b6f677ed348de7160677ca453846e77713ba1b2e9820b03be282956626725eca

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boot/1.bat
Size

2KB
MD5

5796d9a4ba133117ed2873ea8f0a9d52
SHA1

ed249bd98b8da480c8245f20b789f75d8a8621fd
SHA256

1382faa9d7a174cd4d91ae5ea9ae3cde45b2304642cefcc7c1ee133af27f3715
SHA512

10b95f6c3cc8c070ab8c46b5f410caea7aa9811e91aaa0568094897628bd03e36db699892cbd83455259fcf698e2a3e6eeaa9190cb1842078a0fd3c7b2b7e240

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 59 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4588	bcdedit.exe
4856	bcdedit.exe
368	bcdedit.exe
2324	bcdedit.exe
4460	bcdedit.exe
1856	bcdedit.exe
1552	bcdedit.exe
3248	bcdedit.exe
4072	bcdedit.exe
3244	bcdedit.exe
5040	bcdedit.exe
2544	bcdedit.exe
5056	bcdedit.exe
4700	bcdedit.exe
2204	bcdedit.exe
4568	bcdedit.exe
2664	bcdedit.exe
4332	bcdedit.exe
4284	bcdedit.exe
1488	bcdedit.exe
2336	bcdedit.exe
1460	bcdedit.exe
920	bcdedit.exe
1396	bcdedit.exe
728	bcdedit.exe
4640	bcdedit.exe
3860	bcdedit.exe
1012	bcdedit.exe
4020	bcdedit.exe
1620	bcdedit.exe
3972	bcdedit.exe
2600	bcdedit.exe
1752	bcdedit.exe
3180	bcdedit.exe
1776	bcdedit.exe
3436	bcdedit.exe
1560	bcdedit.exe
2108	bcdedit.exe
2572	bcdedit.exe
2424	bcdedit.exe
3220	bcdedit.exe
2476	bcdedit.exe
4004	bcdedit.exe
2508	bcdedit.exe
1568	bcdedit.exe
832	bcdedit.exe
4516	bcdedit.exe
3716	bcdedit.exe
1824	bcdedit.exe
5108	bcdedit.exe
4128	bcdedit.exe
2768	bcdedit.exe
2256	bcdedit.exe
4904	bcdedit.exe
2196	bcdedit.exe
5028	bcdedit.exe
4984	bcdedit.exe
4860	bcdedit.exe
3292	bcdedit.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3392	timeout.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3648	2024	cmd.exe	84
PID 2024 wrote to memory of 3648	2024	cmd.exe	84
PID 2024 wrote to memory of 3392	2024	cmd.exe	85
PID 2024 wrote to memory of 3392	2024	cmd.exe	85
PID 2024 wrote to memory of 4588	2024	cmd.exe	96
PID 2024 wrote to memory of 4588	2024	cmd.exe	96
PID 2024 wrote to memory of 4856	2024	cmd.exe	97
PID 2024 wrote to memory of 4856	2024	cmd.exe	97
PID 2024 wrote to memory of 368	2024	cmd.exe	98
PID 2024 wrote to memory of 368	2024	cmd.exe	98
PID 2024 wrote to memory of 2324	2024	cmd.exe	99
PID 2024 wrote to memory of 2324	2024	cmd.exe	99
PID 2024 wrote to memory of 4460	2024	cmd.exe	100
PID 2024 wrote to memory of 4460	2024	cmd.exe	100
PID 2024 wrote to memory of 1856	2024	cmd.exe	101
PID 2024 wrote to memory of 1856	2024	cmd.exe	101
PID 2024 wrote to memory of 1552	2024	cmd.exe	102
PID 2024 wrote to memory of 1552	2024	cmd.exe	102
PID 2024 wrote to memory of 3248	2024	cmd.exe	103
PID 2024 wrote to memory of 3248	2024	cmd.exe	103
PID 2024 wrote to memory of 4072	2024	cmd.exe	104
PID 2024 wrote to memory of 4072	2024	cmd.exe	104
PID 2024 wrote to memory of 3244	2024	cmd.exe	105
PID 2024 wrote to memory of 3244	2024	cmd.exe	105
PID 2024 wrote to memory of 5040	2024	cmd.exe	106
PID 2024 wrote to memory of 5040	2024	cmd.exe	106
PID 2024 wrote to memory of 2544	2024	cmd.exe	107
PID 2024 wrote to memory of 2544	2024	cmd.exe	107
PID 2024 wrote to memory of 5056	2024	cmd.exe	108
PID 2024 wrote to memory of 5056	2024	cmd.exe	108
PID 2024 wrote to memory of 4700	2024	cmd.exe	109
PID 2024 wrote to memory of 4700	2024	cmd.exe	109
PID 2024 wrote to memory of 2204	2024	cmd.exe	110
PID 2024 wrote to memory of 2204	2024	cmd.exe	110
PID 2024 wrote to memory of 4568	2024	cmd.exe	111
PID 2024 wrote to memory of 4568	2024	cmd.exe	111
PID 2024 wrote to memory of 2664	2024	cmd.exe	112
PID 2024 wrote to memory of 2664	2024	cmd.exe	112
PID 2024 wrote to memory of 4332	2024	cmd.exe	113
PID 2024 wrote to memory of 4332	2024	cmd.exe	113
PID 2024 wrote to memory of 4284	2024	cmd.exe	114
PID 2024 wrote to memory of 4284	2024	cmd.exe	114
PID 2024 wrote to memory of 1488	2024	cmd.exe	115
PID 2024 wrote to memory of 1488	2024	cmd.exe	115
PID 2024 wrote to memory of 2336	2024	cmd.exe	116
PID 2024 wrote to memory of 2336	2024	cmd.exe	116
PID 2024 wrote to memory of 1460	2024	cmd.exe	117
PID 2024 wrote to memory of 1460	2024	cmd.exe	117
PID 2024 wrote to memory of 920	2024	cmd.exe	118
PID 2024 wrote to memory of 920	2024	cmd.exe	118
PID 2024 wrote to memory of 1396	2024	cmd.exe	119
PID 2024 wrote to memory of 1396	2024	cmd.exe	119
PID 2024 wrote to memory of 728	2024	cmd.exe	120
PID 2024 wrote to memory of 728	2024	cmd.exe	120
PID 2024 wrote to memory of 4640	2024	cmd.exe	121
PID 2024 wrote to memory of 4640	2024	cmd.exe	121
PID 2024 wrote to memory of 3860	2024	cmd.exe	122
PID 2024 wrote to memory of 3860	2024	cmd.exe	122
PID 2024 wrote to memory of 1012	2024	cmd.exe	123
PID 2024 wrote to memory of 1012	2024	cmd.exe	123
PID 2024 wrote to memory of 4020	2024	cmd.exe	124
PID 2024 wrote to memory of 4020	2024	cmd.exe	124
PID 2024 wrote to memory of 1620	2024	cmd.exe	125
PID 2024 wrote to memory of 1620	2024	cmd.exe	125

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\boot\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\mode.com
  mode 105,25
  2⤵
  PID:3648
- C:\Windows\system32\timeout.exe
  timeout 5
  2⤵
  - Delays execution with timeout.exe
  PID:3392
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4588
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4856
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:368
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformclock false
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2324
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4460
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tscsyncpolicy legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1856
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tscsyncpolicy Enhanced
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1552
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nx AlwaysOff
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3248
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4072
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3244
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5040
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nx optout
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2544
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootux disabled
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5056
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootmenupolicy standard
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4700
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2204
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tpmbootentropy ForceDisable
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4568
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2664
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000067 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4332
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000069 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4284
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000068 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1488
- C:\Windows\system32\bcdedit.exe
  bcdedit /set linearaddress57 OptOut
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2336
- C:\Windows\system32\bcdedit.exe
  bcdedit /set increaseuserva 268435328
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1460
- C:\Windows\system32\bcdedit.exe
  bcdedit /set firstmegabytepolicy UseAll
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:920
- C:\Windows\system32\bcdedit.exe
  bcdedit /set avoidlowmemory 0x8000000
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1396
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nolowmem Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:728
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0x0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4640
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3860
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vsmlaunchtype Off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1012
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vm No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4020
- C:\Windows\system32\bcdedit.exe
  bcdedit /set configaccesspolicy Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1620
- C:\Windows\system32\bcdedit.exe
  bcdedit /set MSI Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3972
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usephysicaldestination No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2600
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usefirmwarepcisettings No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1752
- C:\Windows\system32\bcdedit.exe
  bcdedit /deletevalue useplatformclock
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3180
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1776
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3436
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1560
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nx optout
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2108
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootux disabled
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2572
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootmenupolicy standard
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3220
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2424
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tpmbootentropy ForceDisable
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2476
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4004
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000067 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2508
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000069 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1568
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000068 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4516
- C:\Windows\system32\bcdedit.exe
  bcdedit /set linearaddress57 OptOut
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:832
- C:\Windows\system32\bcdedit.exe
  bcdedit /set increaseuserva 268435328
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3716
- C:\Windows\system32\bcdedit.exe
  bcdedit /set firstmegabytepolicy UseAll
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1824
- C:\Windows\system32\bcdedit.exe
  bcdedit /set avoidlowmemory 0x8000000
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5108
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nolowmem Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4128
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0x0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2768
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2256
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vsmlaunchtype Off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4904
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vm No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5028
- C:\Windows\system32\bcdedit.exe
  bcdedit /set configaccesspolicy Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2196
- C:\Windows\system32\bcdedit.exe
  bcdedit /set MSI Default
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4860
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usephysicaldestination No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4984
- C:\Windows\system32\bcdedit.exe
  bcdedit /set usefirmwarepcisettings No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Windows 7 deprecation

Loading Replay Monitor...