Analysis
- max time kernel: 40s
- max time network: 46s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20/04/2024, 15:37
Static task: static1
Errors
General
- Target: D34TH 3.0.bat
- Size: 1KB
- MD5: 0f4eb5ba6b7652249cd6f8925cab247f
- SHA1: 6c5174b3f1b62def3d9ca4da34332a812a6a9db4
- SHA256: 298d0085347d70e634a5d8d8487d067666ef8bf25808e7605d860187502f016a
- SHA512: 6b97c3d147a540fc4ab92dcf0bbce8fdaf75dc2ff4680b63ef17a338a8b1e36676b5f3a1fe46a8e8f453bf915fa1ae064aef703ab3b13fe1c45adfa958484788
Malware Config
Signatures
- Drops file in Drivers directory (64 IoCs)
- Manipulates Digital Signatures (2 IoCs)
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
  - File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll (cmd.exe)
  - File opened for modification: C:\Windows\System32\wintrust.dll (cmd.exe)
- Modifies Windows Firewall (2 TTPs, 7 IoCs)
  - PIDs: 3484, 4028, 1776, 2724, 224, 3092, 4556 (netsh.exe)
- Modifies file permissions (1 TTP, 4 IoCs)
  - PIDs: 4528, 416, 5024, 4700 (takeown.exe)
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  - Destination IP: 208.67.222.222 (reported 3 times)
- Drops file in System32 directory (64 IoCs)
- Modifies termsrv.dll (1 TTP, 1 IoC)
  Commonly used to allow simultaneous RDP sessions.
  - File opened for modification: C:\Windows\System32\termsrv.dll (cmd.exe)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utility to view network configuration.
  - PIDs: 660, 4204 (ipconfig.exe)
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  - PID: 3348 (systeminfo.exe)
- Kills process with taskkill (1 IoC)
  - PID: 1604 (taskkill.exe)
- Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings (cmd.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings (OpenWith.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID: 1668 (OpenWith.exe)
- Suspicious use of WriteProcessMemory (40 IoCs)
Processes
- [depth 1] C:\Windows\system32\cmd.exe (PID 900)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\D34TH 3.0.bat"
  Signatures:
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\nslookup.exe (PID 4976)
    Command line: nslookup myip.opendns.com resolver1.opendns.com

  - [depth 2] C:\Windows\system32\netsh.exe (PID 3240)
    Command line: netsh wlan show profiles

  - [depth 2] C:\Windows\system32\ipconfig.exe (PID 4204)
    Command line: ipconfig
    Signatures:
    - Gathers network information

  - [depth 2] C:\Windows\system32\ipconfig.exe (PID 660)
    Command line: ipconfig
    Signatures:
    - Gathers network information

  - [depth 2] C:\Windows\system32\find.exe (PID 2964)
    Command line: find /i "IPv4"

  - [depth 2] C:\Windows\System32\Wbem\WMIC.exe (PID 4784)
    Command line: wmic diskdrive get size
    Signatures:
    - Suspicious use of AdjustPrivilegeToken

  - [depth 2] C:\Windows\System32\Wbem\WMIC.exe (PID 3340)
    Command line: wmic cpu get name
    Signatures:
    - Suspicious use of AdjustPrivilegeToken

  - [depth 2] C:\Windows\system32\systeminfo.exe (PID 3348)
    Command line: systeminfo
    Signatures:
    - Gathers system information
  - [depth 2] C:\Windows\system32\netsh.exe (PID 224)
    Command line: netsh firewall set opmode disable
    Signatures:
    - Modifies Windows Firewall

  - [depth 2] C:\Windows\system32\netsh.exe (PID 3092)
    Command line: netsh firewall set opmode mode=DISABLE
    Signatures:
    - Modifies Windows Firewall

  - [depth 2] C:\Windows\system32\netsh.exe (PID 4556)
    Command line: netsh advfirewall set currentprofile state off
    Signatures:
    - Modifies Windows Firewall

  - [depth 2] C:\Windows\system32\netsh.exe (PID 3484)
    Command line: netsh advfirewall set domainprofile state off
    Signatures:
    - Modifies Windows Firewall

  - [depth 2] C:\Windows\system32\netsh.exe (PID 4028)
    Command line: netsh advfirewall set privateprofile state off
    Signatures:
    - Modifies Windows Firewall

  - [depth 2] C:\Windows\system32\netsh.exe (PID 1776)
    Command line: netsh advfirewall set publicprofile state off
    Signatures:
    - Modifies Windows Firewall

  - [depth 2] C:\Windows\system32\netsh.exe (PID 2724)
    Command line: netsh advfirewall set allprofiles state off
    Signatures:
    - Modifies Windows Firewall
  - [depth 2] C:\Windows\system32\takeown.exe (PID 4528)
    Command line: takeown /f C:\Windows\System32
    Signatures:
    - Modifies file permissions

  - [depth 2] C:\Windows\system32\takeown.exe (PID 416)
    Command line: takeown /f C:\Windows\System
    Signatures:
    - Modifies file permissions

  - [depth 2] C:\Windows\system32\takeown.exe (PID 5024)
    Command line: takeown /f C:\Windows\Boot
    Signatures:
    - Modifies file permissions

  - [depth 2] C:\Windows\system32\takeown.exe (PID 4700)
    Command line: takeown /f C:\Windows\Fonts
    Signatures:
    - Modifies file permissions

  - [depth 2] C:\Windows\system32\taskkill.exe (PID 1604)
    Command line: taskkill /f /im svchost.exe
    Signatures:
    - Kills process with taskkill
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 1668)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures:
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx