d3a307d6c9237b888e40f7ed3a3b590eefc1f9f9739740b03de99c1da56753c2

Analysis

max time kernel
122s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ALL GPUS OPTIMIZATION.bat
Size

2KB
MD5

a09f76a266b349793e29ccb207d4d59e
SHA1

7575cd79d84ecdfc3c7b6e3fc6af2744f3f14216
SHA256

5f08b72501a5ddd244b36c5d1a6c02e3c7555685d41fcbdae44932bc743092c8
SHA512

7cbf6ebcc30d7524c116b6a7e345dcc846279bf07f80e43a05134ef7ef7ac4e8eba3289eb6764ad659358072b81ea9fb3bc5dc5c09e71e3b10b68a550876d0fd

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 35 IoCs

evasion

pid	Process
1068	timeout.exe
1552	timeout.exe
3660	timeout.exe
4596	timeout.exe
1940	timeout.exe
4536	timeout.exe
3440	timeout.exe
1512	timeout.exe
3836	timeout.exe
1952	timeout.exe
4500	timeout.exe
3128	timeout.exe
4304	timeout.exe
1060	timeout.exe
3444	timeout.exe
1040	timeout.exe
1808	timeout.exe
2456	timeout.exe
2448	timeout.exe
3324	timeout.exe
4388	timeout.exe
4616	timeout.exe
4052	timeout.exe
4292	timeout.exe
3364	timeout.exe
4260	timeout.exe
3152	timeout.exe
4132	timeout.exe
2024	timeout.exe
2988	timeout.exe
2736	timeout.exe
3492	timeout.exe
1912	timeout.exe
4836	timeout.exe
1844	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4808	WMIC.exe
4608	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3076	WMIC.exe
Token: SeSecurityPrivilege	3076	WMIC.exe
Token: SeTakeOwnershipPrivilege	3076	WMIC.exe
Token: SeLoadDriverPrivilege	3076	WMIC.exe
Token: SeSystemProfilePrivilege	3076	WMIC.exe
Token: SeSystemtimePrivilege	3076	WMIC.exe
Token: SeProfSingleProcessPrivilege	3076	WMIC.exe
Token: SeIncBasePriorityPrivilege	3076	WMIC.exe
Token: SeCreatePagefilePrivilege	3076	WMIC.exe
Token: SeBackupPrivilege	3076	WMIC.exe
Token: SeRestorePrivilege	3076	WMIC.exe
Token: SeShutdownPrivilege	3076	WMIC.exe
Token: SeDebugPrivilege	3076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3076	WMIC.exe
Token: SeRemoteShutdownPrivilege	3076	WMIC.exe
Token: SeUndockPrivilege	3076	WMIC.exe
Token: SeManageVolumePrivilege	3076	WMIC.exe
Token: 33	3076	WMIC.exe
Token: 34	3076	WMIC.exe
Token: 35	3076	WMIC.exe
Token: 36	3076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3076	WMIC.exe
Token: SeSecurityPrivilege	3076	WMIC.exe
Token: SeTakeOwnershipPrivilege	3076	WMIC.exe
Token: SeLoadDriverPrivilege	3076	WMIC.exe
Token: SeSystemProfilePrivilege	3076	WMIC.exe
Token: SeSystemtimePrivilege	3076	WMIC.exe
Token: SeProfSingleProcessPrivilege	3076	WMIC.exe
Token: SeIncBasePriorityPrivilege	3076	WMIC.exe
Token: SeCreatePagefilePrivilege	3076	WMIC.exe
Token: SeBackupPrivilege	3076	WMIC.exe
Token: SeRestorePrivilege	3076	WMIC.exe
Token: SeShutdownPrivilege	3076	WMIC.exe
Token: SeDebugPrivilege	3076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3076	WMIC.exe
Token: SeRemoteShutdownPrivilege	3076	WMIC.exe
Token: SeUndockPrivilege	3076	WMIC.exe
Token: SeManageVolumePrivilege	3076	WMIC.exe
Token: 33	3076	WMIC.exe
Token: 34	3076	WMIC.exe
Token: 35	3076	WMIC.exe
Token: 36	3076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe
Token: SeSecurityPrivilege	4808	WMIC.exe
Token: SeTakeOwnershipPrivilege	4808	WMIC.exe
Token: SeLoadDriverPrivilege	4808	WMIC.exe
Token: SeSystemProfilePrivilege	4808	WMIC.exe
Token: SeSystemtimePrivilege	4808	WMIC.exe
Token: SeProfSingleProcessPrivilege	4808	WMIC.exe
Token: SeIncBasePriorityPrivilege	4808	WMIC.exe
Token: SeCreatePagefilePrivilege	4808	WMIC.exe
Token: SeBackupPrivilege	4808	WMIC.exe
Token: SeRestorePrivilege	4808	WMIC.exe
Token: SeShutdownPrivilege	4808	WMIC.exe
Token: SeDebugPrivilege	4808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4808	WMIC.exe
Token: SeRemoteShutdownPrivilege	4808	WMIC.exe
Token: SeUndockPrivilege	4808	WMIC.exe
Token: SeManageVolumePrivilege	4808	WMIC.exe
Token: 33	4808	WMIC.exe
Token: 34	4808	WMIC.exe
Token: 35	4808	WMIC.exe
Token: 36	4808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4808	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1624	5072	cmd.exe	80
PID 5072 wrote to memory of 1624	5072	cmd.exe	80
PID 5072 wrote to memory of 556	5072	cmd.exe	81
PID 5072 wrote to memory of 556	5072	cmd.exe	81
PID 556 wrote to memory of 3076	556	cmd.exe	82
PID 556 wrote to memory of 3076	556	cmd.exe	82
PID 5072 wrote to memory of 4936	5072	cmd.exe	84
PID 5072 wrote to memory of 4936	5072	cmd.exe	84
PID 4936 wrote to memory of 4808	4936	cmd.exe	85
PID 4936 wrote to memory of 4808	4936	cmd.exe	85
PID 5072 wrote to memory of 3488	5072	cmd.exe	86
PID 5072 wrote to memory of 3488	5072	cmd.exe	86
PID 3488 wrote to memory of 4724	3488	cmd.exe	87
PID 3488 wrote to memory of 4724	3488	cmd.exe	87
PID 5072 wrote to memory of 2916	5072	cmd.exe	88
PID 5072 wrote to memory of 2916	5072	cmd.exe	88
PID 2916 wrote to memory of 3788	2916	cmd.exe	89
PID 2916 wrote to memory of 3788	2916	cmd.exe	89
PID 5072 wrote to memory of 5056	5072	cmd.exe	91
PID 5072 wrote to memory of 5056	5072	cmd.exe	91
PID 5072 wrote to memory of 3676	5072	cmd.exe	92
PID 5072 wrote to memory of 3676	5072	cmd.exe	92
PID 5072 wrote to memory of 2820	5072	cmd.exe	93
PID 5072 wrote to memory of 2820	5072	cmd.exe	93
PID 5072 wrote to memory of 776	5072	cmd.exe	94
PID 5072 wrote to memory of 776	5072	cmd.exe	94
PID 5072 wrote to memory of 3824	5072	cmd.exe	95
PID 5072 wrote to memory of 3824	5072	cmd.exe	95
PID 5072 wrote to memory of 1020	5072	cmd.exe	96
PID 5072 wrote to memory of 1020	5072	cmd.exe	96
PID 5072 wrote to memory of 1480	5072	cmd.exe	97
PID 5072 wrote to memory of 1480	5072	cmd.exe	97
PID 1480 wrote to memory of 1628	1480	cmd.exe	98
PID 1480 wrote to memory of 1628	1480	cmd.exe	98
PID 1480 wrote to memory of 2488	1480	cmd.exe	99
PID 1480 wrote to memory of 2488	1480	cmd.exe	99
PID 5072 wrote to memory of 1552	5072	cmd.exe	100
PID 5072 wrote to memory of 1552	5072	cmd.exe	100
PID 5072 wrote to memory of 3660	5072	cmd.exe	101
PID 5072 wrote to memory of 3660	5072	cmd.exe	101
PID 5072 wrote to memory of 1060	5072	cmd.exe	102
PID 5072 wrote to memory of 1060	5072	cmd.exe	102
PID 5072 wrote to memory of 4596	5072	cmd.exe	103
PID 5072 wrote to memory of 4596	5072	cmd.exe	103
PID 5072 wrote to memory of 4132	5072	cmd.exe	104
PID 5072 wrote to memory of 4132	5072	cmd.exe	104
PID 5072 wrote to memory of 3836	5072	cmd.exe	105
PID 5072 wrote to memory of 3836	5072	cmd.exe	105
PID 5072 wrote to memory of 2736	5072	cmd.exe	106
PID 5072 wrote to memory of 2736	5072	cmd.exe	106
PID 5072 wrote to memory of 4388	5072	cmd.exe	107
PID 5072 wrote to memory of 4388	5072	cmd.exe	107
PID 5072 wrote to memory of 2024	5072	cmd.exe	108
PID 5072 wrote to memory of 2024	5072	cmd.exe	108
PID 5072 wrote to memory of 1952	5072	cmd.exe	109
PID 5072 wrote to memory of 1952	5072	cmd.exe	109
PID 5072 wrote to memory of 2988	5072	cmd.exe	110
PID 5072 wrote to memory of 2988	5072	cmd.exe	110
PID 5072 wrote to memory of 1940	5072	cmd.exe	111
PID 5072 wrote to memory of 1940	5072	cmd.exe	111
PID 5072 wrote to memory of 3492	5072	cmd.exe	112
PID 5072 wrote to memory of 3492	5072	cmd.exe	112
PID 5072 wrote to memory of 4260	5072	cmd.exe	113
PID 5072 wrote to memory of 4260	5072	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ALL GPUS OPTIMIZATION.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\mode.com
  mode 85,10
  2⤵
  PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get name /format: value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name /format: value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name /format: value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name /format: value
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController GET adapterram /format: value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController GET adapterram /format: value
    3⤵
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController GET DriverVersion /format: value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController GET DriverVersion /format: value
    3⤵
    PID:3788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\amdkmdap\Parameters" /v "ThreadPriority" /t REG_DWORD /d "31" /f
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Intel\GMM" /v "DedicatedSegmentSize" /t REG_DWORD /d "00000512" /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v "ThreadPriority" /t REG_DWORD /d "31" /f
  2⤵
  PID:2820
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:776
- C:\Windows\system32\mode.com
  mode 70,6
  2⤵
  PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy/Z "C:\Users\Admin\AppData\Local\Temp\ALL GPUS OPTIMIZATION.bat" nul
  2⤵
  PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $H|cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $H"
    3⤵
    PID:1628
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2488
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1552
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3660
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1060
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4596
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4132
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3836
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:2736
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4388
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:2024
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1952
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:2988
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1940
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3492
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4260
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4500
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1808
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3128
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4616
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1912
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4836
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1844
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:2456
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3444
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4536
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4052
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3440
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1512
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:2448
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3324
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1068
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4304
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:4292
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3152
- C:\Windows\system32\timeout.exe
  timeout.exe 1
  2⤵
  - Delays execution with timeout.exe
  PID:3364
- C:\Windows\system32\mode.com
  mode 85,10
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get name /format: value
  2⤵
  PID:3104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name /format: value
    3⤵
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name /format: value
  2⤵
  PID:3680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name /format: value
    3⤵
    - Detects videocard installed
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController GET adapterram /format: value
  2⤵
  PID:3456
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController GET adapterram /format: value
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController GET DriverVersion /format: value
  2⤵
  PID:4644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController GET DriverVersion /format: value
    3⤵
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads