Overview
10 Static
7 SAMWARE/SA...ee.exe (windows10-2004-x64)
5 SAMWARE/SA...er.bat (windows10-2004-x64)
1 SAMWARE/SA...er.exe (windows10-2004-x64)
9 SAMWARE/SA...EL.exe (windows10-2004-x64)
9 SAMWARE/SA...er.exe (windows10-2004-x64)
9 SAMWARE/SA...er.bat (windows10-2004-x64)
8 SAMWARE/SA...er.bat (windows10-2004-x64)
1 SAMWARE/SA...er.exe (windows10-2004-x64)
10 SAMWARE/SA...er.exe (windows10-2004-x64)
10 SAMWARE/SA...er.exe (windows10-2004-x64)
8 SAMWARE/SA...ol.bat (windows10-2004-x64)
8 Analysis
max time kernel: 69s
max time network: 74s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2024, 01:35
Behavioral tasks (task: sample, resource)
behavioral1: SAMWARE/SAMWARE/SAMWARE/SAMWARE-Free.exe, win10v2004-20240419-en
behavioral2: SAMWARE/SAMWARE/SAMWARE/Serials_Checker.bat, win10v2004-20240419-en
behavioral3: SAMWARE/SAMWARE/SAMWARE/cleaners/AppleCleaner.exe, win10v2004-20240419-en
behavioral4: SAMWARE/SAMWARE/SAMWARE/cleaners/AppleS5-DEL.exe, win10v2004-20240426-en
behavioral5: SAMWARE/SAMWARE/SAMWARE/cleaners/EventCleaner.exe, win10v2004-20240419-en
behavioral6: SAMWARE/SAMWARE/SAMWARE/cleaners/Fivem-Cleaner.bat, win10v2004-20240419-en
behavioral7: SAMWARE/SAMWARE/SAMWARE/cleaners/FortniteCleaner.bat, win10v2004-20240426-en
behavioral8: SAMWARE/SAMWARE/SAMWARE/cleaners/NXTcleaner.exe, win10v2004-20240426-en
behavioral9: SAMWARE/SAMWARE/SAMWARE/cleaners/SAMEWARECleaner.exe, win10v2004-20240419-en
behavioral10: SAMWARE/SAMWARE/SAMWARE/cleaners/SAMWAREDeepCleaner.exe, win10v2004-20240226-en
behavioral11: SAMWARE/SAMWARE/SAMWARE/cleaners/full deep cleaner by nigga mhatt lol.bat, win10v2004-20240419-en
General
Target: SAMWARE/SAMWARE/SAMWARE/Serials_Checker.bat
Size: 862B
MD5: 70b7863d0ca809751200f9300cd21033
SHA1: 8f9fca90e24ec21c00b539b82256ed6cd9712ea8
SHA256: ed63d2195825398b5523fcd9cd312b775c0fe3f4cc0472c9f06edeb8f32c325d
SHA512: d5d7d05d5e1861b88ce660c9a2939a3a7891a1e70d65171b347908b8e1c9ece9223b487fddc34a1f100e8401d2d441b1488bb7728caab47075c90fc0448041b6
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
PID 3132, WMIC.exe: the following 21-token sequence is recorded twice (42 rows):
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 3652, WMIC.exe: the same 21-token sequence recorded once, followed by one more SeIncreaseQuotaPrivilege (22 rows):
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
Each row below is recorded twice in the report:
PID 1192 wrote to memory of 1108 | 1192 | cmd.exe | 85
PID 1192 wrote to memory of 3132 | 1192 | cmd.exe | 86
PID 1192 wrote to memory of 3652 | 1192 | cmd.exe | 89
PID 1192 wrote to memory of 3196 | 1192 | cmd.exe | 90
PID 1192 wrote to memory of 1164 | 1192 | cmd.exe | 91
PID 1192 wrote to memory of 3204 | 1192 | cmd.exe | 93
PID 1192 wrote to memory of 2224 | 1192 | cmd.exe | 94
PID 1192 wrote to memory of 3236 | 1192 | cmd.exe | 95
PID 1192 wrote to memory of 5100 | 1192 | cmd.exe | 96
PID 1192 wrote to memory of 2188 | 1192 | cmd.exe | 97
Processes (child processes are indented under their parent)
C:\Windows\system32\cmd.exe (PID 1192)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SAMWARE\SAMWARE\SAMWARE\Serials_Checker.bat"
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\mode.com (PID 1108)
      Command line: mode con: cols=90 lines=48
    C:\Windows\System32\Wbem\WMIC.exe (PID 3132)
      Command line: wmic bios get serialnumber
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe (PID 3652)
      Command line: wmic csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe (PID 3196)
      Command line: wmic cpu get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe (PID 1164)
      Command line: wmic cpu get processorid
    C:\Windows\System32\Wbem\WMIC.exe (PID 3204)
      Command line: wmic diskdrive get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe (PID 2224)
      Command line: wmic baseboard get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe (PID 3236)
      Command line: wmic memorychip get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe (PID 5100)
      Command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
    C:\Windows\System32\Wbem\WMIC.exe (PID 2188)
      Command line: wmic PATH Win32_VideoController GET Description,PNPDeviceID