8b515e5fef4bf198eb37b562ec30923f3a4724e8c4e93119adcc81e2ff6a4fb1

Analysis

max time kernel
64s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2023, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.bat
Size

2KB
MD5

e201d58f2e7e64828ab5f6ada6c16f55
SHA1

3b8cd942176a020e7bee7ecb9dfe2714111c9d9a
SHA256

8b515e5fef4bf198eb37b562ec30923f3a4724e8c4e93119adcc81e2ff6a4fb1
SHA512

38dfa4892b83a49e37bef44f00c2390efd5b2ad7fbb8f5087b938da762208aa9c8de80c9f9a7fe58f41b32b6aaed2176eceb77ccca9b3960cc573a04cf2b9515

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 9 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3280	netsh.exe
1772	netsh.exe
1868	netsh.exe
4712	netsh.exe
3836	netsh.exe
3076	netsh.exe
3832	netsh.exe
1708	netsh.exe
4256	netsh.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3220	ipconfig.exe
1428	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
232	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: 36	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: 36	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4876	WMIC.exe
Token: SeSecurityPrivilege	4876	WMIC.exe
Token: SeTakeOwnershipPrivilege	4876	WMIC.exe
Token: SeLoadDriverPrivilege	4876	WMIC.exe
Token: SeSystemProfilePrivilege	4876	WMIC.exe
Token: SeSystemtimePrivilege	4876	WMIC.exe
Token: SeProfSingleProcessPrivilege	4876	WMIC.exe
Token: SeIncBasePriorityPrivilege	4876	WMIC.exe
Token: SeCreatePagefilePrivilege	4876	WMIC.exe
Token: SeBackupPrivilege	4876	WMIC.exe
Token: SeRestorePrivilege	4876	WMIC.exe
Token: SeShutdownPrivilege	4876	WMIC.exe
Token: SeDebugPrivilege	4876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4876	WMIC.exe
Token: SeRemoteShutdownPrivilege	4876	WMIC.exe
Token: SeUndockPrivilege	4876	WMIC.exe
Token: SeManageVolumePrivilege	4876	WMIC.exe
Token: 33	4876	WMIC.exe
Token: 34	4876	WMIC.exe
Token: 35	4876	WMIC.exe
Token: 36	4876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4876	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 3800	2724	cmd.exe	86
PID 2724 wrote to memory of 3800	2724	cmd.exe	86
PID 2724 wrote to memory of 996	2724	cmd.exe	87
PID 2724 wrote to memory of 996	2724	cmd.exe	87
PID 2724 wrote to memory of 1428	2724	cmd.exe	88
PID 2724 wrote to memory of 1428	2724	cmd.exe	88
PID 2724 wrote to memory of 3220	2724	cmd.exe	89
PID 2724 wrote to memory of 3220	2724	cmd.exe	89
PID 2724 wrote to memory of 3496	2724	cmd.exe	90
PID 2724 wrote to memory of 3496	2724	cmd.exe	90
PID 2724 wrote to memory of 1212	2724	cmd.exe	91
PID 2724 wrote to memory of 1212	2724	cmd.exe	91
PID 2724 wrote to memory of 4876	2724	cmd.exe	92
PID 2724 wrote to memory of 4876	2724	cmd.exe	92
PID 2724 wrote to memory of 232	2724	cmd.exe	93
PID 2724 wrote to memory of 232	2724	cmd.exe	93
PID 2724 wrote to memory of 1708	2724	cmd.exe	98
PID 2724 wrote to memory of 1708	2724	cmd.exe	98
PID 2724 wrote to memory of 1868	2724	cmd.exe	99
PID 2724 wrote to memory of 1868	2724	cmd.exe	99
PID 2724 wrote to memory of 4256	2724	cmd.exe	100
PID 2724 wrote to memory of 4256	2724	cmd.exe	100
PID 2724 wrote to memory of 4712	2724	cmd.exe	101
PID 2724 wrote to memory of 4712	2724	cmd.exe	101
PID 2724 wrote to memory of 3836	2724	cmd.exe	102
PID 2724 wrote to memory of 3836	2724	cmd.exe	102
PID 2724 wrote to memory of 3280	2724	cmd.exe	104
PID 2724 wrote to memory of 3280	2724	cmd.exe	104
PID 2724 wrote to memory of 1772	2724	cmd.exe	105
PID 2724 wrote to memory of 1772	2724	cmd.exe	105
PID 2724 wrote to memory of 3076	2724	cmd.exe	106
PID 2724 wrote to memory of 3076	2724	cmd.exe	106
PID 2724 wrote to memory of 3832	2724	cmd.exe	107
PID 2724 wrote to memory of 3832	2724	cmd.exe	107
PID 2724 wrote to memory of 3972	2724	cmd.exe	110
PID 2724 wrote to memory of 3972	2724	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Virus.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\system32\nslookup.exe
  nslookup myip.opendns.com resolver1.opendns.com
  2⤵
  PID:3800
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:996
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1428
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3220
- C:\Windows\system32\find.exe
  find /i "IPv4"
  2⤵
  PID:3496
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get size
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:232
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=
  2⤵
  - Modifies Windows Firewall
  PID:1708
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=
  2⤵
  - Modifies Windows Firewall
  PID:1868
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:4256
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  2⤵
  - Modifies Windows Firewall
  PID:4712
- C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:3836
- C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:3280
- C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:1772
- C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:3076
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:3832
- C:\Windows\system32\mode.com
  mode 1000
  2⤵
  PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads