36882fc0c24de7aebb0a0949e60fc3f4768a79d908fac9c8464e72e958fd9a3b

Analysis

max time kernel
1000s
max time network
1101s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

serial_checker_hwids.bat
Size

314B
MD5

875694edd1569a7a9743e464d4c30f5d
SHA1

6bbf0f4df1ca90b30b5667252f08f79aae1deb63
SHA256

252fa4f2391ef928701e3984a55c8526258276b4e993f5f6a564756d3a7988d9
SHA512

2a45b4a4fa6030e157fd83512cc115c75ca22929b63b69c40753a861cfd5994d8e75a944cf1ccc8d760ce9a2f91984e9d4cf41ad0ea536d81c989d9264eeedad

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: 36	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3344 wrote to memory of 1876	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 1876	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 3320	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 3320	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 3532	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 3532	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 4348	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 4348	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 2848	3344	cmd.exe	getmac.exe
PID 3344 wrote to memory of 2848	3344	cmd.exe	getmac.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial_checker_hwids.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
2⤵
PID:3532

C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
2⤵
PID:4348

C:\Windows\system32\getmac.exe
getmac /v
2⤵
PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-132-0x0000000000000000-mapping.dmp

Download
memory/2848-136-0x0000000000000000-mapping.dmp

Download
memory/3320-133-0x0000000000000000-mapping.dmp

Download
memory/3532-134-0x0000000000000000-mapping.dmp

Download
memory/4348-135-0x0000000000000000-mapping.dmp

Download