Resubmissions
Submitted            Task ID              Score
05/09/2024, 22:37    240905-2j5w4asgkd    8
05/09/2024, 22:36    240905-2jlhfssfrc    8
05/09/2024, 22:33    240905-2gxspssbmr    8
Analysis
max time kernel
420s
max time network
1144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
05/09/2024, 22:36
Static task
static1
Behavioral task
behavioral1
Sample
RUN AS ADMIN TO SPOOF.bat
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
RUN AS ADMIN TO SPOOF.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Win32K.sys
Resource
win10v2004-20240802-en
General
Target
RUN AS ADMIN TO SPOOF.bat
Size
1KB
MD5
8a9849441d8d4558339e98021b7be04c
SHA1
24ac30df4477d55d3f02910fe7df4bf5c912ca3d
SHA256
0fdbbfa21b02232eb1dc2882bccdffd966d046aac95e6fa8a20ce7470173097f
SHA512
b48cb72b4bb81a95bf29f8211d98e6aeb65f83b8a3a1a21b70c9392e83fcb27f6b5eb799934590f0d22a6f2fd6449faa9249c2a65ab179258d6aa594c01401ba
Malware Config
Signatures
Creates new service(s)  2 TTPs
Launches sc.exe  3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
4356  sc.exe
3820  sc.exe
2696  sc.exe
Kills process with taskkill  1 IoCs
pid   Process
1808  taskkill.exe
Suspicious behavior: LoadsDriver  1 IoCs
pid   Process
656   Process not Found
Suspicious use of AdjustPrivilegeToken  64 IoCs
pid   Process       Tokens (description column: "Token: <name>")
4764  WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (each of these 21 tokens is listed twice for this pid, 42 entries)
1808  taskkill.exe  SeDebugPrivilege
3284  WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries)
Suspicious use of WriteProcessMemory  16 IoCs
description                        pid   Process  procid_target  (each row appears twice in the source, 16 entries)
PID 1244 wrote to memory of 4764   1244  cmd.exe  86
PID 1244 wrote to memory of 4600   1244  cmd.exe  88
PID 1244 wrote to memory of 4356   1244  cmd.exe  89
PID 1244 wrote to memory of 2696   1244  cmd.exe  90
PID 1244 wrote to memory of 3820   1244  cmd.exe  91
PID 1244 wrote to memory of 1808   1244  cmd.exe  92
PID 1244 wrote to memory of 3284   1244  cmd.exe  93
PID 1244 wrote to memory of 2112   1244  cmd.exe  96
Processes
1  C:\Windows\system32\cmd.exe
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RUN AS ADMIN TO SPOOF.bat"
   Suspicious use of WriteProcessMemory
   PID: 1244
  2  C:\Windows\System32\Wbem\WMIC.exe
     wmic diskdrive get serialnumber
     Suspicious use of AdjustPrivilegeToken
     PID: 4764
  2  C:\Windows\system32\cacls.exe
     "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
     PID: 4600
  2  C:\Windows\system32\sc.exe
     sc delete Win32KSys
     Launches sc.exe
     PID: 4356
  2  C:\Windows\system32\sc.exe
     sc create Win32KSys type=kernel error=ignore binpath="C:\Windows\System32\Drivers\Win32K.sys" start=auto
     Launches sc.exe
     PID: 2696
  2  C:\Windows\system32\sc.exe
     sc start Win32KSys
     Launches sc.exe
     PID: 3820
  2  C:\Windows\system32\taskkill.exe
     taskkill /im WmiPrvSE.exe /f /t
     Kills process with taskkill
     Suspicious use of AdjustPrivilegeToken
     PID: 1808
  2  C:\Windows\System32\Wbem\WMIC.exe
     wmic diskdrive get serialnumber
     Suspicious use of AdjustPrivilegeToken
     PID: 3284
  2  C:\Windows\System32\Wbem\WMIC.exe
     wmic baseboard get pluh
     PID: 2112
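The process tree above is the whole technique: the batch file reads the disk serial through WMI, removes and re-creates a kernel-mode service named Win32KSys whose binary is C:\Windows\System32\Drivers\Win32K.sys, starts it, kills WmiPrvSE.exe so the WMI provider host is respawned, and reads the serial again. Two details matter for detection. First, the driver name is borrowed: the genuine win32k.sys lives in C:\Windows\System32, not System32\Drivers, so a kernel service whose image carries a well-known module name from the wrong directory is a strong signal on its own. Second, the sandbox could not attribute the LoadsDriver event (pid 656, "Process not Found"), and the driver's own behaviour is a separate task (behavioral3), so this report says nothing about what Win32K.sys does once loaded; the before-and-after serial queries bracketing the load and the WmiPrvSE.exe kill are consistent with a filter that answers the identity query differently, but that is inference, not something shown here.

The following is an added example written for this page, not tooling from the sandbox or from the sample's author. It runs a detection for this chain over process-creation events. The event shape (pid, ppid, image, cmdline) and the sample records are constructed for the example and modelled on the tree above, not taken from the raw sandbox log; the module inventory holds only the one entry this sample needs.

```python
"""Detect the disk-serial spoofing chain (kernel service with a borrowed driver name,
WMI provider host killed, serial read before and after) in process-creation events.
Added example for this page; event shape and sample records are constructed."""
import re
from collections import defaultdict

# Directory where the genuine copy of a well-known Windows module lives (lower-case).
# Assumption: a real deployment would generate this from a known-good build; only the
# entry this sample needs is listed. win32k.sys is genuinely in System32, not in Drivers.
GENUINE_MODULE_DIR = {
    "win32k.sys": r"c:\windows\system32",
}

# Constructed events shaped after the report's process tree (ppid 900/777 are made up).
SAMPLE_EVENTS = [
    {"pid": 1244, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RUN AS ADMIN TO SPOOF.bat"'},
    {"pid": 4764, "ppid": 1244, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic diskdrive get serialnumber"},
    {"pid": 4356, "ppid": 1244, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": "sc delete Win32KSys"},
    {"pid": 2696, "ppid": 1244, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'sc create Win32KSys type=kernel error=ignore binpath="C:\Windows\System32\Drivers\Win32K.sys" start=auto'},
    {"pid": 3820, "ppid": 1244, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": "sc start Win32KSys"},
    {"pid": 1808, "ppid": 1244, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /im WmiPrvSE.exe /f /t"},
    {"pid": 3284, "ppid": 1244, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic diskdrive get serialnumber"},
    # Benign control: a driver installed under its own name, with sc's "key= value" spacing.
    {"pid": 5100, "ppid": 777, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'sc create vendnic type= kernel binpath= "C:\Windows\System32\drivers\vendnic.sys"'},
]

# sc accepts both "type=kernel" (as in the batch file) and the documented "type= kernel".
SC_ARG = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')

def parse_sc_create(cmdline):
    """Return {'name': ..., 'type': ..., 'binpath': ...} for an `sc create` line, else None."""
    parts = cmdline.split(None, 3)
    if len(parts) < 3 or parts[1].lower() != "create":
        return None
    svc = {"name": parts[2]}
    for key, val in SC_ARG.findall(parts[3] if len(parts) > 3 else ""):
        svc[key.lower()] = val.strip('"')
    return svc

def masquerade(binpath):
    """True when the driver file borrows a well-known module name from a different directory."""
    path = binpath.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    expected = GENUINE_MODULE_DIR.get(name)
    return expected is not None and directory != expected

def analyze(events):
    """Tag each suspicious event; returns a list of (ppid, tag, detail) tuples."""
    findings = []
    for ev in events:
        image = ev["image"].lower().rpartition("\\")[2]
        cmd = ev["cmdline"]
        if image == "sc.exe":
            svc = parse_sc_create(cmd)
            if svc and svc.get("type", "").lower() == "kernel":
                tag = "kernel_driver_masquerade" if masquerade(svc.get("binpath", "")) else "kernel_driver_install"
                findings.append((ev["ppid"], tag, f"{svc['name']} -> {svc.get('binpath')}"))
            elif re.match(r"\S+\s+start\s+", cmd, re.I):
                findings.append((ev["ppid"], "service_start", cmd))
        elif image == "taskkill.exe" and re.search(r"/im\s+wmiprvse\.exe", cmd, re.I):
            findings.append((ev["ppid"], "wmi_provider_killed", cmd))
        elif image == "wmic.exe" and re.search(r"diskdrive\s+get\s+serialnumber", cmd, re.I):
            findings.append((ev["ppid"], "disk_serial_query", cmd))
    return findings

# A parent whose children cover all four tags is reported as a spoofing chain; the
# individual tags are still worth alerting on their own at lower severity.
SPOOF_CHAIN = {"kernel_driver_masquerade", "service_start", "wmi_provider_killed", "disk_serial_query"}

def spoofing_chains(events):
    """Group findings by parent pid and return the parents that exhibit the full chain."""
    tags_by_parent = defaultdict(set)
    for ppid, tag, _ in analyze(events):
        tags_by_parent[ppid].add(tag)
    return {ppid: sorted(tags) for ppid, tags in tags_by_parent.items() if SPOOF_CHAIN <= tags}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print("spoofing chains by parent pid:", spoofing_chains(SAMPLE_EVENTS))
```

Grouping by parent pid is what separates this from a noisy single-event rule: the benign control (a driver installed under its own name, from the expected directory, by an unrelated parent) produces only a low-severity kernel_driver_install finding, while the chain under pid 1244 is reported as a whole. The same chain would also surface in the Service Control Manager's service-installation events, which record the service name and image path even when process command lines are not collected.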