3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
98s
max time network
137s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/4 - Process Destroyer V2.1/Process Destroyer 2.1.bat
Size

3KB
MD5

07eb39b2e136e2b6346ef8d4d20465a1
SHA1

1396dc3772079e611a2cf738b6f67c65f3743704
SHA256

1eec0e628ad9eaeab06c2174c5f526e5ec305e948371507cd1aaaf56e7246cce
SHA512

092372ec030b7962d438123ee0a125dd0eeb2744ede249b6153c29a9f8b1c9c57be19eff64dd8f862d4d2063a2c268acda3cb6bb412481561f3636bf74dd4d67

Score

10^/10

defense_evasion evasion

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Modifies Security services 2 TTPs 2 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2944	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2580	taskkill.exe
4112	taskkill.exe
2756	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2580	5044	cmd.exe	81
PID 5044 wrote to memory of 2580	5044	cmd.exe	81
PID 5044 wrote to memory of 4112	5044	cmd.exe	83
PID 5044 wrote to memory of 4112	5044	cmd.exe	83
PID 5044 wrote to memory of 2756	5044	cmd.exe	84
PID 5044 wrote to memory of 2756	5044	cmd.exe	84
PID 5044 wrote to memory of 3296	5044	cmd.exe	85
PID 5044 wrote to memory of 3296	5044	cmd.exe	85
PID 5044 wrote to memory of 4756	5044	cmd.exe	86
PID 5044 wrote to memory of 4756	5044	cmd.exe	86
PID 5044 wrote to memory of 4940	5044	cmd.exe	87
PID 5044 wrote to memory of 4940	5044	cmd.exe	87
PID 5044 wrote to memory of 2828	5044	cmd.exe	88
PID 5044 wrote to memory of 2828	5044	cmd.exe	88
PID 5044 wrote to memory of 1864	5044	cmd.exe	89
PID 5044 wrote to memory of 1864	5044	cmd.exe	89
PID 5044 wrote to memory of 2328	5044	cmd.exe	90
PID 5044 wrote to memory of 2328	5044	cmd.exe	90
PID 5044 wrote to memory of 228	5044	cmd.exe	91
PID 5044 wrote to memory of 228	5044	cmd.exe	91
PID 5044 wrote to memory of 3892	5044	cmd.exe	92
PID 5044 wrote to memory of 3892	5044	cmd.exe	92
PID 5044 wrote to memory of 2060	5044	cmd.exe	93
PID 5044 wrote to memory of 2060	5044	cmd.exe	93
PID 5044 wrote to memory of 4668	5044	cmd.exe	94
PID 5044 wrote to memory of 4668	5044	cmd.exe	94
PID 5044 wrote to memory of 2956	5044	cmd.exe	95
PID 5044 wrote to memory of 2956	5044	cmd.exe	95
PID 5044 wrote to memory of 4564	5044	cmd.exe	96
PID 5044 wrote to memory of 4564	5044	cmd.exe	96
PID 5044 wrote to memory of 4208	5044	cmd.exe	97
PID 5044 wrote to memory of 4208	5044	cmd.exe	97
PID 5044 wrote to memory of 4700	5044	cmd.exe	98
PID 5044 wrote to memory of 4700	5044	cmd.exe	98
PID 5044 wrote to memory of 4428	5044	cmd.exe	99
PID 5044 wrote to memory of 4428	5044	cmd.exe	99
PID 5044 wrote to memory of 3412	5044	cmd.exe	100
PID 5044 wrote to memory of 3412	5044	cmd.exe	100
PID 5044 wrote to memory of 3232	5044	cmd.exe	101
PID 5044 wrote to memory of 3232	5044	cmd.exe	101
PID 5044 wrote to memory of 4184	5044	cmd.exe	102
PID 5044 wrote to memory of 4184	5044	cmd.exe	102
PID 5044 wrote to memory of 2516	5044	cmd.exe	103
PID 5044 wrote to memory of 2516	5044	cmd.exe	103
PID 5044 wrote to memory of 3464	5044	cmd.exe	104
PID 5044 wrote to memory of 3464	5044	cmd.exe	104
PID 5044 wrote to memory of 1492	5044	cmd.exe	105
PID 5044 wrote to memory of 1492	5044	cmd.exe	105
PID 5044 wrote to memory of 4900	5044	cmd.exe	106
PID 5044 wrote to memory of 4900	5044	cmd.exe	106
PID 5044 wrote to memory of 312	5044	cmd.exe	107
PID 5044 wrote to memory of 312	5044	cmd.exe	107
PID 5044 wrote to memory of 1744	5044	cmd.exe	108
PID 5044 wrote to memory of 1744	5044	cmd.exe	108
PID 5044 wrote to memory of 2672	5044	cmd.exe	109
PID 5044 wrote to memory of 2672	5044	cmd.exe	109
PID 5044 wrote to memory of 1200	5044	cmd.exe	110
PID 5044 wrote to memory of 1200	5044	cmd.exe	110
PID 5044 wrote to memory of 2408	5044	cmd.exe	111
PID 5044 wrote to memory of 2408	5044	cmd.exe	111
PID 5044 wrote to memory of 3704	5044	cmd.exe	112
PID 5044 wrote to memory of 3704	5044	cmd.exe	112
PID 5044 wrote to memory of 3108	5044	cmd.exe	113
PID 5044 wrote to memory of 3108	5044	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\taskkill.exe
  taskkill /f /im ctfmon.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\system32\taskkill.exe
  taskkill /f /im backgroundTaskHost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\system32\taskkill.exe
  taskkill /f /im TextInputHost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:4940
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:228
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:3892
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4668
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4208
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:4428
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3412
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3232
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:312
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1200
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3704
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3108
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3356
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:5032
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:628
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:548
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2512
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4560
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3320
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3468
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads