2c6a1adc320f8512e7163ea1f624a248f323bd5d4c73eb14ba84f463b6b8f3e7

Analysis

max time kernel
90s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Verse crack from feds and nex/Serialcheckers/Backup serialchecker/Serialchecker.bat
Size

2KB
MD5

88d4cd0ecd8b80204a867b085cc7af7f
SHA1

88367c0259581943a45f77683e22a180d3286ca5
SHA256

40e615e60f1de58259a9d440ebc2e9f757221ad07f35ff3dae2ef57ba8279976
SHA512

b8949ef027e08c742f7a681991532e0fee97abd96b720b8cdb2bb6a9e1fea4c9c7c693ccc62a220e20c0832e47a47869bc045f3e997b742d9db51a988f832ece

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1092	WMIC.exe
Token: SeSecurityPrivilege	1092	WMIC.exe
Token: SeTakeOwnershipPrivilege	1092	WMIC.exe
Token: SeLoadDriverPrivilege	1092	WMIC.exe
Token: SeSystemProfilePrivilege	1092	WMIC.exe
Token: SeSystemtimePrivilege	1092	WMIC.exe
Token: SeProfSingleProcessPrivilege	1092	WMIC.exe
Token: SeIncBasePriorityPrivilege	1092	WMIC.exe
Token: SeCreatePagefilePrivilege	1092	WMIC.exe
Token: SeBackupPrivilege	1092	WMIC.exe
Token: SeRestorePrivilege	1092	WMIC.exe
Token: SeShutdownPrivilege	1092	WMIC.exe
Token: SeDebugPrivilege	1092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1092	WMIC.exe
Token: SeRemoteShutdownPrivilege	1092	WMIC.exe
Token: SeUndockPrivilege	1092	WMIC.exe
Token: SeManageVolumePrivilege	1092	WMIC.exe
Token: 33	1092	WMIC.exe
Token: 34	1092	WMIC.exe
Token: 35	1092	WMIC.exe
Token: 36	1092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1092	WMIC.exe
Token: SeSecurityPrivilege	1092	WMIC.exe
Token: SeTakeOwnershipPrivilege	1092	WMIC.exe
Token: SeLoadDriverPrivilege	1092	WMIC.exe
Token: SeSystemProfilePrivilege	1092	WMIC.exe
Token: SeSystemtimePrivilege	1092	WMIC.exe
Token: SeProfSingleProcessPrivilege	1092	WMIC.exe
Token: SeIncBasePriorityPrivilege	1092	WMIC.exe
Token: SeCreatePagefilePrivilege	1092	WMIC.exe
Token: SeBackupPrivilege	1092	WMIC.exe
Token: SeRestorePrivilege	1092	WMIC.exe
Token: SeShutdownPrivilege	1092	WMIC.exe
Token: SeDebugPrivilege	1092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1092	WMIC.exe
Token: SeRemoteShutdownPrivilege	1092	WMIC.exe
Token: SeUndockPrivilege	1092	WMIC.exe
Token: SeManageVolumePrivilege	1092	WMIC.exe
Token: 33	1092	WMIC.exe
Token: 34	1092	WMIC.exe
Token: 35	1092	WMIC.exe
Token: 36	1092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2076	WMIC.exe
Token: SeRemoteShutdownPrivilege	2076	WMIC.exe
Token: SeUndockPrivilege	2076	WMIC.exe
Token: SeManageVolumePrivilege	2076	WMIC.exe
Token: 33	2076	WMIC.exe
Token: 34	2076	WMIC.exe
Token: 35	2076	WMIC.exe
Token: 36	2076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3588 wrote to memory of 4940	3588	cmd.exe	cscript.exe
PID 3588 wrote to memory of 4940	3588	cmd.exe	cscript.exe
PID 3588 wrote to memory of 1092	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 1092	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 2076	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 2076	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 4876	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 4876	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 4924	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 4924	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 240	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 240	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 4492	3588	cmd.exe	reg.exe
PID 3588 wrote to memory of 4492	3588	cmd.exe	reg.exe
PID 3588 wrote to memory of 1576	3588	cmd.exe	getmac.exe
PID 3588 wrote to memory of 1576	3588	cmd.exe	getmac.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Serialcheckers\Backup serialchecker\Serialchecker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\cscript.exe
cscript //nologo "C:\temp\popup.vbs"
2⤵
PID:4940

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\Wbem\WMIC.exe
wmic systemenclosure get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
2⤵
PID:4876

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
2⤵
PID:4924

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
2⤵
PID:240

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductID
2⤵
PID:4492

C:\Windows\system32\getmac.exe
getmac
2⤵
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\temp\popup.vbs
Filesize
158B

MD5
5e7ba0fcfadcbe82f772b97450f0a0a3

SHA1
8acc8f1c23d32c59f7a0cf0f404b373e09231593

SHA256
d6c62b4b8789e97930036a8a9740f01c918ef2d33e4f6ac470834cbab0a5b644

SHA512
3657eaf2c741b3e26700aae14254bc184716e84a2bedb6e52b79c238c96f5b3f6e4e09dd7bb6be97b22199a1166355cddc1074fb8fa373c032741b7f829865d5

Download Submit