bfdbc187e2f5d6f0c06d7d96c29a8bec1d8e782f4fcb13466f3b10c9e7498b83

General

Target

OBF15x-1488.bat
Size

12KB
MD5

eacfa5cc7fc9d81a7f9fc51b54e5e9c5
SHA1

2bd45785d9aed1fc61077a9f2a6d971840de8b0e
SHA256

bfdbc187e2f5d6f0c06d7d96c29a8bec1d8e782f4fcb13466f3b10c9e7498b83
SHA512

06dba01c4c68e2d3b46b1d60693ec2c3a887cc3648be65f2600e7addf58f2a1071a874a187bf83bb54f23655384c6982524e2a54597d35ef18219aa36c66f885

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\de-DE\tpm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mountmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\portcls.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rndismpx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srv2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\HdAudio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\modem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\FWPKCLNT.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tdi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vgapnp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ws2ifsl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\1394ohci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\disk.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\http.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hdaudbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\MTConfig.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mspclock.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rspndr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\usbport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\luafv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\vdrvroot.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\pacer.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\rndismp6.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wdf01000.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\AGP440.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\bthport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\RNDISMP.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pcw.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bowser.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BrParwdm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\kbdclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\MTConfig.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\usbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksthunk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\atikmdag.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BTHUSB.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\http.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\srv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\serscan.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Diskdump.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Dumpata.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\pci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\pscr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mrxdav.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\umbus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\HdAudio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\partmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\portcls.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\tcpip.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\vdrvroot.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\vwifibus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\bthpan.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\rndismpx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\tcpip.sys.mui	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exe

pid process

652 takeown.exe

pid	process
652	takeown.exe

Drops file in System32 directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\migwiz\DLMANI~1\authui-DL.man	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR6193~1.INF\prnrc00c.cat	cmd.exe
File opened for modification	C:\Windows\System32\FXSCOM.dll	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\ja-JP\about_Assignment_Operators.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR9A57~1.INF\Amd64\CNB_0281.DLL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\battery.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\wpcumi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\SMBHelperClass.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\Registry.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\CXRAPT~3.INF\cxraptor_merlinc.rom	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMBW5~1.INF\mdmbw561.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR7DAE~1.INF\Amd64\BRH2170W.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY3~3.INF\prnky304.inf	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\WSMan.Format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\srcore.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRDD90~1.INF\Amd64\CNBBLP2.GPD	cmd.exe
File opened for modification	C:\Windows\System32\en-US\lmhsvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\ja-JP\about_debuggers.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\ja-JP\about_methods.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRAE2B~1.INF\Amd64\EP0NH431.DLL	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\CertEnrollCtrl.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\wwanconn.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR9A57~1.INF\Amd64\CNB7TEAA.ICM	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNEP0~2.INF\Amd64\EP0LB040.GPD	cmd.exe
File opened for modification	C:\Windows\System32\en-US\userinit.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\msshavmsg.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\de-DE\winlogon.mfl	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNCA0~3.INF\Amd64\CNBJOP8L.DLL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNSV0~2.INF\Amd64\SV8025E6.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WSTORV~1.INF\storvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\en-US\setupapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\wpcumi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\faultrep.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMCXP~1.INF\VSTProf.cty	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY0~2.INF\Amd64\KYFS3900.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIABR0~2.INF\wiabr004.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\tsprint.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\sdiagprv.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\sysdm.cpl.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\mofcomp.exe	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\NETXEX~1.INF\netxex64.PNF	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\upnp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\sigverif.exe	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MPIO~2.INF\mpio.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~1.INF\Amd64\HPZIPR12.DLL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR51DC~1.INF\Amd64\KYTS300J.PPD	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\DevicePairingProxy.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\sppuinotify.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\migwiz\DLMANI~1\MICROS~1\adammigrate.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\prnky006.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIALX0~3.INF\lxa3comc.DLL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\disk.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\prnrc007.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\secinit.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\de-DE\xml.xsl	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNLE0~1.INF\Amd64\LR131NL.GPD	cmd.exe
File opened for modification	C:\Windows\System32\en-US\MigAutoPlay.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WSDApi.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\BRMFCS~1.INF\brmfcsto.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~2.INF\Amd64\hpd1500t.xml	cmd.exe
File opened for modification	C:\Windows\System32\whealogr.dll	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\de-DE\about_profiles.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR6FA0~1.INF\Amd64\kyw7aut8.ini	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\xpsrchvw.exe.mui	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 652 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	652	takeown.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 752 wrote to memory of 652	752	cmd.exe	takeown.exe
PID 752 wrote to memory of 652	752	cmd.exe	takeown.exe
PID 752 wrote to memory of 652	752	cmd.exe	takeown.exe
PID 752 wrote to memory of 984	752	cmd.exe	shutdown.exe
PID 752 wrote to memory of 984	752	cmd.exe	shutdown.exe
PID 752 wrote to memory of 984	752	cmd.exe	shutdown.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OBF15x-1488.bat"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\shutdown.exe
shutdown shutdown -r -t 0
2⤵
PID:984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-55-0x0000000000000000-mapping.dmp

Download
memory/984-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads