83b8a52adde102c118a5c8a47fc9e83155601e0ab423b1887fa68a5e34cce1e6

Analysis

max time kernel
139s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Пак/Специальн. твики/Network_Tweaks.bat
Size

3KB
MD5

257c9ccd5fa59498dbfcf75b07f30a73
SHA1

cd333e7847a91200d7281bc6d14f864908b1acfd
SHA256

d0a0f15415723601124794ccf93271fb5fac14b7c00c160dbddb7794968e802f
SHA512

26ebdc68c18a3006972030e32b05b69a9d949e10a312833818749aa109065f359a5eb5346d8ffe6c99dc3fc98f55aa7d384247d3e9fd3166605bbe901e4033f7

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
708	powershell.exe
708	powershell.exe
2720	powershell.exe
2720	powershell.exe
4352	powershell.exe
4352	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	powershell.exe
Token: SeIncreaseQuotaPrivilege	708	powershell.exe
Token: SeSecurityPrivilege	708	powershell.exe
Token: SeTakeOwnershipPrivilege	708	powershell.exe
Token: SeLoadDriverPrivilege	708	powershell.exe
Token: SeSystemProfilePrivilege	708	powershell.exe
Token: SeSystemtimePrivilege	708	powershell.exe
Token: SeProfSingleProcessPrivilege	708	powershell.exe
Token: SeIncBasePriorityPrivilege	708	powershell.exe
Token: SeCreatePagefilePrivilege	708	powershell.exe
Token: SeBackupPrivilege	708	powershell.exe
Token: SeRestorePrivilege	708	powershell.exe
Token: SeShutdownPrivilege	708	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeSystemEnvironmentPrivilege	708	powershell.exe
Token: SeRemoteShutdownPrivilege	708	powershell.exe
Token: SeUndockPrivilege	708	powershell.exe
Token: SeManageVolumePrivilege	708	powershell.exe
Token: 33	708	powershell.exe
Token: 34	708	powershell.exe
Token: 35	708	powershell.exe
Token: 36	708	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeIncreaseQuotaPrivilege	2720	powershell.exe
Token: SeSecurityPrivilege	2720	powershell.exe
Token: SeTakeOwnershipPrivilege	2720	powershell.exe
Token: SeLoadDriverPrivilege	2720	powershell.exe
Token: SeSystemProfilePrivilege	2720	powershell.exe
Token: SeSystemtimePrivilege	2720	powershell.exe
Token: SeProfSingleProcessPrivilege	2720	powershell.exe
Token: SeIncBasePriorityPrivilege	2720	powershell.exe
Token: SeCreatePagefilePrivilege	2720	powershell.exe
Token: SeBackupPrivilege	2720	powershell.exe
Token: SeRestorePrivilege	2720	powershell.exe
Token: SeShutdownPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeSystemEnvironmentPrivilege	2720	powershell.exe
Token: SeRemoteShutdownPrivilege	2720	powershell.exe
Token: SeUndockPrivilege	2720	powershell.exe
Token: SeManageVolumePrivilege	2720	powershell.exe
Token: 33	2720	powershell.exe
Token: 34	2720	powershell.exe
Token: 35	2720	powershell.exe
Token: 36	2720	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4352	powershell.exe
Token: SeSecurityPrivilege	4352	powershell.exe
Token: SeTakeOwnershipPrivilege	4352	powershell.exe
Token: SeLoadDriverPrivilege	4352	powershell.exe
Token: SeSystemProfilePrivilege	4352	powershell.exe
Token: SeSystemtimePrivilege	4352	powershell.exe
Token: SeProfSingleProcessPrivilege	4352	powershell.exe
Token: SeIncBasePriorityPrivilege	4352	powershell.exe
Token: SeCreatePagefilePrivilege	4352	powershell.exe
Token: SeBackupPrivilege	4352	powershell.exe
Token: SeRestorePrivilege	4352	powershell.exe
Token: SeShutdownPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeSystemEnvironmentPrivilege	4352	powershell.exe
Token: SeRemoteShutdownPrivilege	4352	powershell.exe
Token: SeUndockPrivilege	4352	powershell.exe
Token: SeManageVolumePrivilege	4352	powershell.exe
Token: 33	4352	powershell.exe
Token: 34	4352	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4960	4944	cmd.exe	92
PID 4944 wrote to memory of 4960	4944	cmd.exe	92
PID 4944 wrote to memory of 2824	4944	cmd.exe	97
PID 4944 wrote to memory of 2824	4944	cmd.exe	97
PID 4944 wrote to memory of 4820	4944	cmd.exe	98
PID 4944 wrote to memory of 4820	4944	cmd.exe	98
PID 4944 wrote to memory of 5112	4944	cmd.exe	99
PID 4944 wrote to memory of 5112	4944	cmd.exe	99
PID 4944 wrote to memory of 4460	4944	cmd.exe	100
PID 4944 wrote to memory of 4460	4944	cmd.exe	100
PID 4944 wrote to memory of 1164	4944	cmd.exe	101
PID 4944 wrote to memory of 1164	4944	cmd.exe	101
PID 4944 wrote to memory of 4184	4944	cmd.exe	102
PID 4944 wrote to memory of 4184	4944	cmd.exe	102
PID 4944 wrote to memory of 3972	4944	cmd.exe	103
PID 4944 wrote to memory of 3972	4944	cmd.exe	103
PID 4944 wrote to memory of 3380	4944	cmd.exe	104
PID 4944 wrote to memory of 3380	4944	cmd.exe	104
PID 4944 wrote to memory of 832	4944	cmd.exe	105
PID 4944 wrote to memory of 832	4944	cmd.exe	105
PID 4944 wrote to memory of 4692	4944	cmd.exe	106
PID 4944 wrote to memory of 4692	4944	cmd.exe	106
PID 4944 wrote to memory of 3264	4944	cmd.exe	107
PID 4944 wrote to memory of 3264	4944	cmd.exe	107
PID 4944 wrote to memory of 3812	4944	cmd.exe	108
PID 4944 wrote to memory of 3812	4944	cmd.exe	108
PID 4944 wrote to memory of 3996	4944	cmd.exe	109
PID 4944 wrote to memory of 3996	4944	cmd.exe	109
PID 4944 wrote to memory of 708	4944	cmd.exe	110
PID 4944 wrote to memory of 708	4944	cmd.exe	110
PID 4944 wrote to memory of 2720	4944	cmd.exe	112
PID 4944 wrote to memory of 2720	4944	cmd.exe	112
PID 4944 wrote to memory of 4352	4944	cmd.exe	114
PID 4944 wrote to memory of 4352	4944	cmd.exe	114
PID 4944 wrote to memory of 3280	4944	cmd.exe	115
PID 4944 wrote to memory of 3280	4944	cmd.exe	115
PID 4944 wrote to memory of 4372	4944	cmd.exe	116
PID 4944 wrote to memory of 4372	4944	cmd.exe	116
PID 4944 wrote to memory of 3136	4944	cmd.exe	117
PID 4944 wrote to memory of 3136	4944	cmd.exe	117
PID 4944 wrote to memory of 5012	4944	cmd.exe	119
PID 4944 wrote to memory of 5012	4944	cmd.exe	119
PID 4944 wrote to memory of 4200	4944	cmd.exe	118
PID 4944 wrote to memory of 4200	4944	cmd.exe	118
PID 4944 wrote to memory of 1764	4944	cmd.exe	122
PID 4944 wrote to memory of 1764	4944	cmd.exe	122
PID 4944 wrote to memory of 4876	4944	cmd.exe	120
PID 4944 wrote to memory of 4876	4944	cmd.exe	120
PID 4944 wrote to memory of 1204	4944	cmd.exe	121
PID 4944 wrote to memory of 1204	4944	cmd.exe	121
PID 4944 wrote to memory of 2344	4944	cmd.exe	124
PID 4944 wrote to memory of 2344	4944	cmd.exe	124
PID 4944 wrote to memory of 4112	4944	cmd.exe	123
PID 4944 wrote to memory of 4112	4944	cmd.exe	123
PID 4944 wrote to memory of 2000	4944	cmd.exe	125
PID 4944 wrote to memory of 2000	4944	cmd.exe	125
PID 4944 wrote to memory of 1516	4944	cmd.exe	126
PID 4944 wrote to memory of 1516	4944	cmd.exe	126
PID 4944 wrote to memory of 3348	4944	cmd.exe	127
PID 4944 wrote to memory of 3348	4944	cmd.exe	127
PID 4944 wrote to memory of 1164	4944	cmd.exe	128
PID 4944 wrote to memory of 1164	4944	cmd.exe	128
PID 4944 wrote to memory of 3788	4944	cmd.exe	130
PID 4944 wrote to memory of 3788	4944	cmd.exe	130

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Пак\Специальн. твики\Network_Tweaks.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=disabled
  2⤵
  PID:4960
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  PID:2824
- C:\Windows\system32\netsh.exe
  netsh int tcp set global dca=enabled
  2⤵
  PID:4820
- C:\Windows\system32\netsh.exe
  netsh int tcp set global netdma=enabled
  2⤵
  PID:5112
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=disabled
  2⤵
  PID:4460
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rss=enabled
  2⤵
  PID:1164
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  PID:4184
- C:\Windows\system32\netsh.exe
  netsh int tcp set global initialRto=2000
  2⤵
  PID:3972
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  PID:3380
- C:\Windows\system32\netsh.exe
  netsh int tcp set global maxsynretransmissions=2
  2⤵
  PID:832
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled
  2⤵
  PID:4692
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  PID:3264
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  PID:3812
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetTCPSetting -SettingName InternetCustom -MinRto 300"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetTCPSetting -SettingName InternetCustom -InitialCongestionWindow 10"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-NetOffloadGlobalSetting -Chimney Disabled"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
  2⤵
  PID:3280
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "1" /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
  2⤵
  PID:3136
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "UseDelayedAcceptance" /t REG_DWORD /d "0" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MaxSockAddrLength" /t REG_DWORD /d "16" /f
  2⤵
  PID:1204
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "30" /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:4112
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MinSockAddrLength" /t REG_DWORD /d "16" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:3348
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:3116
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3648
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:1344
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DoNotHoldNicBuffers" /t REG_DWORD /d "1" /f
  2⤵
  PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:3580
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:5052
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:1684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:4496
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6103fe5d5027cab041f301df51eac4c4

SHA1
c657565a144127c840a918019386d0215fd8c344

SHA256
417c4cb2b29babf944e6c41ea1b362908782127c5894ef0fe3372abc855fbfd3

SHA512
6a2ec9fb27a748a8de37064cca4464dbe2758b0711e6622c8ff6f2dccd8b332d933abc8014dfe22e0a86659211fc7c394d9ccbf965d1f253e4cf59ebb290d9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ff6ca6c8af16c7c43be05954f5fe433

SHA1
86fee6a5ce41340f80d9ee7106f79b40c4a8fba4

SHA256
b09faf9f77172902efb437763be280eeb1e461f3e484de4cafa43acb5aced7cb

SHA512
6737e7e23b65ab1b4a6760882c12fccb18b4596402a8bfb428790e42cba4062e57a661b7111aae493ed2509deca57c06d16ee4643c4cd4195786786bda898e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a8c7052d0ceb101afa3a8164ecfb3c6

SHA1
1e5a09e16e6d45401910dd4afb09edfed0233469

SHA256
eea7d90996add012a77d3f99b6fc59faed70e59f9bd3bb70c3342000bd802085

SHA512
c749a048e3dfbc52bb57c65a3eeb25831d3e6c5f7c2027afb71008cf8acdaaf3af2720d34469f0ea7d977408eee0139b0734ac5ea399a35bca3896c2a0e87dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0cvcpkq.0uv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/708-9-0x000001E5ED920000-0x000001E5ED942000-memory.dmp

Filesize
136KB

Download
memory/708-10-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/708-11-0x000001E5D3050000-0x000001E5D3060000-memory.dmp

Filesize
64KB

Download
memory/708-12-0x000001E5D3050000-0x000001E5D3060000-memory.dmp

Filesize
64KB

Download
memory/708-13-0x000001E5D3050000-0x000001E5D3060000-memory.dmp

Filesize
64KB

Download
memory/708-16-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/2720-18-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/2720-19-0x0000027F6A3D0000-0x0000027F6A3E0000-memory.dmp

Filesize
64KB

Download
memory/2720-31-0x0000027F6A3D0000-0x0000027F6A3E0000-memory.dmp

Filesize
64KB

Download
memory/2720-33-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/2720-20-0x0000027F6A3D0000-0x0000027F6A3E0000-memory.dmp

Filesize
64KB

Download
memory/4352-43-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download
memory/4352-45-0x000001C477920000-0x000001C477930000-memory.dmp

Filesize
64KB

Download
memory/4352-46-0x000001C477920000-0x000001C477930000-memory.dmp

Filesize
64KB

Download
memory/4352-48-0x00007FFC6CE40000-0x00007FFC6D901000-memory.dmp

Filesize
10.8MB

Download