2d2da6c9e5056f5297d34b136d36f0d41716431ac10b9b03914f3bc8d69dc60d

Analysis

max time kernel
18s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOScript V1.35 Optimization Program.bat
Size

15KB
MD5

f72501a2238ea286b58a884955715a79
SHA1

ba9f337268e43c39a3905514cb2c63cacb4b2b93
SHA256

2d2da6c9e5056f5297d34b136d36f0d41716431ac10b9b03914f3bc8d69dc60d
SHA512

06fc4c62adc04502fd67f1eb93d538f394984a39b0e35c855e867ce3e5d817b4f5ffc591d57c1b1fa84b16160af082e35eb8f6782b98b11cd30e003d5d342ddf
SSDEEP

384:F29388dPX4v4K39lSknNX9Fpa0/Lc/27YV:jI

Score

3^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3080	netsh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe
Token: SeSecurityPrivilege	4720	WMIC.exe
Token: SeTakeOwnershipPrivilege	4720	WMIC.exe
Token: SeLoadDriverPrivilege	4720	WMIC.exe
Token: SeSystemProfilePrivilege	4720	WMIC.exe
Token: SeSystemtimePrivilege	4720	WMIC.exe
Token: SeProfSingleProcessPrivilege	4720	WMIC.exe
Token: SeIncBasePriorityPrivilege	4720	WMIC.exe
Token: SeCreatePagefilePrivilege	4720	WMIC.exe
Token: SeBackupPrivilege	4720	WMIC.exe
Token: SeRestorePrivilege	4720	WMIC.exe
Token: SeShutdownPrivilege	4720	WMIC.exe
Token: SeDebugPrivilege	4720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4720	WMIC.exe
Token: SeRemoteShutdownPrivilege	4720	WMIC.exe
Token: SeUndockPrivilege	4720	WMIC.exe
Token: SeManageVolumePrivilege	4720	WMIC.exe
Token: 33	4720	WMIC.exe
Token: 34	4720	WMIC.exe
Token: 35	4720	WMIC.exe
Token: 36	4720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe
Token: SeSecurityPrivilege	4720	WMIC.exe
Token: SeTakeOwnershipPrivilege	4720	WMIC.exe
Token: SeLoadDriverPrivilege	4720	WMIC.exe
Token: SeSystemProfilePrivilege	4720	WMIC.exe
Token: SeSystemtimePrivilege	4720	WMIC.exe
Token: SeProfSingleProcessPrivilege	4720	WMIC.exe
Token: SeIncBasePriorityPrivilege	4720	WMIC.exe
Token: SeCreatePagefilePrivilege	4720	WMIC.exe
Token: SeBackupPrivilege	4720	WMIC.exe
Token: SeRestorePrivilege	4720	WMIC.exe
Token: SeShutdownPrivilege	4720	WMIC.exe
Token: SeDebugPrivilege	4720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4720	WMIC.exe
Token: SeRemoteShutdownPrivilege	4720	WMIC.exe
Token: SeUndockPrivilege	4720	WMIC.exe
Token: SeManageVolumePrivilege	4720	WMIC.exe
Token: 33	4720	WMIC.exe
Token: 34	4720	WMIC.exe
Token: 35	4720	WMIC.exe
Token: 36	4720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe
Token: SeSecurityPrivilege	4720	WMIC.exe
Token: SeTakeOwnershipPrivilege	4720	WMIC.exe
Token: SeLoadDriverPrivilege	4720	WMIC.exe
Token: SeSystemProfilePrivilege	4720	WMIC.exe
Token: SeSystemtimePrivilege	4720	WMIC.exe
Token: SeProfSingleProcessPrivilege	4720	WMIC.exe
Token: SeIncBasePriorityPrivilege	4720	WMIC.exe
Token: SeCreatePagefilePrivilege	4720	WMIC.exe
Token: SeBackupPrivilege	4720	WMIC.exe
Token: SeRestorePrivilege	4720	WMIC.exe
Token: SeShutdownPrivilege	4720	WMIC.exe
Token: SeDebugPrivilege	4720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4720	WMIC.exe
Token: SeRemoteShutdownPrivilege	4720	WMIC.exe
Token: SeUndockPrivilege	4720	WMIC.exe
Token: SeManageVolumePrivilege	4720	WMIC.exe
Token: 33	4720	WMIC.exe
Token: 34	4720	WMIC.exe
Token: 35	4720	WMIC.exe
Token: 36	4720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4720	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4748	4760	cmd.exe	83
PID 4760 wrote to memory of 4748	4760	cmd.exe	83
PID 4748 wrote to memory of 4720	4748	cmd.exe	84
PID 4748 wrote to memory of 4720	4748	cmd.exe	84
PID 4748 wrote to memory of 2504	4748	cmd.exe	85
PID 4748 wrote to memory of 2504	4748	cmd.exe	85
PID 4760 wrote to memory of 1092	4760	cmd.exe	90
PID 4760 wrote to memory of 1092	4760	cmd.exe	90
PID 4760 wrote to memory of 3876	4760	cmd.exe	91
PID 4760 wrote to memory of 3876	4760	cmd.exe	91
PID 4760 wrote to memory of 3820	4760	cmd.exe	92
PID 4760 wrote to memory of 3820	4760	cmd.exe	92
PID 4760 wrote to memory of 4980	4760	cmd.exe	93
PID 4760 wrote to memory of 4980	4760	cmd.exe	93
PID 4760 wrote to memory of 4360	4760	cmd.exe	94
PID 4760 wrote to memory of 4360	4760	cmd.exe	94
PID 4760 wrote to memory of 1212	4760	cmd.exe	95
PID 4760 wrote to memory of 1212	4760	cmd.exe	95
PID 4760 wrote to memory of 4092	4760	cmd.exe	96
PID 4760 wrote to memory of 4092	4760	cmd.exe	96
PID 4760 wrote to memory of 3080	4760	cmd.exe	97
PID 4760 wrote to memory of 3080	4760	cmd.exe	97
PID 4760 wrote to memory of 1472	4760	cmd.exe	98
PID 4760 wrote to memory of 1472	4760	cmd.exe	98
PID 4760 wrote to memory of 3676	4760	cmd.exe	99
PID 4760 wrote to memory of 3676	4760	cmd.exe	99
PID 4760 wrote to memory of 1188	4760	cmd.exe	100
PID 4760 wrote to memory of 1188	4760	cmd.exe	100
PID 4760 wrote to memory of 2000	4760	cmd.exe	101
PID 4760 wrote to memory of 2000	4760	cmd.exe	101
PID 4760 wrote to memory of 2096	4760	cmd.exe	102
PID 4760 wrote to memory of 2096	4760	cmd.exe	102
PID 4760 wrote to memory of 3872	4760	cmd.exe	103
PID 4760 wrote to memory of 3872	4760	cmd.exe	103
PID 4760 wrote to memory of 3956	4760	cmd.exe	104
PID 4760 wrote to memory of 3956	4760	cmd.exe	104
PID 4760 wrote to memory of 4048	4760	cmd.exe	105
PID 4760 wrote to memory of 4048	4760	cmd.exe	105
PID 4760 wrote to memory of 3096	4760	cmd.exe	106
PID 4760 wrote to memory of 3096	4760	cmd.exe	106
PID 4760 wrote to memory of 696	4760	cmd.exe	107
PID 4760 wrote to memory of 696	4760	cmd.exe	107
PID 4760 wrote to memory of 2040	4760	cmd.exe	108
PID 4760 wrote to memory of 2040	4760	cmd.exe	108
PID 4760 wrote to memory of 1504	4760	cmd.exe	109
PID 4760 wrote to memory of 1504	4760	cmd.exe	109
PID 4760 wrote to memory of 4520	4760	cmd.exe	110
PID 4760 wrote to memory of 4520	4760	cmd.exe	110
PID 4760 wrote to memory of 4268	4760	cmd.exe	111
PID 4760 wrote to memory of 4268	4760	cmd.exe	111
PID 4760 wrote to memory of 3748	4760	cmd.exe	112
PID 4760 wrote to memory of 3748	4760	cmd.exe	112
PID 4760 wrote to memory of 2200	4760	cmd.exe	113
PID 4760 wrote to memory of 2200	4760	cmd.exe	113
PID 4760 wrote to memory of 2404	4760	cmd.exe	114
PID 4760 wrote to memory of 2404	4760	cmd.exe	114
PID 4760 wrote to memory of 3300	4760	cmd.exe	115
PID 4760 wrote to memory of 3300	4760	cmd.exe	115
PID 4760 wrote to memory of 4768	4760	cmd.exe	116
PID 4760 wrote to memory of 4768	4760	cmd.exe	116
PID 4760 wrote to memory of 2328	4760	cmd.exe	117
PID 4760 wrote to memory of 2328	4760	cmd.exe	117
PID 4760 wrote to memory of 4748	4760	cmd.exe	83
PID 4760 wrote to memory of 4748	4760	cmd.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NOScript V1.35 Optimization Program.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where "NetEnabled=true" get NetConnectionID,NetEnabled /format:csv | find /i "true"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where "NetEnabled=true" get NetConnectionID,NetEnabled /format:csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\system32\find.exe
    find /i "true"
    3⤵
    PID:2504
- C:\Windows\system32\netsh.exe
  netsh interface ip set global taskoffload=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1092
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global chimney=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3876
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global rss=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3820
- C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4980
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global autotuninglevel=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4360
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global congestionprovider=ctcp
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1212
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global ecncapability=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4092
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global timestamps=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Time Discovery
  PID:3080
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global dca=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1472
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global netdma=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3676
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global rsc=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1188
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global fastopen=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2000
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global initialRto=300ms
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2096
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global minRto=300ms
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3872
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global maxsynRetransmissions=2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3956
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global maxconnections=65535
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4048
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global dynamicport start=1025 num=64511
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3096
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global maxuserport=65534
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:696
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global sackopts=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2040
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global synattackprotect=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1504
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global initialCongestionControlLevel=1
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4520
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global initialCongestionWindow=2
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4268
- C:\Windows\system32\netsh.exe
  netsh interface tcp set global nonlocalsource=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3748
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TcpAckFrequency /t REG_DWORD /d 1 /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters" /v TCPNoDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:3300
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched" /v NonBestEffortLimit /t REG_DWORD /d 0 /f
  2⤵
  PID:4768
- C:\Windows\system32\netsh.exe
  netsh interface set interface "Ethernet" admin=disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads