4392461d55c1d6c71b95d8b92b544c8c3260c3e9cfe76f56507b4ac15d8bcad1

Resubmissions

19-04-2024 11:45

240419-nw88dsag38 10

19-04-2024 11:43

240419-nv23pabf2x 3

19-04-2024 10:25

240419-mf6a5agh7t 10

Analysis

max time kernel
92s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D34TH 2.0 .bat
Size

1KB
MD5

8ee9033a02ee6fc3b932b694c1bc631c
SHA1

6d64ea5dadd6d5098342213a1cf354896b8a3963
SHA256

1609a6c649ea074815ce85da21935137e9c79c79a41088a6f7e99a56bd20340d
SHA512

f1735b2a7f4b384cf3a82f17e2834912f04d554350d6a03dd1ff6b55efb161e900ae14bd1c337f40d4692d390a726219c85d3a8df6164bac73e2f5c3d38d6a91

Score

8^/10

discovery evasion

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\volsnap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WUDFRd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\IPMIDRV.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\smbdirect.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBCAMD2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wmilib.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\afd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hwpolicy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\scfilter.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmstorfl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\errdev.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Acx01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tcpip.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vmgid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bthport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dam.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tpm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ipnat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\NdisVirtualBus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tbs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\bowser.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\flpydisk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\EhStorTcgDrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msisadrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mshidkmdf.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mspclock.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\UcmCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cnghwassist.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidi2c.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\HyperVideo.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\intelpmax.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Wdf01000.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kbldfltr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wfplwfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sdbus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volmgrx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBAUDIO.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BthMini.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mup.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndiswan.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\terminpt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpiex.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fs_rec.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\luafv.sys	cmd.exe
File opened for modification	C:\Windows\sysWOW64\drivers\gm.dls	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SerCx2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volsnap.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pdc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidparse.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\portcfg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\RNDISMP.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UcmCx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbcir.sys	cmd.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\wintrust.dll	cmd.exe

Modifies Windows Firewall 2 TTPs 7 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1028	netsh.exe
436	netsh.exe
3544	netsh.exe
3696	netsh.exe
5012	netsh.exe
2856	netsh.exe
4028	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4448	takeown.exe
4212	takeown.exe
2632	takeown.exe
3852	takeown.exe
2760	takeown.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\errdev.inf_amd64_616c5168a5b1807a\errdev.sys	cmd.exe
File opened for modification	C:\Windows\System32\en-US\mycomput.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\wuapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\kdnet_uart16550.dll	cmd.exe
File opened for modification	C:\Windows\System32\MPSSVC.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\es-ES\sxstrace.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\uxtheme.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.Types.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\sens.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\SPACEP~1.INF\spaceport.inf	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\lpr.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\PR3CDC~1\ProfessionalWorkstation-Volume-CSVLK-1-ul-oob-rtm.xrm-ms	cmd.exe
File opened for modification	C:\Windows\sysWOW64\iprop.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\cht4vx64.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\dot3msm.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Locator.exe	cmd.exe
File opened for modification	C:\Windows\System32\UevAgentPolicyGenerator.exe	cmd.exe
File opened for modification	C:\Windows\System32\pifmgr.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NTPRIN~3.INF\Amd64\STDSCHEM.GDL	cmd.exe
File opened for modification	C:\Windows\System32\rasapi32.dll	cmd.exe
File opened for modification	C:\Windows\System32\twinapi.appcore.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\en-US\wmiprop.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\printui.exe	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\attrib.exe.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\PasswordOnWakeSettingFlyout.exe	cmd.exe
File opened for modification	C:\Windows\sysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterVPort.Format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\ping.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\RpcNs4.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\da-DK\quickassist.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\vdsdyn.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\adtschema.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\HidCfu.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\es-ES\perfhost.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wave.inf_amd64_8e8496aa33c0a7f6\wave.inf	cmd.exe
File opened for modification	C:\Windows\System32\spool\tools\it-IT\PrintBrm.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\UserStateWMIProvider.mof	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\aclui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\WMIsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\tzutil.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\NetworkStatus.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\cewmdm.dll	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\sdcpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\downlevel\API-MS-Win-devices-config-L1-1-0.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\en-US\wlangpui.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\SettingSyncCore.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\uk-UA\winver.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\Windows.Cortana.Desktop.dll	cmd.exe
File opened for modification	C:\Windows\sysWOW64\en-US\csrsrv.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\mode.com	cmd.exe
File opened for modification	C:\Windows\sysWOW64\spp\tokens\skus\CSVLK-~1\csvlk-pack-Volume-CSVLK-3-ul-oob-rtm.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\dmocx.dll	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\diagperf.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\LsaIso.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.sys	cmd.exe
File opened for modification	C:\Windows\System32\en-US\SettingsHandlers_Display.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fdprint.dll	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\microsoft-windows-kernel-pnp-events.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ras\pad.inf	cmd.exe
File opened for modification	C:\Windows\System32\mssrch.dll	cmd.exe
File opened for modification	C:\Windows\System32\uk-UA\wlansvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\fc.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\mprddm.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\it-IT\occache.dll.mui	cmd.exe
File opened for modification	C:\Windows\sysWOW64\it-IT\uicom.dll.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Boot\DVD\PCAT\etfsboot.com	cmd.exe
File opened for modification	C:\Windows\Fonts\85855.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\vgasysg.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\verdanaz.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\ja-JP\memtest.efi.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\phagspa.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\serifee.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\framdit.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\jvgafix.fon	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\fr-FR\bootmgr.efi.mui	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\kd_02_10df.dll	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\sk-SK\bootmgfw.efi.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\vga860.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\vgafixg.fon	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\en-US\bootmgfw.efi.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\sere1255.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\SitkaI.ttc	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\zh-TW\memtest.efi.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\script.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\consolab.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\holomdl2.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\palabi.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\nl-NL\bootmgfw.efi.mui	cmd.exe
File opened for modification	C:\Windows\Boot\Fonts\malgun_boot.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\PCAT\da-DK\memtest.exe.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\couri.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\smae1257.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\verdana.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\kdnet_uart16550.dll	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\85s874.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\vgas1257.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\cga40857.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\couf1256.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\serifet.fon	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\memtest.efi	cmd.exe
File opened for modification	C:\Windows\Boot\PCAT\sv-SE\memtest.exe.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\verdanab.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\comicbd.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\ega40850.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\vgasys.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\j8514oem.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\palai.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\segoeui.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\lt-LT\bootmgfw.efi.mui	cmd.exe
File opened for modification	C:\Windows\Boot\PCAT\es-ES\bootmgr.exe.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\cambriai.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\app852.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\app857.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\couf1255.fon	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\en-GB\bootmgfw.efi.mui	cmd.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	cmd.exe
File opened for modification	C:\Windows\Fonts\85f1255.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\cga80woa.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\tahomabd.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\de-DE\memtest.efi.mui	cmd.exe
File opened for modification	C:\Windows\Fonts\vga861.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\vga932.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\8514syst.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\phagspab.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\segoeuisl.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\smaf1256.fon	cmd.exe
File opened for modification	C:\Windows\Fonts\trebucbd.ttf	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\lt-LT\bootmgr.efi.mui	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4284	ipconfig.exe
3924	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1648	systeminfo.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1948	taskkill.exe
4400	taskkill.exe
2096	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2848	NOTEPAD.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1248	WMIC.exe
Token: SeSecurityPrivilege	1248	WMIC.exe
Token: SeTakeOwnershipPrivilege	1248	WMIC.exe
Token: SeLoadDriverPrivilege	1248	WMIC.exe
Token: SeSystemProfilePrivilege	1248	WMIC.exe
Token: SeSystemtimePrivilege	1248	WMIC.exe
Token: SeProfSingleProcessPrivilege	1248	WMIC.exe
Token: SeIncBasePriorityPrivilege	1248	WMIC.exe
Token: SeCreatePagefilePrivilege	1248	WMIC.exe
Token: SeBackupPrivilege	1248	WMIC.exe
Token: SeRestorePrivilege	1248	WMIC.exe
Token: SeShutdownPrivilege	1248	WMIC.exe
Token: SeDebugPrivilege	1248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1248	WMIC.exe
Token: SeRemoteShutdownPrivilege	1248	WMIC.exe
Token: SeUndockPrivilege	1248	WMIC.exe
Token: SeManageVolumePrivilege	1248	WMIC.exe
Token: 33	1248	WMIC.exe
Token: 34	1248	WMIC.exe
Token: 35	1248	WMIC.exe
Token: 36	1248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1248	WMIC.exe
Token: SeSecurityPrivilege	1248	WMIC.exe
Token: SeTakeOwnershipPrivilege	1248	WMIC.exe
Token: SeLoadDriverPrivilege	1248	WMIC.exe
Token: SeSystemProfilePrivilege	1248	WMIC.exe
Token: SeSystemtimePrivilege	1248	WMIC.exe
Token: SeProfSingleProcessPrivilege	1248	WMIC.exe
Token: SeIncBasePriorityPrivilege	1248	WMIC.exe
Token: SeCreatePagefilePrivilege	1248	WMIC.exe
Token: SeBackupPrivilege	1248	WMIC.exe
Token: SeRestorePrivilege	1248	WMIC.exe
Token: SeShutdownPrivilege	1248	WMIC.exe
Token: SeDebugPrivilege	1248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1248	WMIC.exe
Token: SeRemoteShutdownPrivilege	1248	WMIC.exe
Token: SeUndockPrivilege	1248	WMIC.exe
Token: SeManageVolumePrivilege	1248	WMIC.exe
Token: 33	1248	WMIC.exe
Token: 34	1248	WMIC.exe
Token: 35	1248	WMIC.exe
Token: 36	1248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe
Token: 33	3952	WMIC.exe
Token: 34	3952	WMIC.exe
Token: 35	3952	WMIC.exe
Token: 36	3952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 1828	3400	cmd.exe	90
PID 3400 wrote to memory of 1828	3400	cmd.exe	90
PID 3400 wrote to memory of 3824	3400	cmd.exe	91
PID 3400 wrote to memory of 3824	3400	cmd.exe	91
PID 3400 wrote to memory of 4284	3400	cmd.exe	92
PID 3400 wrote to memory of 4284	3400	cmd.exe	92
PID 3400 wrote to memory of 3924	3400	cmd.exe	93
PID 3400 wrote to memory of 3924	3400	cmd.exe	93
PID 3400 wrote to memory of 2220	3400	cmd.exe	94
PID 3400 wrote to memory of 2220	3400	cmd.exe	94
PID 3400 wrote to memory of 1248	3400	cmd.exe	95
PID 3400 wrote to memory of 1248	3400	cmd.exe	95
PID 3400 wrote to memory of 3952	3400	cmd.exe	97
PID 3400 wrote to memory of 3952	3400	cmd.exe	97
PID 3400 wrote to memory of 1648	3400	cmd.exe	98
PID 3400 wrote to memory of 1648	3400	cmd.exe	98
PID 3400 wrote to memory of 2856	3400	cmd.exe	100
PID 3400 wrote to memory of 2856	3400	cmd.exe	100
PID 3400 wrote to memory of 4028	3400	cmd.exe	101
PID 3400 wrote to memory of 4028	3400	cmd.exe	101
PID 3400 wrote to memory of 1028	3400	cmd.exe	102
PID 3400 wrote to memory of 1028	3400	cmd.exe	102
PID 3400 wrote to memory of 436	3400	cmd.exe	103
PID 3400 wrote to memory of 436	3400	cmd.exe	103
PID 3400 wrote to memory of 3544	3400	cmd.exe	104
PID 3400 wrote to memory of 3544	3400	cmd.exe	104
PID 3400 wrote to memory of 3696	3400	cmd.exe	105
PID 3400 wrote to memory of 3696	3400	cmd.exe	105
PID 3400 wrote to memory of 5012	3400	cmd.exe	106
PID 3400 wrote to memory of 5012	3400	cmd.exe	106
PID 3400 wrote to memory of 2848	3400	cmd.exe	107
PID 3400 wrote to memory of 2848	3400	cmd.exe	107
PID 3400 wrote to memory of 4448	3400	cmd.exe	108
PID 3400 wrote to memory of 4448	3400	cmd.exe	108
PID 3400 wrote to memory of 4212	3400	cmd.exe	111
PID 3400 wrote to memory of 4212	3400	cmd.exe	111
PID 3400 wrote to memory of 2632	3400	cmd.exe	112
PID 3400 wrote to memory of 2632	3400	cmd.exe	112
PID 3400 wrote to memory of 3852	3400	cmd.exe	113
PID 3400 wrote to memory of 3852	3400	cmd.exe	113
PID 3400 wrote to memory of 2760	3400	cmd.exe	114
PID 3400 wrote to memory of 2760	3400	cmd.exe	114
PID 3400 wrote to memory of 1508	3400	cmd.exe	115
PID 3400 wrote to memory of 1508	3400	cmd.exe	115
PID 1508 wrote to memory of 2020	1508	net.exe	116
PID 1508 wrote to memory of 2020	1508	net.exe	116
PID 3400 wrote to memory of 2764	3400	cmd.exe	117
PID 3400 wrote to memory of 2764	3400	cmd.exe	117
PID 2764 wrote to memory of 1236	2764	net.exe	118
PID 2764 wrote to memory of 1236	2764	net.exe	118
PID 3400 wrote to memory of 1948	3400	cmd.exe	119
PID 3400 wrote to memory of 1948	3400	cmd.exe	119
PID 3400 wrote to memory of 4400	3400	cmd.exe	120
PID 3400 wrote to memory of 4400	3400	cmd.exe	120
PID 3400 wrote to memory of 2096	3400	cmd.exe	121
PID 3400 wrote to memory of 2096	3400	cmd.exe	121

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\D34TH 2.0 .bat"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Drops file in System32 directory
- Modifies termsrv.dll
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\system32\nslookup.exe
  nslookup myip.opendns.com resolver1.opendns.com
  2⤵
  PID:1828
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  PID:3824
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:4284
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3924
- C:\Windows\system32\find.exe
  find /i "IPv4"
  2⤵
  PID:2220
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get size
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1648
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:2856
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  2⤵
  - Modifies Windows Firewall
  PID:4028
- C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:1028
- C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:436
- C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:3544
- C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  2⤵
  - Modifies Windows Firewall
  PID:3696
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:5012
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\F.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2848
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32
  2⤵
  - Modifies file permissions
  PID:4448
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System
  2⤵
  - Modifies file permissions
  PID:4212
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\Boot
  2⤵
  - Modifies file permissions
  PID:2632
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\Fonts
  2⤵
  - Modifies file permissions
  PID:3852
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysWOW64
  2⤵
  - Modifies file permissions
  PID:2760
- C:\Windows\system32\net.exe
  net stop "Windows Defender Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Windows Defender Service"
    3⤵
    PID:2020
- C:\Windows\system32\net.exe
  net stop "Windows Firewall"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall"
    3⤵
    PID:1236
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "chrome.exe" /T
  2⤵
  - Kills process with taskkill
  PID:1948
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "firefox.exe" /T
  2⤵
  - Kills process with taskkill
  PID:4400
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "explorer.exe" /T
  2⤵
  - Kills process with taskkill
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F.log

Filesize
2KB

MD5
8741a36e9619f98bb4baa86c9c36a729

SHA1
ed3f938d6655e009980cf3955545d90e743975c9

SHA256
0760e7c888d1c427d02a6baf57f2e84f9924a3462a4e465ea3d2f0c0961a0b1d

SHA512
efb7a8317d642c2eaad5b25d4a001504066f3bbdc668e0e1057dc3b7b1dacbe8d433c4b4b0c15753ea882db8c188c6b30765ff1b7b8c87270758bcadf0909f70

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads