3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/4 - Process Destroyer V2.1/Process Destroyer 2.1.bat
Size

3KB
MD5

07eb39b2e136e2b6346ef8d4d20465a1
SHA1

1396dc3772079e611a2cf738b6f67c65f3743704
SHA256

1eec0e628ad9eaeab06c2174c5f526e5ec305e948371507cd1aaaf56e7246cce
SHA512

092372ec030b7962d438123ee0a125dd0eeb2744ede249b6153c29a9f8b1c9c57be19eff64dd8f862d4d2063a2c268acda3cb6bb412481561f3636bf74dd4d67

Score

10^/10

defense_evasion evasion

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

Modifies Security services 2 TTPs 2 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
980	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2312	taskkill.exe
2180	taskkill.exe
2328	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2328	1964	cmd.exe	31
PID 1964 wrote to memory of 2328	1964	cmd.exe	31
PID 1964 wrote to memory of 2328	1964	cmd.exe	31
PID 1964 wrote to memory of 2312	1964	cmd.exe	33
PID 1964 wrote to memory of 2312	1964	cmd.exe	33
PID 1964 wrote to memory of 2312	1964	cmd.exe	33
PID 1964 wrote to memory of 2180	1964	cmd.exe	34
PID 1964 wrote to memory of 2180	1964	cmd.exe	34
PID 1964 wrote to memory of 2180	1964	cmd.exe	34
PID 1964 wrote to memory of 2716	1964	cmd.exe	35
PID 1964 wrote to memory of 2716	1964	cmd.exe	35
PID 1964 wrote to memory of 2716	1964	cmd.exe	35
PID 1964 wrote to memory of 2740	1964	cmd.exe	36
PID 1964 wrote to memory of 2740	1964	cmd.exe	36
PID 1964 wrote to memory of 2740	1964	cmd.exe	36
PID 1964 wrote to memory of 2836	1964	cmd.exe	37
PID 1964 wrote to memory of 2836	1964	cmd.exe	37
PID 1964 wrote to memory of 2836	1964	cmd.exe	37
PID 1964 wrote to memory of 2852	1964	cmd.exe	38
PID 1964 wrote to memory of 2852	1964	cmd.exe	38
PID 1964 wrote to memory of 2852	1964	cmd.exe	38
PID 1964 wrote to memory of 2856	1964	cmd.exe	39
PID 1964 wrote to memory of 2856	1964	cmd.exe	39
PID 1964 wrote to memory of 2856	1964	cmd.exe	39
PID 1964 wrote to memory of 2888	1964	cmd.exe	40
PID 1964 wrote to memory of 2888	1964	cmd.exe	40
PID 1964 wrote to memory of 2888	1964	cmd.exe	40
PID 1964 wrote to memory of 2896	1964	cmd.exe	41
PID 1964 wrote to memory of 2896	1964	cmd.exe	41
PID 1964 wrote to memory of 2896	1964	cmd.exe	41
PID 1964 wrote to memory of 2840	1964	cmd.exe	42
PID 1964 wrote to memory of 2840	1964	cmd.exe	42
PID 1964 wrote to memory of 2840	1964	cmd.exe	42
PID 1964 wrote to memory of 2768	1964	cmd.exe	43
PID 1964 wrote to memory of 2768	1964	cmd.exe	43
PID 1964 wrote to memory of 2768	1964	cmd.exe	43
PID 1964 wrote to memory of 2824	1964	cmd.exe	44
PID 1964 wrote to memory of 2824	1964	cmd.exe	44
PID 1964 wrote to memory of 2824	1964	cmd.exe	44
PID 1964 wrote to memory of 2752	1964	cmd.exe	45
PID 1964 wrote to memory of 2752	1964	cmd.exe	45
PID 1964 wrote to memory of 2752	1964	cmd.exe	45
PID 1964 wrote to memory of 2736	1964	cmd.exe	46
PID 1964 wrote to memory of 2736	1964	cmd.exe	46
PID 1964 wrote to memory of 2736	1964	cmd.exe	46
PID 1964 wrote to memory of 2744	1964	cmd.exe	47
PID 1964 wrote to memory of 2744	1964	cmd.exe	47
PID 1964 wrote to memory of 2744	1964	cmd.exe	47
PID 1964 wrote to memory of 2804	1964	cmd.exe	48
PID 1964 wrote to memory of 2804	1964	cmd.exe	48
PID 1964 wrote to memory of 2804	1964	cmd.exe	48
PID 1964 wrote to memory of 2260	1964	cmd.exe	49
PID 1964 wrote to memory of 2260	1964	cmd.exe	49
PID 1964 wrote to memory of 2260	1964	cmd.exe	49
PID 1964 wrote to memory of 2992	1964	cmd.exe	50
PID 1964 wrote to memory of 2992	1964	cmd.exe	50
PID 1964 wrote to memory of 2992	1964	cmd.exe	50
PID 1964 wrote to memory of 2772	1964	cmd.exe	51
PID 1964 wrote to memory of 2772	1964	cmd.exe	51
PID 1964 wrote to memory of 2772	1964	cmd.exe	51
PID 1964 wrote to memory of 2096	1964	cmd.exe	52
PID 1964 wrote to memory of 2096	1964	cmd.exe	52
PID 1964 wrote to memory of 2096	1964	cmd.exe	52
PID 1964 wrote to memory of 2864	1964	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\taskkill.exe
  taskkill /f /im ctfmon.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\system32\taskkill.exe
  taskkill /f /im backgroundTaskHost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\system32\taskkill.exe
  taskkill /f /im TextInputHost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2896
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:2840
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2768
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2752
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:2260
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2096
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2652
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2628
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2644
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:2684
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2732
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:996
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads