Analysis Overview
score
6/10
SHA256
63a64e1c65a004b8d82bfec86e2b85a69b8377f3386dfc0ec5356483dee55355
Threat Level: Shows suspicious behavior
The file enablehibernate.bat was classified as: Shows suspicious behavior.
Malicious Activity Summary
Power Settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 12:14
Signatures
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 12:14
Reported
2024-11-12 12:15
Platform
win11-20241007-en
Max time kernel
15s
Command Line
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enablehibernate.bat"
Signatures
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 3804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\powercfg.exe |
| PID 2976 wrote to memory of 3804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\powercfg.exe |
| PID 2976 wrote to memory of 3128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\powercfg.exe |
| PID 2976 wrote to memory of 3128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\powercfg.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enablehibernate.bat"
C:\Windows\system32\powercfg.exe
powercfg /hibernate on
C:\Windows\system32\powercfg.exe
powercfg /hibernate /type full
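The script below is an added triage example, not part of the sandbox report. It rebuilds the behavioral1 process tree from the Processes and WriteProcessMemory tables above (the process records are constructed from those tables; the parent of cmd.exe is not given in the report and is left unset) and applies an example classification policy for powercfg command lines: enabling hibernation or setting the hiberfile type, as this batch file does, is treated as ordinary configuration, while disabling hibernation is flagged for review. It also separates the four writes cmd.exe (PID 2976) made into its two direct children (PIDs 3804 and 3128), which is how process creation appears to a sandbox API monitor, from writes into unrelated processes, which would be the injection pattern the signature name suggests. The SeShutdownPrivilege and SeCreatePagefilePrivilege requests in the AdjustPrivilegeToken table are consistent with powercfg creating hiberfil.sys. The verdict strings and the rule set are this example's own assumptions.

```python
"""Triage of the enablehibernate.bat process tree (added example, not the sandbox's code)."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's Processes table: cmd.exe (PID 2976) runs the batch
# file and spawns two powercfg.exe children (PIDs 3804 and 3128). The parent of
# cmd.exe is not stated in the report, so it is left as None.
PROCESSES = [
    Proc(2976, None, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\enablehibernate.bat"'),
    Proc(3804, 2976, r"C:\Windows\system32\powercfg.exe", "powercfg /hibernate on"),
    Proc(3128, 2976, r"C:\Windows\system32\powercfg.exe", "powercfg /hibernate /type full"),
]

# Constructed from the WriteProcessMemory table: (writer PID, target PID).
MEMORY_WRITES = [(2976, 3804), (2976, 3804), (2976, 3128), (2976, 3128)]


def classify_powercfg(cmdline: str) -> str:
    """Example policy for powercfg command lines (assumption: not a vendor signature).

    Switches are normalised so that '/hibernate', '-h' and '/h' compare equal.
    """
    tokens = [t.lower() for t in cmdline.split()]
    switches = [t.lstrip("/-") for t in tokens[1:]]
    if not switches:
        return "unknown: no arguments"
    if switches[0] in ("h", "hibernate"):
        if "off" in switches[1:]:
            return "review: hibernation disabled (hiberfil.sys removed)"
        return "benign: hibernation enabled or hiberfile type changed"
    return "unknown: manual review"


def explain_memory_writes(procs, writes):
    """Split WriteProcessMemory events into parent->child writes and everything else.

    A parent writing into a process it just created is what CreateProcess looks
    like to an API monitor; a write into a process the writer did not spawn is
    the cross-process pattern worth investigating.
    """
    by_pid = {p.pid: p for p in procs}
    spawn, other = [], []
    for writer, target in sorted(set(writes)):
        if target in by_pid and by_pid[target].ppid == writer:
            spawn.append((writer, target))
        else:
            other.append((writer, target))
    return spawn, other


def triage(procs=PROCESSES, writes=MEMORY_WRITES) -> dict:
    """Return per-PID powercfg findings, the write breakdown and an overall verdict."""
    findings = {p.pid: classify_powercfg(p.cmdline)
                for p in procs if p.image.lower().endswith("powercfg.exe")}
    spawn, other = explain_memory_writes(procs, writes)
    needs_review = bool(other) or any(v.startswith("review") for v in findings.values())
    return {
        "powercfg": findings,
        "spawn_writes": spawn,
        "cross_process_writes": other,
        "verdict": "review" if needs_review else "benign power configuration",
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Running the script on the constructed records yields no cross-process writes and two benign powercfg findings, so the overall verdict is "benign power configuration"; swapping the command line to `powercfg -h off` flips the verdict to "review", which is the distinction the sandbox's generic Power Settings signature does not make.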
Network
N/A
Files
N/A