Analysis
max time kernel: 3s
max time network: 4s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 14:02
Static task: static1

Behavioral task: behavioral1
  Sample: proxy's woofer/HWID Checker.bat
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: proxy's woofer/HWID Checker.bat
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: proxy's woofer/Proxy's Spoofer V2.exe
  Resource: win7-20240903-en

Behavioral task: behavioral4
  Sample: proxy's woofer/Proxy's Spoofer V2.exe
  Resource: win10v2004-20241007-en
General
Target: proxy's woofer/HWID Checker.bat
Size: 1KB
MD5: b4ed08e55abc091d58a99bfcef1cffa2
SHA1: 6bda510a1b877ca337c4653143d5de7316a502ca
SHA256: 6351f92bd290ad479d1746f1083fa52bd75df3e7b4046694688ac9b4fd13f803
SHA512: 888dd221195599042a1d5c12574137c66099c3610afee268886cdf0fd6568758cb2c06533f8e09c6be1266e0a4f1df3ede861f51e3bfa0dfd15bf57a566fb0a2
Malware Config

Signatures

Delays execution with timeout.exe (1 IoC)
pid   Process
2788  timeout.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                          pid   Process
Token: SeIncreaseQuotaPrivilege      2548  WMIC.exe
Token: SeSecurityPrivilege           2548  WMIC.exe
Token: SeTakeOwnershipPrivilege      2548  WMIC.exe
Token: SeLoadDriverPrivilege         2548  WMIC.exe
Token: SeSystemProfilePrivilege      2548  WMIC.exe
Token: SeSystemtimePrivilege         2548  WMIC.exe
Token: SeProfSingleProcessPrivilege  2548  WMIC.exe
Token: SeIncBasePriorityPrivilege    2548  WMIC.exe
Token: SeCreatePagefilePrivilege     2548  WMIC.exe
Token: SeBackupPrivilege             2548  WMIC.exe
Token: SeRestorePrivilege            2548  WMIC.exe
Token: SeShutdownPrivilege           2548  WMIC.exe
Token: SeDebugPrivilege              2548  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2548  WMIC.exe
Token: SeRemoteShutdownPrivilege     2548  WMIC.exe
Token: SeUndockPrivilege             2548  WMIC.exe
Token: SeManageVolumePrivilege       2548  WMIC.exe
Token: 33                            2548  WMIC.exe
Token: 34                            2548  WMIC.exe
Token: 35                            2548  WMIC.exe
Token: SeIncreaseQuotaPrivilege      2548  WMIC.exe
Token: SeSecurityPrivilege           2548  WMIC.exe
Token: SeTakeOwnershipPrivilege      2548  WMIC.exe
Token: SeLoadDriverPrivilege         2548  WMIC.exe
Token: SeSystemProfilePrivilege      2548  WMIC.exe
Token: SeSystemtimePrivilege         2548  WMIC.exe
Token: SeProfSingleProcessPrivilege  2548  WMIC.exe
Token: SeIncBasePriorityPrivilege    2548  WMIC.exe
Token: SeCreatePagefilePrivilege     2548  WMIC.exe
Token: SeBackupPrivilege             2548  WMIC.exe
Token: SeRestorePrivilege            2548  WMIC.exe
Token: SeShutdownPrivilege           2548  WMIC.exe
Token: SeDebugPrivilege              2548  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2548  WMIC.exe
Token: SeRemoteShutdownPrivilege     2548  WMIC.exe
Token: SeUndockPrivilege             2548  WMIC.exe
Token: SeManageVolumePrivilege       2548  WMIC.exe
Token: 33                            2548  WMIC.exe
Token: 34                            2548  WMIC.exe
Token: 35                            2548  WMIC.exe
Token: SeIncreaseQuotaPrivilege      2432  WMIC.exe
Token: SeSecurityPrivilege           2432  WMIC.exe
Token: SeTakeOwnershipPrivilege      2432  WMIC.exe
Token: SeLoadDriverPrivilege         2432  WMIC.exe
Token: SeSystemProfilePrivilege      2432  WMIC.exe
Token: SeSystemtimePrivilege         2432  WMIC.exe
Token: SeProfSingleProcessPrivilege  2432  WMIC.exe
Token: SeIncBasePriorityPrivilege    2432  WMIC.exe
Token: SeCreatePagefilePrivilege     2432  WMIC.exe
Token: SeBackupPrivilege             2432  WMIC.exe
Token: SeRestorePrivilege            2432  WMIC.exe
Token: SeShutdownPrivilege           2432  WMIC.exe
Token: SeDebugPrivilege              2432  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2432  WMIC.exe
Token: SeRemoteShutdownPrivilege     2432  WMIC.exe
Token: SeUndockPrivilege             2432  WMIC.exe
Token: SeManageVolumePrivilege       2432  WMIC.exe
Token: 33                            2432  WMIC.exe
Token: 34                            2432  WMIC.exe
Token: 35                            2432  WMIC.exe
Token: SeIncreaseQuotaPrivilege      2432  WMIC.exe
Token: SeSecurityPrivilege           2432  WMIC.exe
Token: SeTakeOwnershipPrivilege      2432  WMIC.exe
Token: SeLoadDriverPrivilege         2432  WMIC.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                      pid  Process  procid_target
PID 524 wrote to memory of 2548  524  cmd.exe  32
PID 524 wrote to memory of 2548  524  cmd.exe  32
PID 524 wrote to memory of 2548  524  cmd.exe  32
PID 524 wrote to memory of 2432  524  cmd.exe  34
PID 524 wrote to memory of 2432  524  cmd.exe  34
PID 524 wrote to memory of 2432  524  cmd.exe  34
PID 524 wrote to memory of 2724  524  cmd.exe  35
PID 524 wrote to memory of 2724  524  cmd.exe  35
PID 524 wrote to memory of 2724  524  cmd.exe  35
PID 524 wrote to memory of 2900  524  cmd.exe  36
PID 524 wrote to memory of 2900  524  cmd.exe  36
PID 524 wrote to memory of 2900  524  cmd.exe  36
PID 524 wrote to memory of 2192  524  cmd.exe  37
PID 524 wrote to memory of 2192  524  cmd.exe  37
PID 524 wrote to memory of 2192  524  cmd.exe  37
PID 524 wrote to memory of 2736  524  cmd.exe  38
PID 524 wrote to memory of 2736  524  cmd.exe  38
PID 524 wrote to memory of 2736  524  cmd.exe  38
PID 524 wrote to memory of 2788  524  cmd.exe  40
PID 524 wrote to memory of 2788  524  cmd.exe  40
PID 524 wrote to memory of 2788  524  cmd.exe  40
Processes

[1] C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\proxy's woofer\HWID Checker.bat"
    PID: 524
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic diskdrive get serialnumber, manufacturer
        PID: 2548
        Signatures: Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic baseboard get serialnumber, manufacturer
        PID: 2432
        Signatures: Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic bios get serialnumber, manufacturer
        PID: 2724

    [2] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic cpu get ProcessorId, manufacturer
        PID: 2900

    [2] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic csproduct get uuid, IdentifyingNumber
        PID: 2192

    [2] C:\Windows\system32\getmac.exe
        Command line: getmac
        PID: 2736

    [2] C:\Windows\system32\timeout.exe
        Command line: timeout /t -01
        PID: 2788
        Signatures: Delays execution with timeout.exe