Malware Analysis Report

2025-08-10 14:57

Sample ID 241112-pelanssenh
Target enablehibernate.bat
SHA256 63a64e1c65a004b8d82bfec86e2b85a69b8377f3386dfc0ec5356483dee55355
Tags
persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

63a64e1c65a004b8d82bfec86e2b85a69b8377f3386dfc0ec5356483dee55355

Threat Level: Shows suspicious behavior

The file enablehibernate.bat was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Power Settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 12:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 12:14

Reported

2024-11-12 12:15

Platform

win11-20241007-en

Max time kernel

15s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enablehibernate.bat"

Signatures

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 3804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2976 wrote to memory of 3804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2976 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2976 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enablehibernate.bat"

C:\Windows\system32\powercfg.exe

powercfg /hibernate on

C:\Windows\system32\powercfg.exe

powercfg /hibernate /type full

Network

N/A

Files

N/A