Analysis
max time kernel: 134s
max time network: 135s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08/08/2024, 01:30
Static task
static1

Behavioral tasks
task         sample    resource                signatures  time
behavioral1  PROC.bat  win7-20240708-en        2           150 seconds
behavioral2  PROC.bat  win10-20240404-en       2           150 seconds
behavioral3  PROC.bat  win10v2004-20240802-en  2           150 seconds
behavioral4  PROC.bat  win11-20240802-en       2           150 seconds
General
Target: PROC.bat
Size: 642B
MD5: f4550c022655c5532ac88468d636cd5d
SHA1: 0eda224c007f4d7bba19ce18a7fd00eb0b9cdcde
SHA256: af40a749954f12b5b0b40dfbc9b7490e2bba67b4de06cfc2a09042db34d6d27b
SHA512: 977f7f0f902fd17d14e502943749f89f238e03971ae77a7960864bbb5400133a2fdc8e9b4e641cd3272d64b77e9d935a06add477dacb75ec53de257bc2ba8db1
Score: 1/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Columns in the report: description / pid / Process. Every one of the 64 rows has Process = WMIC.exe, and the same set of 21 token adjustments recurs, so the rows are grouped here by pid in their original order.

pid 5068, WMIC.exe: two passes of the following 21 tokens, in this order (42 rows):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

pid 4996, WMIC.exe: one pass of the same 21 tokens in the same order (21 rows), followed by one further row:
  Token: SeIncreaseQuotaPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process  procid_target
PID 2324 wrote to memory of 4588  2324  cmd.exe  74
PID 2324 wrote to memory of 4588  2324  cmd.exe  74
PID 2324 wrote to memory of 5068  2324  cmd.exe  75
PID 2324 wrote to memory of 5068  2324  cmd.exe  75
PID 2324 wrote to memory of 4996  2324  cmd.exe  77
PID 2324 wrote to memory of 4996  2324  cmd.exe  77
PID 2324 wrote to memory of 96    2324  cmd.exe  78
PID 2324 wrote to memory of 96    2324  cmd.exe  78
Processes

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PROC.bat"
  PID: 2324
  signatures: Suspicious use of WriteProcessMemory
  child processes:
    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 4588
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic cpu get Name
      PID: 5068
      signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic cpu get Name
      PID: 4996
      signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\findstr.exe
      command line: findstr /C:"Intel Core Processor (Broadwell)"
      PID: 96