Overview

overview

10

Static

static

3

Windows11D...er.ps1

windows7-x64

10

Windows11D...er.ps1

windows10-2004-x64

9

Windows11D...et.ps1

windows7-x64

3

Windows11D...et.ps1

windows10-2004-x64

3

Windows11D...er.ps1

windows7-x64

10

Windows11D...er.ps1

windows10-2004-x64

10

Windows11D...ns.ps1

windows7-x64

3

Windows11D...ns.ps1

windows10-2004-x64

3

Windows11D...er.exe

windows7-x64

1

Windows11D...er.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    84s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/03/2025, 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows11DebloaterV205/Config/ezdebloater/ezdebloater.ps1

  • Size

    52KB

  • MD5

    e00cf4301db40d49990672255a164eb2

  • SHA1

    32ec132aa7825535bd70f1c6c284f707db08c181

  • SHA256

    6456d8389910e5e584bafad8aca74d1c228acdeafc194a552232cd5039fc3980

  • SHA512

    749b95809afcc88ef92da1551a388085f39f5892d5722655a6d36724ed734814692ac26cd828c19404f995ce06a65cddefcbf27d6eaf391fe83ae133171bafe4

  • SSDEEP

    1536:3YxKHezR4N0RUxBZA3bz8gNE6yu0xFD2N8:3Yxbl4N0ORA3bz8gnyu0xFD2N8

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistenceransomware

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    defense_evasion
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Windows11DebloaterV205\Config\ezdebloater\ezdebloater.ps1
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Command and Scripting Interpreter: PowerShell
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\system32\bcdedit.exe
      "C:\Windows\system32\bcdedit.exe" /set {current} bootmenupolicy Legacy
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3036
    • C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:(OI)(CI)F
      2⤵
      • Modifies file permissions
      PID:1692
    • C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /grant:r SYSTEM:(OI)(CI)F
      2⤵
      • Modifies file permissions
      PID:2332
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c RD /S /Q %WinDir%\System32\GroupPolicyUsers
      2⤵
        PID:2668
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c RD /S /Q %WinDir%\System32\GroupPolicy
        2⤵
          PID:2408
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c gpupdate /force
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\system32\gpupdate.exe
            gpupdate /force
            3⤵
              PID:560
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000002F8"
          1⤵
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:2352
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005B4" "00000000000003E8"
          1⤵
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:772
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x590
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1480
        • C:\Windows\system32\SearchIndexer.exe
          C:\Windows\system32\SearchIndexer.exe /Embedding
          1⤵
            PID:2444
            • C:\Windows\system32\SearchProtocolHost.exe
              "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
              2⤵
                PID:2148
              • C:\Windows\system32\SearchFilterHost.exe
                "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
                2⤵
                  PID:752
                • C:\Windows\system32\SearchProtocolHost.exe
                  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
                  2⤵
                    PID:2784

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
                  Filesize

                  1024KB

                  MD5

                  51da34a4f22540e7676f7e66bbb3d544

                  SHA1

                  963a8594079797affc9f8761097d2923fbdaaa79

                  SHA256

                  9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6

                  SHA512

                  33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

                  Download Submit

                • memory/2304-6-0x000000001B160000-0x000000001B442000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2304-5-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-7-0x0000000002310000-0x0000000002318000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2304-8-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-9-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-11-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-12-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2304-13-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-14-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-15-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-91-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2304-4-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-62-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-113-0x0000000003660000-0x0000000003668000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-17-0x0000000001840000-0x0000000001850000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2444-68-0x0000000001440000-0x0000000001448000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-70-0x0000000001170000-0x0000000001171000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-79-0x00000000014A0000-0x00000000014A8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-90-0x00000000032D0000-0x00000000032D8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-33-0x0000000001940000-0x0000000001950000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2444-107-0x0000000003660000-0x0000000003661000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-56-0x0000000001440000-0x0000000001448000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-114-0x0000000003940000-0x0000000003948000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-115-0x0000000003930000-0x0000000003931000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-120-0x0000000003A10000-0x0000000003A11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-127-0x0000000003A10000-0x0000000003A18000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-129-0x0000000003A30000-0x0000000003A31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-135-0x0000000004D00000-0x0000000004D08000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-163-0x0000000003650000-0x0000000003658000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-164-0x0000000003640000-0x0000000003641000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2444-169-0x0000000003650000-0x0000000003658000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2444-170-0x0000000003640000-0x0000000003641000-memory.dmp

                  Filesize

                  4KB

                  Download