49453b589ffcc62183134e9f90bce44115773a0eec093b0d0b2c5494ee4ed8b9

Resubmissions

02-08-2024 14:36

240802-ryvdssxgqm 8

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Serial Checker/Checker.exe
Size

409KB
MD5

5ae052bc0a1c37418eb07b02de4ac4ae
SHA1

41be7d4bd78144784b4b35694d72c0f321f0e324
SHA256

afccfaac810fbb349b1ad9c770ba8256f7f726fc2ca327d49f6f5ab0240ee265
SHA512

91db77b0a6184a066430f89ce68e8ed3e6ce80d33843d4bbb07a467d9a164f63db2e3d7bcf2b32e65e890b30099f0da7c5ac28134af026f309ae9366f4391ce2
SSDEEP

6144:/NTbbNcOmdeyytlrL0QRWd09EaP0LS/6SrIR+Nk04XA:V0MyyD0QRWd09L8LTSrp4

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2840	Checker.exe
2840	Checker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2612	WMIC.exe
Token: SeSecurityPrivilege	2612	WMIC.exe
Token: SeTakeOwnershipPrivilege	2612	WMIC.exe
Token: SeLoadDriverPrivilege	2612	WMIC.exe
Token: SeSystemProfilePrivilege	2612	WMIC.exe
Token: SeSystemtimePrivilege	2612	WMIC.exe
Token: SeProfSingleProcessPrivilege	2612	WMIC.exe
Token: SeIncBasePriorityPrivilege	2612	WMIC.exe
Token: SeCreatePagefilePrivilege	2612	WMIC.exe
Token: SeBackupPrivilege	2612	WMIC.exe
Token: SeRestorePrivilege	2612	WMIC.exe
Token: SeShutdownPrivilege	2612	WMIC.exe
Token: SeDebugPrivilege	2612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2612	WMIC.exe
Token: SeRemoteShutdownPrivilege	2612	WMIC.exe
Token: SeUndockPrivilege	2612	WMIC.exe
Token: SeManageVolumePrivilege	2612	WMIC.exe
Token: 33	2612	WMIC.exe
Token: 34	2612	WMIC.exe
Token: 35	2612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2612	WMIC.exe
Token: SeSecurityPrivilege	2612	WMIC.exe
Token: SeTakeOwnershipPrivilege	2612	WMIC.exe
Token: SeLoadDriverPrivilege	2612	WMIC.exe
Token: SeSystemProfilePrivilege	2612	WMIC.exe
Token: SeSystemtimePrivilege	2612	WMIC.exe
Token: SeProfSingleProcessPrivilege	2612	WMIC.exe
Token: SeIncBasePriorityPrivilege	2612	WMIC.exe
Token: SeCreatePagefilePrivilege	2612	WMIC.exe
Token: SeBackupPrivilege	2612	WMIC.exe
Token: SeRestorePrivilege	2612	WMIC.exe
Token: SeShutdownPrivilege	2612	WMIC.exe
Token: SeDebugPrivilege	2612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2612	WMIC.exe
Token: SeRemoteShutdownPrivilege	2612	WMIC.exe
Token: SeUndockPrivilege	2612	WMIC.exe
Token: SeManageVolumePrivilege	2612	WMIC.exe
Token: 33	2612	WMIC.exe
Token: 34	2612	WMIC.exe
Token: 35	2612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2884	2840	Checker.exe	31
PID 2840 wrote to memory of 2884	2840	Checker.exe	31
PID 2840 wrote to memory of 2884	2840	Checker.exe	31
PID 2840 wrote to memory of 2728	2840	Checker.exe	32
PID 2840 wrote to memory of 2728	2840	Checker.exe	32
PID 2840 wrote to memory of 2728	2840	Checker.exe	32
PID 2840 wrote to memory of 2888	2840	Checker.exe	33
PID 2840 wrote to memory of 2888	2840	Checker.exe	33
PID 2840 wrote to memory of 2888	2840	Checker.exe	33
PID 2888 wrote to memory of 2612	2888	cmd.exe	34
PID 2888 wrote to memory of 2612	2888	cmd.exe	34
PID 2888 wrote to memory of 2612	2888	cmd.exe	34
PID 2840 wrote to memory of 1032	2840	Checker.exe	36
PID 2840 wrote to memory of 1032	2840	Checker.exe	36
PID 2840 wrote to memory of 1032	2840	Checker.exe	36
PID 1032 wrote to memory of 2768	1032	cmd.exe	37
PID 1032 wrote to memory of 2768	1032	cmd.exe	37
PID 1032 wrote to memory of 2768	1032	cmd.exe	37
PID 2840 wrote to memory of 2600	2840	Checker.exe	38
PID 2840 wrote to memory of 2600	2840	Checker.exe	38
PID 2840 wrote to memory of 2600	2840	Checker.exe	38
PID 2600 wrote to memory of 2620	2600	cmd.exe	39
PID 2600 wrote to memory of 2620	2600	cmd.exe	39
PID 2600 wrote to memory of 2620	2600	cmd.exe	39
PID 2840 wrote to memory of 1212	2840	Checker.exe	40
PID 2840 wrote to memory of 1212	2840	Checker.exe	40
PID 2840 wrote to memory of 1212	2840	Checker.exe	40
PID 1212 wrote to memory of 3068	1212	cmd.exe	41
PID 1212 wrote to memory of 3068	1212	cmd.exe	41
PID 1212 wrote to memory of 3068	1212	cmd.exe	41
PID 2840 wrote to memory of 2228	2840	Checker.exe	42
PID 2840 wrote to memory of 2228	2840	Checker.exe	42
PID 2840 wrote to memory of 2228	2840	Checker.exe	42
PID 2228 wrote to memory of 1984	2228	cmd.exe	43
PID 2228 wrote to memory of 1984	2228	cmd.exe	43
PID 2228 wrote to memory of 1984	2228	cmd.exe	43
PID 2840 wrote to memory of 604	2840	Checker.exe	44
PID 2840 wrote to memory of 604	2840	Checker.exe	44
PID 2840 wrote to memory of 604	2840	Checker.exe	44
PID 604 wrote to memory of 264	604	cmd.exe	45
PID 604 wrote to memory of 264	604	cmd.exe	45
PID 604 wrote to memory of 264	604	cmd.exe	45
PID 2840 wrote to memory of 1348	2840	Checker.exe	46
PID 2840 wrote to memory of 1348	2840	Checker.exe	46
PID 2840 wrote to memory of 1348	2840	Checker.exe	46
PID 1348 wrote to memory of 1272	1348	cmd.exe	47
PID 1348 wrote to memory of 1272	1348	cmd.exe	47
PID 1348 wrote to memory of 1272	1348	cmd.exe	47
PID 2840 wrote to memory of 2236	2840	Checker.exe	48
PID 2840 wrote to memory of 2236	2840	Checker.exe	48
PID 2840 wrote to memory of 2236	2840	Checker.exe	48
PID 2840 wrote to memory of 1052	2840	Checker.exe	49
PID 2840 wrote to memory of 1052	2840	Checker.exe	49
PID 2840 wrote to memory of 1052	2840	Checker.exe	49
PID 1052 wrote to memory of 2012	1052	cmd.exe	50
PID 1052 wrote to memory of 2012	1052	cmd.exe	50
PID 1052 wrote to memory of 2012	1052	cmd.exe	50
PID 2840 wrote to memory of 2464	2840	Checker.exe	51
PID 2840 wrote to memory of 2464	2840	Checker.exe	51
PID 2840 wrote to memory of 2464	2840	Checker.exe	51
PID 2464 wrote to memory of 2148	2464	cmd.exe	52
PID 2464 wrote to memory of 2148	2464	cmd.exe	52
PID 2464 wrote to memory of 2148	2464	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\Serial Checker\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Serial Checker\Checker.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get name, serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get name, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic logicaldisk get name, volumeserialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get name, volumeserialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic systemenclosure get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic systemenclosure get serialnumber
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where 'PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'' get MacAddress
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter where 'PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'' get MacAddress
    3⤵
    PID:264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get partnumber,serialnumber, ProcessorId
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get partnumber,serialnumber, ProcessorId
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c nvidia-smi -L
  2⤵
  PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get SerialNumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get SerialNumber
    3⤵
    PID:2148

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads