.exe
        timeout 5
        2⤵
        • Delays execution with timeout.exe
        PID:2916
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformtick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1020
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set disabledynamictick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2320
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformtick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1896
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformclock false
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1852
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set disabledynamictick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1884
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set tscsyncpolicy legacy
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1812
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set tscsyncpolicy Enhanced
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1628
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set nx AlwaysOff
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2244
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformtick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2300
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set disabledynamictick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2516
      • C:\Windows\system32\bcdedit.exe
        bcdedit /timeout 0
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2520
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set nx optout
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2384
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set bootux disabled
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2708
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set bootmenupolicy standard
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2080
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set hypervisorlaunchtype off
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1676
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set tpmbootentropy ForceDisable
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1648
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set quietboot yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1624
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {globalsettings} custom:16000067 true
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1684
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {globalsettings} custom:16000069 true
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:1840
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {globalsettings} custom:16000068 true
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2136
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set linearaddress57 OptOut
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2324
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set increaseuserva 268435328
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2308
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set firstmegabytepolicy UseAll
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2616
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set avoidlowmemory 0x8000000
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2936
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set nolowmem Yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2528
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set allowedinmemorysettings 0x0
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2932
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set isolatedcontext No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2956
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set vsmlaunchtype Off
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2544
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set vm No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2264
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set configaccesspolicy Default
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2564
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set MSI Default
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2592
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set usephysicaldestination No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2632
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set usefirmwarepcisettings No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2636
      • C:\Windows\system32\bcdedit.exe
        bcdedit /deletevalue useplatformclock
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2672
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set disabledynamictick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2684
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformtick yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2688
      • C:\Windows\system32\bcdedit.exe
        bcdedit /timeout 0
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2628
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set nx optout
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2580
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set bootux disabled
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2568
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set bootmenupolicy standard
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2952
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set hypervisorlaunchtype off
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2796
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set tpmbootentropy ForceDisable
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2552
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set quietboot yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2704
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {globalsettings} custom:16000067 true
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2596
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {globalsettings} custom:16000069 true
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2472
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {globalsettings} custom:16000068 true
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2652
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set linearaddress57 OptOut
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2768
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set increaseuserva 268435328
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2776
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set firstmegabytepolicy UseAll
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2464
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set avoidlowmemory 0x8000000
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2460
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set nolowmem Yes
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2892
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set allowedinmemorysettings 0x0
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2600
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set isolatedcontext No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2608
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set vsmlaunchtype Off
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2480
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set vm No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2492
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set configaccesspolicy Default
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:864
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set MSI Default
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2440
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set usephysicaldestination No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2448
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set usefirmwarepcisettings No
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads