Analysis
max time kernel: 209s
max time network: 199s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 13/03/2024, 19:17
Static task: static1
Behavioral task: behavioral1
Sample: serial check.bat
Resource: win10v2004-20240226-en
6 signatures
150 seconds
General
Target: serial check.bat
Size: 438B
MD5: 8cb7166ecf402cedfefee8d08c8ed753
SHA1: cd57e7d640c052cf1431750fd82a7dd2ac369c75
SHA256: 68f92fb45c02797eb6ab5cc1f406a35327e8a68b8d2eeb0e7d171d3d2225b0cc
SHA512: af0b1f19da5a2d82c214589b5c2e201d4963833bac179f2426486669493eb6b095c38702a5f4c8ff1467d49d8ef02da6d6fa5bd313b06cc3b860a2c8d8c72454
Score: 1/10
Malware Config
Signatures

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid | Process
4560 | taskmgr.exe (this row is repeated 37 times in the report)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
The 64 rows consist of the following 21-token sequence, listed in this order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token: (each of the 21 above, sequence repeated twice = 42 rows) | 4052 | WMIC.exe
Token: (each of the 21 above, sequence listed once = 21 rows) | 2176 | WMIC.exe
Token: SeIncreaseQuotaPrivilege (1 further row) | 2176 | WMIC.exe
Suspicious use of FindShellTrayWindow (61 IoCs)
pid | Process
4560 | taskmgr.exe (this row is repeated 61 times in the report)
Suspicious use of SendNotifyMessage (60 IoCs)
pid | Process
4560 | taskmgr.exe (this row is repeated 60 times in the report)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4444 wrote to memory of 4052 | 4444 | cmd.exe | 96
PID 4444 wrote to memory of 4052 | 4444 | cmd.exe | 96
PID 4444 wrote to memory of 2176 | 4444 | cmd.exe | 98
PID 4444 wrote to memory of 2176 | 4444 | cmd.exe | 98
PID 4444 wrote to memory of 1292 | 4444 | cmd.exe | 99
PID 4444 wrote to memory of 1292 | 4444 | cmd.exe | 99
PID 4444 wrote to memory of 4776 | 4444 | cmd.exe | 101
PID 4444 wrote to memory of 4776 | 4444 | cmd.exe | 101
PID 4444 wrote to memory of 1648 | 4444 | cmd.exe | 102
PID 4444 wrote to memory of 1648 | 4444 | cmd.exe | 102
PID 4444 wrote to memory of 468 | 4444 | cmd.exe | 103
PID 4444 wrote to memory of 468 | 4444 | cmd.exe | 103
Processes

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial check.bat"
  PID: 4444
  signatures: Suspicious use of WriteProcessMemory
  child processes:
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic diskdrive get model, serialnumber
      PID: 4052
      signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic cpu get serialnumber
      PID: 2176
      signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic bios get serialnumber
      PID: 1292
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic baseboard get serialnumber
      PID: 4776
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_computersystemproduct get uuid
      PID: 1648
    C:\Windows\system32\getmac.exe
      command line: getmac
      PID: 468

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4560
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  PID: 1484