249d25df5be6ac55576807b67b5d1297fb920342af0df322177b64f5b70499c0

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

phorsan.bat
Size

1KB
MD5

2375504977240c23e86942046538dc3e
SHA1

df866b67c41e753cba1aef4e19d1fe034a808f52
SHA256

249d25df5be6ac55576807b67b5d1297fb920342af0df322177b64f5b70499c0
SHA512

37ca7557f41ef12927e6c7a9a188e0510cbed43de59e9a19b248691b3611fe50b41a3f0d6d10e0b1908a8132bad15d1919f5f752c96f3b4c780304e95bc107bb

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2320	WMIC.exe
Token: SeSecurityPrivilege	2320	WMIC.exe
Token: SeTakeOwnershipPrivilege	2320	WMIC.exe
Token: SeLoadDriverPrivilege	2320	WMIC.exe
Token: SeSystemProfilePrivilege	2320	WMIC.exe
Token: SeSystemtimePrivilege	2320	WMIC.exe
Token: SeProfSingleProcessPrivilege	2320	WMIC.exe
Token: SeIncBasePriorityPrivilege	2320	WMIC.exe
Token: SeCreatePagefilePrivilege	2320	WMIC.exe
Token: SeBackupPrivilege	2320	WMIC.exe
Token: SeRestorePrivilege	2320	WMIC.exe
Token: SeShutdownPrivilege	2320	WMIC.exe
Token: SeDebugPrivilege	2320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2320	WMIC.exe
Token: SeRemoteShutdownPrivilege	2320	WMIC.exe
Token: SeUndockPrivilege	2320	WMIC.exe
Token: SeManageVolumePrivilege	2320	WMIC.exe
Token: 33	2320	WMIC.exe
Token: 34	2320	WMIC.exe
Token: 35	2320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2320	WMIC.exe
Token: SeSecurityPrivilege	2320	WMIC.exe
Token: SeTakeOwnershipPrivilege	2320	WMIC.exe
Token: SeLoadDriverPrivilege	2320	WMIC.exe
Token: SeSystemProfilePrivilege	2320	WMIC.exe
Token: SeSystemtimePrivilege	2320	WMIC.exe
Token: SeProfSingleProcessPrivilege	2320	WMIC.exe
Token: SeIncBasePriorityPrivilege	2320	WMIC.exe
Token: SeCreatePagefilePrivilege	2320	WMIC.exe
Token: SeBackupPrivilege	2320	WMIC.exe
Token: SeRestorePrivilege	2320	WMIC.exe
Token: SeShutdownPrivilege	2320	WMIC.exe
Token: SeDebugPrivilege	2320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2320	WMIC.exe
Token: SeRemoteShutdownPrivilege	2320	WMIC.exe
Token: SeUndockPrivilege	2320	WMIC.exe
Token: SeManageVolumePrivilege	2320	WMIC.exe
Token: 33	2320	WMIC.exe
Token: 34	2320	WMIC.exe
Token: 35	2320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe
Token: SeSystemProfilePrivilege	2616	WMIC.exe
Token: SeSystemtimePrivilege	2616	WMIC.exe
Token: SeProfSingleProcessPrivilege	2616	WMIC.exe
Token: SeIncBasePriorityPrivilege	2616	WMIC.exe
Token: SeCreatePagefilePrivilege	2616	WMIC.exe
Token: SeBackupPrivilege	2616	WMIC.exe
Token: SeRestorePrivilege	2616	WMIC.exe
Token: SeShutdownPrivilege	2616	WMIC.exe
Token: SeDebugPrivilege	2616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2616	WMIC.exe
Token: SeRemoteShutdownPrivilege	2616	WMIC.exe
Token: SeUndockPrivilege	2616	WMIC.exe
Token: SeManageVolumePrivilege	2616	WMIC.exe
Token: 33	2616	WMIC.exe
Token: 34	2616	WMIC.exe
Token: 35	2616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 3060	816	cmd.exe	29
PID 816 wrote to memory of 3060	816	cmd.exe	29
PID 816 wrote to memory of 3060	816	cmd.exe	29
PID 816 wrote to memory of 2320	816	cmd.exe	30
PID 816 wrote to memory of 2320	816	cmd.exe	30
PID 816 wrote to memory of 2320	816	cmd.exe	30
PID 816 wrote to memory of 2616	816	cmd.exe	32
PID 816 wrote to memory of 2616	816	cmd.exe	32
PID 816 wrote to memory of 2616	816	cmd.exe	32
PID 816 wrote to memory of 2732	816	cmd.exe	33
PID 816 wrote to memory of 2732	816	cmd.exe	33
PID 816 wrote to memory of 2732	816	cmd.exe	33
PID 816 wrote to memory of 2340	816	cmd.exe	34
PID 816 wrote to memory of 2340	816	cmd.exe	34
PID 816 wrote to memory of 2340	816	cmd.exe	34
PID 816 wrote to memory of 2636	816	cmd.exe	35
PID 816 wrote to memory of 2636	816	cmd.exe	35
PID 816 wrote to memory of 2636	816	cmd.exe	35
PID 816 wrote to memory of 2500	816	cmd.exe	36
PID 816 wrote to memory of 2500	816	cmd.exe	36
PID 816 wrote to memory of 2500	816	cmd.exe	36
PID 816 wrote to memory of 2612	816	cmd.exe	37
PID 816 wrote to memory of 2612	816	cmd.exe	37
PID 816 wrote to memory of 2612	816	cmd.exe	37
PID 816 wrote to memory of 2648	816	cmd.exe	38
PID 816 wrote to memory of 2648	816	cmd.exe	38
PID 816 wrote to memory of 2648	816	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\phorsan.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\system32\mode.com
  mode con: cols=70 lines=40
  2⤵
  PID:3060
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:2732
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get processorid
  2⤵
  PID:2340
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:2636
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:2500
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get manufacturer
  2⤵
  PID:2612
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:2648

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads