564f08ca2ad008e85407528f04e39b3087f53443c774be0898be735813d91f18

Analysis

max time kernel
1s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/12/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mac.bat
Size

2KB
MD5

86630f471a1c7f40e8494347f9ab8249
SHA1

10a2139adfb884f01799de89bf9b9ccb2a8bb460
SHA256

c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c
SHA512

666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369

Score

3^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4884	WMIC.exe
Token: SeSecurityPrivilege	4884	WMIC.exe
Token: SeTakeOwnershipPrivilege	4884	WMIC.exe
Token: SeLoadDriverPrivilege	4884	WMIC.exe
Token: SeSystemProfilePrivilege	4884	WMIC.exe
Token: SeSystemtimePrivilege	4884	WMIC.exe
Token: SeProfSingleProcessPrivilege	4884	WMIC.exe
Token: SeIncBasePriorityPrivilege	4884	WMIC.exe
Token: SeCreatePagefilePrivilege	4884	WMIC.exe
Token: SeBackupPrivilege	4884	WMIC.exe
Token: SeRestorePrivilege	4884	WMIC.exe
Token: SeShutdownPrivilege	4884	WMIC.exe
Token: SeDebugPrivilege	4884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4884	WMIC.exe
Token: SeRemoteShutdownPrivilege	4884	WMIC.exe
Token: SeUndockPrivilege	4884	WMIC.exe
Token: SeManageVolumePrivilege	4884	WMIC.exe
Token: 33	4884	WMIC.exe
Token: 34	4884	WMIC.exe
Token: 35	4884	WMIC.exe
Token: 36	4884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4884	WMIC.exe
Token: SeSecurityPrivilege	4884	WMIC.exe
Token: SeTakeOwnershipPrivilege	4884	WMIC.exe
Token: SeLoadDriverPrivilege	4884	WMIC.exe
Token: SeSystemProfilePrivilege	4884	WMIC.exe
Token: SeSystemtimePrivilege	4884	WMIC.exe
Token: SeProfSingleProcessPrivilege	4884	WMIC.exe
Token: SeIncBasePriorityPrivilege	4884	WMIC.exe
Token: SeCreatePagefilePrivilege	4884	WMIC.exe
Token: SeBackupPrivilege	4884	WMIC.exe
Token: SeRestorePrivilege	4884	WMIC.exe
Token: SeShutdownPrivilege	4884	WMIC.exe
Token: SeDebugPrivilege	4884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4884	WMIC.exe
Token: SeRemoteShutdownPrivilege	4884	WMIC.exe
Token: SeUndockPrivilege	4884	WMIC.exe
Token: SeManageVolumePrivilege	4884	WMIC.exe
Token: 33	4884	WMIC.exe
Token: 34	4884	WMIC.exe
Token: 35	4884	WMIC.exe
Token: 36	4884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1604	WMIC.exe
Token: SeSecurityPrivilege	1604	WMIC.exe
Token: SeTakeOwnershipPrivilege	1604	WMIC.exe
Token: SeLoadDriverPrivilege	1604	WMIC.exe
Token: SeSystemProfilePrivilege	1604	WMIC.exe
Token: SeSystemtimePrivilege	1604	WMIC.exe
Token: SeProfSingleProcessPrivilege	1604	WMIC.exe
Token: SeIncBasePriorityPrivilege	1604	WMIC.exe
Token: SeCreatePagefilePrivilege	1604	WMIC.exe
Token: SeBackupPrivilege	1604	WMIC.exe
Token: SeRestorePrivilege	1604	WMIC.exe
Token: SeShutdownPrivilege	1604	WMIC.exe
Token: SeDebugPrivilege	1604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1604	WMIC.exe
Token: SeRemoteShutdownPrivilege	1604	WMIC.exe
Token: SeUndockPrivilege	1604	WMIC.exe
Token: SeManageVolumePrivilege	1604	WMIC.exe
Token: 33	1604	WMIC.exe
Token: 34	1604	WMIC.exe
Token: 35	1604	WMIC.exe
Token: 36	1604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1604	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 336	1744	cmd.exe	79
PID 1744 wrote to memory of 336	1744	cmd.exe	79
PID 336 wrote to memory of 4884	336	cmd.exe	80
PID 336 wrote to memory of 4884	336	cmd.exe	80
PID 336 wrote to memory of 1840	336	cmd.exe	81
PID 336 wrote to memory of 1840	336	cmd.exe	81
PID 1744 wrote to memory of 4624	1744	cmd.exe	83
PID 1744 wrote to memory of 4624	1744	cmd.exe	83
PID 1744 wrote to memory of 4216	1744	cmd.exe	84
PID 1744 wrote to memory of 4216	1744	cmd.exe	84
PID 1744 wrote to memory of 3916	1744	cmd.exe	85
PID 1744 wrote to memory of 3916	1744	cmd.exe	85
PID 1744 wrote to memory of 2136	1744	cmd.exe	86
PID 1744 wrote to memory of 2136	1744	cmd.exe	86
PID 1744 wrote to memory of 3172	1744	cmd.exe	87
PID 1744 wrote to memory of 3172	1744	cmd.exe	87
PID 3172 wrote to memory of 1604	3172	cmd.exe	88
PID 3172 wrote to memory of 1604	3172	cmd.exe	88
PID 3172 wrote to memory of 1960	3172	cmd.exe	89
PID 3172 wrote to memory of 1960	3172	cmd.exe	89
PID 1744 wrote to memory of 3332	1744	cmd.exe	90
PID 1744 wrote to memory of 3332	1744	cmd.exe	90
PID 1744 wrote to memory of 4200	1744	cmd.exe	91
PID 1744 wrote to memory of 4200	1744	cmd.exe	91
PID 1744 wrote to memory of 1664	1744	cmd.exe	92
PID 1744 wrote to memory of 1664	1744	cmd.exe	92
PID 1744 wrote to memory of 2780	1744	cmd.exe	93
PID 1744 wrote to memory of 2780	1744	cmd.exe	93
PID 1744 wrote to memory of 2768	1744	cmd.exe	94
PID 1744 wrote to memory of 2768	1744	cmd.exe	94
PID 2768 wrote to memory of 2960	2768	cmd.exe	95
PID 2768 wrote to memory of 2960	2768	cmd.exe	95
PID 1744 wrote to memory of 2360	1744	cmd.exe	96
PID 1744 wrote to memory of 2360	1744	cmd.exe	96
PID 1744 wrote to memory of 336	1744	cmd.exe	79
PID 1744 wrote to memory of 336	1744	cmd.exe	79
PID 336 wrote to memory of 4884	336	cmd.exe	80
PID 336 wrote to memory of 4884	336	cmd.exe	80
PID 336 wrote to memory of 1840	336	cmd.exe	81
PID 336 wrote to memory of 1840	336	cmd.exe	81
PID 1744 wrote to memory of 4624	1744	cmd.exe	83
PID 1744 wrote to memory of 4624	1744	cmd.exe	83
PID 1744 wrote to memory of 4216	1744	cmd.exe	84
PID 1744 wrote to memory of 4216	1744	cmd.exe	84
PID 1744 wrote to memory of 3916	1744	cmd.exe	85
PID 1744 wrote to memory of 3916	1744	cmd.exe	85
PID 1744 wrote to memory of 2136	1744	cmd.exe	86
PID 1744 wrote to memory of 2136	1744	cmd.exe	86
PID 1744 wrote to memory of 3172	1744	cmd.exe	87
PID 1744 wrote to memory of 3172	1744	cmd.exe	87
PID 3172 wrote to memory of 1604	3172	cmd.exe	88
PID 3172 wrote to memory of 1604	3172	cmd.exe	88
PID 3172 wrote to memory of 1960	3172	cmd.exe	89
PID 3172 wrote to memory of 1960	3172	cmd.exe	89
PID 1744 wrote to memory of 3332	1744	cmd.exe	90
PID 1744 wrote to memory of 3332	1744	cmd.exe	90
PID 1744 wrote to memory of 4200	1744	cmd.exe	91
PID 1744 wrote to memory of 4200	1744	cmd.exe	91
PID 1744 wrote to memory of 1664	1744	cmd.exe	92
PID 1744 wrote to memory of 1664	1744	cmd.exe	92
PID 1744 wrote to memory of 2780	1744	cmd.exe	93
PID 1744 wrote to memory of 2780	1744	cmd.exe	93
PID 1744 wrote to memory of 2768	1744	cmd.exe	94
PID 1744 wrote to memory of 2768	1744	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mac.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:1840
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:4624
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:4216
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:3916
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 0AD7ABFC9963 /f
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:1960
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:3332
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:4200
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
    3⤵
    PID:2960
- C:\Windows\system32\netsh.exe
  netsh interface set interface name="Ethernet" disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads