Analysis
-
max time kernel
1000s -
max time network
1101s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06-09-2022 05:30
Behavioral task
behavioral1
Sample
lxJWhxw.exe
Resource
win7-20220812-en
windows7-x64
19 signatures
1200 seconds
Behavioral task
behavioral2
Sample
lxJWhxw.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
31 signatures
1200 seconds
Behavioral task
behavioral3
Sample
serial_checker_hwids.bat
Resource
win7-20220812-en
windows7-x64
2 signatures
1200 seconds
Behavioral task
behavioral4
Sample
serial_checker_hwids.bat
Resource
win10v2004-20220901-en
windows10-2004-x64
2 signatures
1200 seconds
General
-
Target
serial_checker_hwids.bat
-
Size
314B
-
MD5
875694edd1569a7a9743e464d4c30f5d
-
SHA1
6bbf0f4df1ca90b30b5667252f08f79aae1deb63
-
SHA256
252fa4f2391ef928701e3984a55c8526258276b4e993f5f6a564756d3a7988d9
-
SHA512
2a45b4a4fa6030e157fd83512cc115c75ca22929b63b69c40753a861cfd5994d8e75a944cf1ccc8d760ce9a2f91984e9d4cf41ad0ea536d81c989d9264eeedad
Score
1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 1876 WMIC.exe Token: SeSecurityPrivilege 1876 WMIC.exe Token: SeTakeOwnershipPrivilege 1876 WMIC.exe Token: SeLoadDriverPrivilege 1876 WMIC.exe Token: SeSystemProfilePrivilege 1876 WMIC.exe Token: SeSystemtimePrivilege 1876 WMIC.exe Token: SeProfSingleProcessPrivilege 1876 WMIC.exe Token: SeIncBasePriorityPrivilege 1876 WMIC.exe Token: SeCreatePagefilePrivilege 1876 WMIC.exe Token: SeBackupPrivilege 1876 WMIC.exe Token: SeRestorePrivilege 1876 WMIC.exe Token: SeShutdownPrivilege 1876 WMIC.exe Token: SeDebugPrivilege 1876 WMIC.exe Token: SeSystemEnvironmentPrivilege 1876 WMIC.exe Token: SeRemoteShutdownPrivilege 1876 WMIC.exe Token: SeUndockPrivilege 1876 WMIC.exe Token: SeManageVolumePrivilege 1876 WMIC.exe Token: 33 1876 WMIC.exe Token: 34 1876 WMIC.exe Token: 35 1876 WMIC.exe Token: 36 1876 WMIC.exe Token: SeIncreaseQuotaPrivilege 1876 WMIC.exe Token: SeSecurityPrivilege 1876 WMIC.exe Token: SeTakeOwnershipPrivilege 1876 WMIC.exe Token: SeLoadDriverPrivilege 1876 WMIC.exe Token: SeSystemProfilePrivilege 1876 WMIC.exe Token: SeSystemtimePrivilege 1876 WMIC.exe Token: SeProfSingleProcessPrivilege 1876 WMIC.exe Token: SeIncBasePriorityPrivilege 1876 WMIC.exe Token: SeCreatePagefilePrivilege 1876 WMIC.exe Token: SeBackupPrivilege 1876 WMIC.exe Token: SeRestorePrivilege 1876 WMIC.exe Token: SeShutdownPrivilege 1876 WMIC.exe Token: SeDebugPrivilege 1876 WMIC.exe Token: SeSystemEnvironmentPrivilege 1876 WMIC.exe Token: SeRemoteShutdownPrivilege 1876 WMIC.exe Token: SeUndockPrivilege 1876 WMIC.exe Token: SeManageVolumePrivilege 1876 WMIC.exe Token: 33 1876 WMIC.exe Token: 34 1876 WMIC.exe Token: 35 1876 WMIC.exe Token: 36 1876 WMIC.exe Token: SeIncreaseQuotaPrivilege 3320 WMIC.exe Token: SeSecurityPrivilege 3320 WMIC.exe Token: SeTakeOwnershipPrivilege 3320 WMIC.exe Token: SeLoadDriverPrivilege 3320 WMIC.exe Token: SeSystemProfilePrivilege 3320 WMIC.exe Token: SeSystemtimePrivilege 3320 WMIC.exe Token: SeProfSingleProcessPrivilege 3320 WMIC.exe Token: SeIncBasePriorityPrivilege 3320 WMIC.exe Token: SeCreatePagefilePrivilege 3320 WMIC.exe Token: SeBackupPrivilege 3320 WMIC.exe Token: SeRestorePrivilege 3320 WMIC.exe Token: SeShutdownPrivilege 3320 WMIC.exe Token: SeDebugPrivilege 3320 WMIC.exe Token: SeSystemEnvironmentPrivilege 3320 WMIC.exe Token: SeRemoteShutdownPrivilege 3320 WMIC.exe Token: SeUndockPrivilege 3320 WMIC.exe Token: SeManageVolumePrivilege 3320 WMIC.exe Token: 33 3320 WMIC.exe Token: 34 3320 WMIC.exe Token: 35 3320 WMIC.exe Token: 36 3320 WMIC.exe Token: SeIncreaseQuotaPrivilege 3320 WMIC.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
cmd.exedescription pid process target process PID 3344 wrote to memory of 1876 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 1876 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 3320 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 3320 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 3532 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 3532 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 4348 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 4348 3344 cmd.exe WMIC.exe PID 3344 wrote to memory of 2848 3344 cmd.exe getmac.exe PID 3344 wrote to memory of 2848 3344 cmd.exe getmac.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial_checker_hwids.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic memorychip get serialnumber2⤵
-
C:\Windows\system32\getmac.exegetmac /v2⤵