Analysis
max time kernel: 15s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12/11/2024, 12:14
Static task: static1
Behavioral task: behavioral1
Sample: enablehibernate.bat
Resource: win11-20241007-en
3 signatures
150 seconds
General
Target: enablehibernate.bat
Size: 122B
MD5: bb2606348eab4a000e493b9b7de7fe0d
SHA1: 9ad7caeb00231d541a79398421cf048d7cbbfedf
SHA256: 63a64e1c65a004b8d82bfec86e2b85a69b8377f3386dfc0ec5356483dee55355
SHA512: 8d867822f569285b0db9657f0f97cb0eba148d598324f34c5893153f95bf6569df7ed6c9f897aff35277404685008720893a86efdb7d168048b11d6a62bafdfa
Score: 6/10
Malware Config
Signatures

Power Settings (1 TTPs, 2 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid   Process
3804  powercfg.exe
3128  powercfg.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description                       pid   Process
Token: SeShutdownPrivilege        3804  powercfg.exe
Token: SeCreatePagefilePrivilege  3804  powercfg.exe
Token: SeShutdownPrivilege        3804  powercfg.exe
Token: SeCreatePagefilePrivilege  3804  powercfg.exe
Token: SeShutdownPrivilege        3128  powercfg.exe
Token: SeCreatePagefilePrivilege  3128  powercfg.exe
Token: SeShutdownPrivilege        3128  powercfg.exe
Token: SeCreatePagefilePrivilege  3128  powercfg.exe
Token: SeShutdownPrivilege        3128  powercfg.exe
Token: SeCreatePagefilePrivilege  3128  powercfg.exe
Token: SeShutdownPrivilege        3128  powercfg.exe
Token: SeCreatePagefilePrivilege  3128  powercfg.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process   procid_target
PID 2976 wrote to memory of 3804  2976  cmd.exe   80
PID 2976 wrote to memory of 3804  2976  cmd.exe   80
PID 2976 wrote to memory of 3128  2976  cmd.exe   81
PID 2976 wrote to memory of 3128  2976  cmd.exe   81
Processes
C:\Windows\system32\cmd.exe (PID 2976, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enablehibernate.bat"
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\system32\powercfg.exe (PID 3804, depth 2)
    Command line: powercfg /hibernate on
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 3128, depth 2)
    Command line: powercfg /hibernate /type full
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken