Overview
overview
10Static
static
7d01c7369d4...8N.exe
windows7-x64
10d01c7369d4...8N.exe
windows10-2004-x64
10$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_57_/PowerRun64.exe
windows7-x64
4$_57_/PowerRun64.exe
windows10-2004-x64
3$_57_/SetACL64.exe
windows7-x64
1$_57_/SetACL64.exe
windows10-2004-x64
1$_57_/bn.bat
windows7-x64
1$_57_/bn.bat
windows10-2004-x64
1$_57_/bn1.bat
windows7-x64
10$_57_/bn1.bat
windows10-2004-x64
10$_57_/bnn.bat
windows7-x64
1$_57_/bnn.bat
windows10-2004-x64
1$_57_/bnz.bat
windows7-x64
1$_57_/bnz.bat
windows10-2004-x64
1$_57_/dotN...up.exe
windows7-x64
7$_57_/dotN...up.exe
windows10-2004-x64
7$_57_/dotN...up.exe
windows7-x64
7$_57_/dotN...up.exe
windows10-2004-x64
7$_57_/ucmigp.exe
windows7-x64
3$_57_/ucmigp.exe
windows10-2004-x64
3$_57_/win_...rp.exe
windows7-x64
3$_57_/win_...rp.exe
windows10-2004-x64
3Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 08:58
Behavioral task
behavioral1
Sample
d01c7369d4e4f521de836b03f80006aad05aa71d81eaf4402c55b4b9b50c5038N.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
d01c7369d4e4f521de836b03f80006aad05aa71d81eaf4402c55b4b9b50c5038N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_57_/PowerRun64.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral8
Sample
$_57_/PowerRun64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_57_/SetACL64.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
$_57_/SetACL64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_57_/bn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$_57_/bn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_57_/bn1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$_57_/bn1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_57_/bnn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_57_/bnn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_57_/bnz.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$_57_/bnz.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_57_/dotNetFx40_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
$_57_/dotNetFx40_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_57_/dotNetFx45_Full_setup.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
$_57_/dotNetFx45_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$_57_/ucmigp.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral24
Sample
$_57_/ucmigp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$_57_/win_version_csharp.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
$_57_/win_version_csharp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$_57_/bn.bat
-
Size
885B
-
MD5
b8f5f8991353b53c34e6909eced64f13
-
SHA1
5e039faaf0125202fec8087475c62248de7a3976
-
SHA256
f9b7a1395cd60cf2c03bc5b48c81742a6e2a9fc5f5d14dfb48232678c83f272e
-
SHA512
4e5b61f09a6672e4fd93ebccfc8ef25139db6e5200a8203b3950a68cb3251316aef30f86facc1f7560a7f1215647d63cdae0b0fd5ae094097ed180856206ef70
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeBackupPrivilege 4544 SetACL64.exe Token: SeRestorePrivilege 4544 SetACL64.exe Token: SeTakeOwnershipPrivilege 4544 SetACL64.exe Token: SeBackupPrivilege 1152 SetACL64.exe Token: SeRestorePrivilege 1152 SetACL64.exe Token: SeTakeOwnershipPrivilege 1152 SetACL64.exe Token: SeBackupPrivilege 3496 SetACL64.exe Token: SeRestorePrivilege 3496 SetACL64.exe Token: SeTakeOwnershipPrivilege 3496 SetACL64.exe Token: SeBackupPrivilege 216 SetACL64.exe Token: SeRestorePrivilege 216 SetACL64.exe Token: SeTakeOwnershipPrivilege 216 SetACL64.exe Token: SeBackupPrivilege 1156 SetACL64.exe Token: SeRestorePrivilege 1156 SetACL64.exe Token: SeTakeOwnershipPrivilege 1156 SetACL64.exe Token: SeBackupPrivilege 232 SetACL64.exe Token: SeRestorePrivilege 232 SetACL64.exe Token: SeTakeOwnershipPrivilege 232 SetACL64.exe Token: SeBackupPrivilege 4712 SetACL64.exe Token: SeRestorePrivilege 4712 SetACL64.exe Token: SeTakeOwnershipPrivilege 4712 SetACL64.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4088 wrote to memory of 4544 4088 cmd.exe 85 PID 4088 wrote to memory of 4544 4088 cmd.exe 85 PID 4088 wrote to memory of 1152 4088 cmd.exe 86 PID 4088 wrote to memory of 1152 4088 cmd.exe 86 PID 4088 wrote to memory of 3496 4088 cmd.exe 87 PID 4088 wrote to memory of 3496 4088 cmd.exe 87 PID 4088 wrote to memory of 216 4088 cmd.exe 88 PID 4088 wrote to memory of 216 4088 cmd.exe 88 PID 4088 wrote to memory of 1156 4088 cmd.exe 89 PID 4088 wrote to memory of 1156 4088 cmd.exe 89 PID 4088 wrote to memory of 232 4088 cmd.exe 90 PID 4088 wrote to memory of 232 4088 cmd.exe 90 PID 4088 wrote to memory of 4712 4088 cmd.exe 91 PID 4088 wrote to memory of 4712 4088 cmd.exe 91
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$_57_\bn.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152
-
-
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:216
-
-
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:232
-
-
C:\Users\Admin\AppData\Local\Temp\$_57_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712
-