Overview (score 9)
Static (score 7)

Sample               Platform             Score
unban/1/1.exe        windows7-x64         9
unban/1/1.exe        windows10-2004-x64   9
unban/2/2.exe        windows7-x64         3
unban/2/2.exe        windows10-2004-x64   3
unban/3/3.exe        windows7-x64         6
unban/3/3.exe        windows10-2004-x64   6
unban/4/4.bat        windows7-x64         7
unban/4/4.bat        windows10-2004-x64   1
unban/5/Re...er.lnk  windows7-x64         3
unban/5/Re...er.lnk  windows10-2004-x64   3
unban/6/!!...!!.bat  windows7-x64         8
unban/6/!!...!!.bat  windows10-2004-x64   8
unban/6/AM...64.exe  windows7-x64         1
unban/6/AM...64.exe  windows10-2004-x64   1
unban/6/am...64.sys  windows7-x64         1
unban/6/am...64.sys  windows10-2004-x64   1
unban/6/am...64.sys  windows10-2004-x64   1
unban/9/Se...er.bat  windows7-x64         1
unban/9/Se...er.bat  windows10-2004-x64   1
Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 13:32
Behavioral task   Sample                          Resource
behavioral1       unban/1/1.exe                   win7-20240705-en
behavioral2       unban/1/1.exe                   win10v2004-20240802-en
behavioral3       unban/2/2.exe                   win7-20240708-en
behavioral4       unban/2/2.exe                   win10v2004-20240802-en
behavioral5       unban/3/3.exe                   win7-20240704-en
behavioral6       unban/3/3.exe                   win10v2004-20240802-en
behavioral7       unban/4/4.bat                   win7-20240705-en
behavioral8       unban/4/4.bat                   win10v2004-20240802-en
behavioral9       unban/5/Revo Uninstaller.lnk    win7-20240704-en
behavioral10      unban/5/Revo Uninstaller.lnk    win10v2004-20240802-en
behavioral11      unban/6/!!!!RUNME!!!!!.bat      win7-20240705-en
behavioral12      unban/6/!!!!RUNME!!!!!.bat      win10v2004-20240802-en
behavioral13      unban/6/AMIDEWINx64.exe         win7-20240705-en
behavioral14      unban/6/AMIDEWINx64.exe         win10v2004-20240802-en
behavioral15      unban/6/amifldrv64.sys          win7-20240705-en
behavioral16      unban/6/amifldrv64.sys          win10v2004-20240802-en
behavioral17      unban/6/amigendrv64.sys         win10v2004-20240802-en
behavioral18      unban/9/SerialsChecker.bat      win7-20240704-en
behavioral19      unban/9/SerialsChecker.bat      win10v2004-20240802-en
General
Target: unban/9/SerialsChecker.bat
Size: 573B
MD5: 6a896cfd61884e9b42f78b270e5c22cf
SHA1: f228f1b281724015b9460969381af9a1afe06046
SHA256: 5cd676d9bc7e707ad7e8dc48dabf9af733c81d1b836486ff5eb9d44cba788e46
SHA512: 17982e060867e323fe83908b4735f44e5fc8353608c50f3c6e9ee5c3b97643045d764f21eb402b9b3fbee0e19669391b6eab6dc0bf28e92bb1fb4a898a668eb9
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  Each IoC is recorded as "Token: <privilege> <PID> <Process>". Grouped by process:

  PID 1076, WMIC.exe: two full passes over the following 20 tokens (40 IoCs):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
    SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
    SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, 33, 34, 35

  PID 1812, WMIC.exe: one full pass over the same 20 tokens (20 IoCs), followed by
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege (4 IoCs)

- Suspicious use of WriteProcessMemory (27 IoCs)

  Each of the nine entries below is recorded three times in the report:

  Description                     PID   Process   procid_target
  PID 2116 wrote to memory of 2400  2116  cmd.exe   31
  PID 2116 wrote to memory of 1076  2116  cmd.exe   32
  PID 2116 wrote to memory of 1812  2116  cmd.exe   34
  PID 2116 wrote to memory of 2432  2116  cmd.exe   35
  PID 2116 wrote to memory of 2744  2116  cmd.exe   36
  PID 2116 wrote to memory of 2832  2116  cmd.exe   37
  PID 2116 wrote to memory of 2728  2116  cmd.exe   38
  PID 2116 wrote to memory of 2880  2116  cmd.exe   39
  PID 2116 wrote to memory of 2912  2116  cmd.exe   40
Processes
PID 2116  C:\Windows\system32\cmd.exe
          cmd /c "C:\Users\Admin\AppData\Local\Temp\unban\9\SerialsChecker.bat"
          Signatures: Suspicious use of WriteProcessMemory

    PID 2400  C:\Windows\system32\mode.com
              mode con: cols=70 lines=35

    PID 1076  C:\Windows\System32\Wbem\WMIC.exe
              wmic bios get serialnumber
              Signatures: Suspicious use of AdjustPrivilegeToken

    PID 1812  C:\Windows\System32\Wbem\WMIC.exe
              wmic csproduct get uuid
              Signatures: Suspicious use of AdjustPrivilegeToken

    PID 2432  C:\Windows\System32\Wbem\WMIC.exe
              wmic cpu get serialnumber

    PID 2744  C:\Windows\System32\Wbem\WMIC.exe
              wmic cpu get processorid

    PID 2832  C:\Windows\System32\Wbem\WMIC.exe
              wmic diskdrive get serialnumber

    PID 2728  C:\Windows\System32\Wbem\WMIC.exe
              wmic baseboard get serialnumber

    PID 2880  C:\Windows\System32\Wbem\WMIC.exe
              wmic baseboard get manufacturer

    PID 2912  C:\Windows\System32\Wbem\WMIC.exe
              wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress