Overview
- 9 | Static
- 7 | Verse crac...or.exe | windows11-21h2-x64
- 1 | Verse crac...RU.exe | windows11-21h2-x64
- 1 | Verse crac...ll.exe | windows11-21h2-x64
- 1 | Verse crac...rt.exe | windows11-21h2-x64
- 5 | Verse crac...64.exe | windows11-21h2-x64
- 5 | Verse crac...er.bat | windows11-21h2-x64
- 1 | Verse crac...er.exe | windows11-21h2-x64
- 9 | Verse crac...er.exe | windows11-21h2-x64
- 7 | Verse crac...n].bat | windows11-21h2-x64
- 1 | Verse crac...15.exe | windows11-21h2-x64
- 9 | Verse crac...ip.dll | windows11-21h2-x64
1 | Analysis
- max time kernel: 90s
- max time network: 99s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-04-2024 03:36
Behavioral tasks (task | sample | resource)
- behavioral1 | Verse crack from feds and nex/Injector.exe | win11-20240412-en
- behavioral2 | Verse crack from feds and nex/Monitor Spoof/CRU.exe | win11-20240412-en
- behavioral3 | Verse crack from feds and nex/Monitor Spoof/reset-all.exe | win11-20240412-en
- behavioral4 | Verse crack from feds and nex/Monitor Spoof/restart.exe | win11-20240412-en
- behavioral5 | Verse crack from feds and nex/Monitor Spoof/restart64.exe | win11-20240412-en
- behavioral6 | Verse crack from feds and nex/Serialcheckers/Backup serialchecker/Serialchecker.bat | win11-20240412-en
- behavioral7 | Verse crack from feds and nex/Serialcheckers/Mac-checker.exe | win11-20240412-en
- behavioral8 | Verse crack from feds and nex/Serialcheckers/Serialchecker.exe | win11-20240412-en
- behavioral9 | Verse crack from feds and nex/Serialcheckers/Wifi & Bluetooth disabler/Disabler [Run Admin].bat | win11-20240412-en
- behavioral10 | Verse crack from feds and nex/Verse V4.15.exe | win11-20240412-en
- behavioral11 | Verse crack from feds and nex/rip.dll | win11-20240412-en
General
- Target: Verse crack from feds and nex/Serialcheckers/Backup serialchecker/Serialchecker.bat
- Size: 2KB
- MD5: 88d4cd0ecd8b80204a867b085cc7af7f
- SHA1: 88367c0259581943a45f77683e22a180d3286ca5
- SHA256: 40e615e60f1de58259a9d440ebc2e9f757221ad07f35ff3dae2ef57ba8279976
- SHA512: b8949ef027e08c742f7a681991532e0fee97abd96b720b8cdb2bb6a9e1fea4c9c7c693ccc62a220e20c0832e47a47869bc045f3e997b742d9db51a988f832ece
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  - WMIC.exe, PID 1092 (42 entries; the following 21 token entries are listed twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - WMIC.exe, PID 2076 (22 entries): the same 21 token entries in the same order (SeIncreaseQuotaPrivilege through 36), followed by one more Token: SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process), each entry listed twice:
  - PID 3588 wrote to memory of 4940 | 3588 | cmd.exe | cscript.exe
  - PID 3588 wrote to memory of 1092 | 3588 | cmd.exe | WMIC.exe
  - PID 3588 wrote to memory of 2076 | 3588 | cmd.exe | WMIC.exe
  - PID 3588 wrote to memory of 4876 | 3588 | cmd.exe | WMIC.exe
  - PID 3588 wrote to memory of 4924 | 3588 | cmd.exe | WMIC.exe
  - PID 3588 wrote to memory of 240 | 3588 | cmd.exe | WMIC.exe
  - PID 3588 wrote to memory of 4492 | 3588 | cmd.exe | reg.exe
  - PID 3588 wrote to memory of 1576 | 3588 | cmd.exe | getmac.exe
Processes (process tree; depth in parentheses)
- C:\Windows\system32\cmd.exe (1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Verse crack from feds and nex\Serialcheckers\Backup serialchecker\Serialchecker.bat"
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cscript.exe (2)
    Command line: cscript //nologo "C:\temp\popup.vbs"
  - C:\Windows\System32\Wbem\WMIC.exe (2)
    Command line: wmic baseboard get serialnumber
    Signature: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (2)
    Command line: wmic systemenclosure get serialnumber
    Signature: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (2)
    Command line: wmic path win32_computersystemproduct get uuid
  - C:\Windows\System32\Wbem\WMIC.exe (2)
    Command line: wmic bios get serialnumber
  - C:\Windows\System32\Wbem\WMIC.exe (2)
    Command line: wmic cpu get serialnumber
  - C:\Windows\system32\reg.exe (2)
    Command line: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductID
  - C:\Windows\system32\getmac.exe (2)
    Command line: getmac
Network
MITRE ATT&CK Matrix
Downloads
- C:\temp\popup.vbs
  - Filesize: 158B
  - MD5: 5e7ba0fcfadcbe82f772b97450f0a0a3
  - SHA1: 8acc8f1c23d32c59f7a0cf0f404b373e09231593
  - SHA256: d6c62b4b8789e97930036a8a9740f01c918ef2d33e4f6ac470834cbab0a5b644
  - SHA512: 3657eaf2c741b3e26700aae14254bc184716e84a2bedb6e52b79c238c96f5b3f6e4e09dd7bb6be97b22199a1166355cddc1074fb8fa373c032741b7f829865d5