Overview
Analysis
- max time kernel: 1s
- max time network: 290s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07/08/2024, 11:05
Tasks
- Static task: static1
- Behavioral task behavioral1: sample release/data/createuser.bat, resource win11-20240802-en
- Behavioral task behavioral2: sample release/data/deleteuser.bat, resource win11-20240802-en
- Behavioral task behavioral3: sample release/data/driver.sys, resource win11-20240802-en
- Behavioral task behavioral4: sample release/data/macchanger.bat, resource win11-20240802-en
- Behavioral task behavioral5: sample release/data/spoofer.bat, resource win11-20240802-en
- Behavioral task behavioral6: sample release/data/spoofer.exe, resource win11-20240802-en
- Behavioral task behavioral7: sample release/run.bat, resource win11-20240802-en
General
- Target: release/data/macchanger.bat
- Size: 2KB
- MD5: 86630f471a1c7f40e8494347f9ab8249
- SHA1: 10a2139adfb884f01799de89bf9b9ccb2a8bb460
- SHA256: c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c
- SHA512: 666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (64 IoCs): WMIC.exe (PID 2712) and WMIC.exe (PID 3408)
- Suspicious use of WriteProcessMemory (64 IoCs): cmd.exe (PIDs 1504, 3856, 3632, 1456) writing to the child processes listed in the process tree below
Processes
- C:\Windows\system32\cmd.exe (PID 1504) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\release\data\macchanger.bat"
  - C:\Windows\system32\cmd.exe (PID 3856) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2712) [Suspicious use of AdjustPrivilegeToken]: wmic nic where physicaladapter=true get deviceid
    - C:\Windows\system32\findstr.exe (PID 788): findstr [0-9]
  - C:\Windows\system32\reg.exe (PID 2012): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  - C:\Windows\system32\reg.exe (PID 1824): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  - C:\Windows\system32\reg.exe (PID 3772): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  - C:\Windows\system32\reg.exe (PID 1180): REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 96F9E71241E6 /f
  - C:\Windows\system32\cmd.exe (PID 3632) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3408) [Suspicious use of AdjustPrivilegeToken]: wmic nic where physicaladapter=true get deviceid
    - C:\Windows\system32\findstr.exe (PID 3388): findstr [0-9]
  - C:\Windows\system32\reg.exe (PID 2200): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  - C:\Windows\system32\reg.exe (PID 2084): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  - C:\Windows\system32\reg.exe (PID 2628): REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  - C:\Windows\system32\reg.exe (PID 892): REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  - C:\Windows\system32\cmd.exe (PID 1456) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 656): wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
  - C:\Windows\system32\netsh.exe (PID 2220): netsh interface set interface name="Ethernet" disable
- C:\Windows\System32\svchost.exe (PID 4212): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman