988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f

General

Target

$DESKTOP/查看机器码.bat
Size

1KB
MD5

4a027f0c86eb9614e81af680b2475499
SHA1

ca79f5c7789ffd01af9c00d20f15b1077e55fc15
SHA256

6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050
SHA512

169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1780 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2616 taskkill.exe

pid	process
1780	ipconfig.exe

pid	process
2616	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2992 wrote to memory of 3024	2992	cmd.exe	mode.com
PID 2992 wrote to memory of 3024	2992	cmd.exe	mode.com
PID 2992 wrote to memory of 3024	2992	cmd.exe	mode.com
PID 2992 wrote to memory of 2616	2992	cmd.exe	taskkill.exe
PID 2992 wrote to memory of 2616	2992	cmd.exe	taskkill.exe
PID 2992 wrote to memory of 2616	2992	cmd.exe	taskkill.exe
PID 2992 wrote to memory of 2684	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2684	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2684	2992	cmd.exe	cmd.exe
PID 2684 wrote to memory of 2712	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2712	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2712	2684	cmd.exe	reg.exe
PID 2992 wrote to memory of 2596	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2596	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2596	2992	cmd.exe	cmd.exe
PID 2596 wrote to memory of 2568	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2568	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 2568	2596	cmd.exe	reg.exe
PID 2992 wrote to memory of 2536	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2536	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2536	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2732	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2732	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2732	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2576	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2576	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2576	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2412	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2412	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2412	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2476	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2476	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2476	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2468	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2468	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2468	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2184	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2184	2992	cmd.exe	cmd.exe
PID 2992 wrote to memory of 2184	2992	cmd.exe	cmd.exe
PID 2184 wrote to memory of 1780	2184	cmd.exe	ipconfig.exe
PID 2184 wrote to memory of 1780	2184	cmd.exe	ipconfig.exe
PID 2184 wrote to memory of 1780	2184	cmd.exe	ipconfig.exe
PID 2184 wrote to memory of 312	2184	cmd.exe	findstr.exe
PID 2184 wrote to memory of 312	2184	cmd.exe	findstr.exe
PID 2184 wrote to memory of 312	2184	cmd.exe	findstr.exe
PID 2992 wrote to memory of 2728	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2728	2992	cmd.exe	WMIC.exe
PID 2992 wrote to memory of 2728	2992	cmd.exe	WMIC.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$DESKTOP\查看机器码.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\mode.com
mode con cols=85 lines=90
2⤵
PID:3024

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\reg.exe
reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "SystemManufacturer"
3⤵
- Enumerates system info in registry
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\reg.exe
reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v "BaseBoardProduct"
3⤵
- Enumerates system info in registry
PID:2568

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get Name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
2⤵
PID:2576

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
2⤵
PID:2412

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
2⤵
PID:2476

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
2⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:1780

C:\Windows\system32\findstr.exe
findstr /i "├Φ╩÷ ╬∩└φ╡╪╓╖"
3⤵
PID:312

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
2⤵
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads