a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MsSavesSessionDll/9KjI6fqbs0yhjc5d8qYY.bat
Size

154B
MD5

24c4210b146054c31eb1f4e01f0f4005
SHA1

340eb576f0bc822344328fa3edf6638a60124381
SHA256

bf807e7bc8dbbebecd7a334f77b9a0b0eec352846fd673bdeab482642002ae2f
SHA512

46554f3f2441374a05ceee70c477aed58717f4e7e05ab57daa494f38a8f2b67b2f462a4a170bf4d3c54340d689934ca38462ee77299bca84cfdd0a7fe07dfa92

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2376	reg.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 1696 wrote to memory of 2376	1696	cmd.exe	31
PID 1696 wrote to memory of 2376	1696	cmd.exe	31
PID 1696 wrote to memory of 2376	1696	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\9KjI6fqbs0yhjc5d8qYY.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads