4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

Resubmissions

10/07/2024, 02:30

240710-czl2gstcke 10

20/06/2024, 12:39

20/06/2024, 12:36

20/06/2024, 12:35

20/06/2024, 12:33

Analysis

max time kernel
91s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofers/serial_checker.bat
Size

437B
MD5

0c088b6adc55c20fc375badef6f7e9a7
SHA1

37c865ebfe537b94534844281e9086462f3e2462
SHA256

51f783d41ad3a807344eb9550d65cb4638793aac71f4eb4a1a11414b24e339e1
SHA512

7f82c647413f997a537148ab7d1e8a5cff9fef18561783f329485dbb67ab76a2a8defa0a7304feb7e1e79645b50b8cb2d4a069ff3ec668542fdefb1adbde6f5d

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe
Token: SeUndockPrivilege	4960	WMIC.exe
Token: SeManageVolumePrivilege	4960	WMIC.exe
Token: 33	4960	WMIC.exe
Token: 34	4960	WMIC.exe
Token: 35	4960	WMIC.exe
Token: 36	4960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe
Token: SeUndockPrivilege	4960	WMIC.exe
Token: SeManageVolumePrivilege	4960	WMIC.exe
Token: 33	4960	WMIC.exe
Token: 34	4960	WMIC.exe
Token: 35	4960	WMIC.exe
Token: 36	4960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe
Token: 34	1816	WMIC.exe
Token: 35	1816	WMIC.exe
Token: 36	1816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4960	1676	cmd.exe	85
PID 1676 wrote to memory of 4960	1676	cmd.exe	85
PID 1676 wrote to memory of 1816	1676	cmd.exe	88
PID 1676 wrote to memory of 1816	1676	cmd.exe	88
PID 1676 wrote to memory of 3008	1676	cmd.exe	89
PID 1676 wrote to memory of 3008	1676	cmd.exe	89
PID 1676 wrote to memory of 3456	1676	cmd.exe	91
PID 1676 wrote to memory of 3456	1676	cmd.exe	91
PID 1676 wrote to memory of 4068	1676	cmd.exe	93
PID 1676 wrote to memory of 4068	1676	cmd.exe	93
PID 1676 wrote to memory of 2132	1676	cmd.exe	94
PID 1676 wrote to memory of 2132	1676	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofers\serial_checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get model, serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  PID:3008
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:3456
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  PID:4068
- C:\Windows\system32\getmac.exe
  getmac
  2⤵
  PID:2132

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads