1398040f2bc658281e60c22f07f6b27a57499f4692af547d56e360334efde22d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lifenz utility tweak private.bat
Size

243KB
MD5

a38c931542f83c5593b7db0ad318bb3e
SHA1

fde8e7f2d9e7423c08e2231e975b64403a4f40ea
SHA256

1398040f2bc658281e60c22f07f6b27a57499f4692af547d56e360334efde22d
SHA512

b7c29ca20e75ecd93d73085d83d23c422c44b7f378a226b6ebda8a6735a18d8ea2ea0d89a1c963f74f750e022e666c6d426f9c64b5e9334e1b7fe900ec22fe75
SSDEEP

1536:J8HHksY/fjXmamnUk01vmeAkEsDmnUk01tr1edkvC6cM/rwdrwbW+mEWm:WksTswZq6Y

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2460	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 1220	2632	cmd.exe	32
PID 2632 wrote to memory of 1220	2632	cmd.exe	32
PID 2632 wrote to memory of 1220	2632	cmd.exe	32
PID 2632 wrote to memory of 2964	2632	cmd.exe	33
PID 2632 wrote to memory of 2964	2632	cmd.exe	33
PID 2632 wrote to memory of 2964	2632	cmd.exe	33
PID 2632 wrote to memory of 2460	2632	cmd.exe	34
PID 2632 wrote to memory of 2460	2632	cmd.exe	34
PID 2632 wrote to memory of 2460	2632	cmd.exe	34
PID 2632 wrote to memory of 2328	2632	cmd.exe	35
PID 2632 wrote to memory of 2328	2632	cmd.exe	35
PID 2632 wrote to memory of 2328	2632	cmd.exe	35
PID 2632 wrote to memory of 2444	2632	cmd.exe	36
PID 2632 wrote to memory of 2444	2632	cmd.exe	36
PID 2632 wrote to memory of 2444	2632	cmd.exe	36
PID 2444 wrote to memory of 2520	2444	cmd.exe	37
PID 2444 wrote to memory of 2520	2444	cmd.exe	37
PID 2444 wrote to memory of 2520	2444	cmd.exe	37
PID 2444 wrote to memory of 1112	2444	cmd.exe	38
PID 2444 wrote to memory of 1112	2444	cmd.exe	38
PID 2444 wrote to memory of 1112	2444	cmd.exe	38
PID 2632 wrote to memory of 2732	2632	cmd.exe	40
PID 2632 wrote to memory of 2732	2632	cmd.exe	40
PID 2632 wrote to memory of 2732	2632	cmd.exe	40
PID 2632 wrote to memory of 2748	2632	cmd.exe	41
PID 2632 wrote to memory of 2748	2632	cmd.exe	41
PID 2632 wrote to memory of 2748	2632	cmd.exe	41
PID 2632 wrote to memory of 1956	2632	cmd.exe	43
PID 2632 wrote to memory of 1956	2632	cmd.exe	43
PID 2632 wrote to memory of 1956	2632	cmd.exe	43
PID 2632 wrote to memory of 2804	2632	cmd.exe	44
PID 2632 wrote to memory of 2804	2632	cmd.exe	44
PID 2632 wrote to memory of 2804	2632	cmd.exe	44
PID 2632 wrote to memory of 2772	2632	cmd.exe	45
PID 2632 wrote to memory of 2772	2632	cmd.exe	45
PID 2632 wrote to memory of 2772	2632	cmd.exe	45
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lifenz utility tweak private.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:1220
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2964
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2460
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:1112
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:2772
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-4-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2748-5-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download