4ee66020bf8fd5606f1fa1835a6c2328aab1556035e44a2de60b87c8f8571375

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

serial_checker.bat
Size

1KB
MD5

efa2cd30989448f5690130b07ccce86a
SHA1

0c3203f67c67cf63d39894a0577f20d5dc1427e8
SHA256

86710039b7414ff861ca629c839e89eb5eaf74cff86129734c575e5716c1a552
SHA512

c2f7dfb10f311ba6684651ca4e8aee8408e5abf6c2f564ce2764c0bac8df07da0b742bedff992d2ff9f6b00a1d6b1423d09390653c0fd0d47303984183db358e

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe
Token: 36	1868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe
Token: 36	1868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 468	552	cmd.exe	83
PID 552 wrote to memory of 468	552	cmd.exe	83
PID 552 wrote to memory of 1868	552	cmd.exe	84
PID 552 wrote to memory of 1868	552	cmd.exe	84
PID 552 wrote to memory of 2088	552	cmd.exe	85
PID 552 wrote to memory of 2088	552	cmd.exe	85
PID 552 wrote to memory of 2496	552	cmd.exe	87
PID 552 wrote to memory of 2496	552	cmd.exe	87
PID 552 wrote to memory of 4816	552	cmd.exe	88
PID 552 wrote to memory of 4816	552	cmd.exe	88
PID 552 wrote to memory of 5044	552	cmd.exe	89
PID 552 wrote to memory of 5044	552	cmd.exe	89
PID 552 wrote to memory of 1576	552	cmd.exe	90
PID 552 wrote to memory of 1576	552	cmd.exe	90
PID 552 wrote to memory of 1280	552	cmd.exe	91
PID 552 wrote to memory of 1280	552	cmd.exe	91
PID 552 wrote to memory of 3500	552	cmd.exe	92
PID 552 wrote to memory of 3500	552	cmd.exe	92
PID 552 wrote to memory of 4308	552	cmd.exe	93
PID 552 wrote to memory of 4308	552	cmd.exe	93
PID 552 wrote to memory of 3372	552	cmd.exe	94
PID 552 wrote to memory of 3372	552	cmd.exe	94
PID 552 wrote to memory of 628	552	cmd.exe	95
PID 552 wrote to memory of 628	552	cmd.exe	95
PID 552 wrote to memory of 4064	552	cmd.exe	96
PID 552 wrote to memory of 4064	552	cmd.exe	96
PID 552 wrote to memory of 3252	552	cmd.exe	97
PID 552 wrote to memory of 3252	552	cmd.exe	97
PID 552 wrote to memory of 3404	552	cmd.exe	98
PID 552 wrote to memory of 3404	552	cmd.exe	98
PID 552 wrote to memory of 1988	552	cmd.exe	99
PID 552 wrote to memory of 1988	552	cmd.exe	99
PID 552 wrote to memory of 2748	552	cmd.exe	100
PID 552 wrote to memory of 2748	552	cmd.exe	100
PID 552 wrote to memory of 2984	552	cmd.exe	101
PID 552 wrote to memory of 2984	552	cmd.exe	101
PID 552 wrote to memory of 2844	552	cmd.exe	102
PID 552 wrote to memory of 2844	552	cmd.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial_checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\mode.com
  MODE 93, 62
  2⤵
  PID:468
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2088
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:4816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:5044
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1576
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:1280
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:3500
- C:\Windows\System32\Wbem\WMIC.exe
  wmic systemenclosure get serialnumber
  2⤵
  PID:4308
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:3372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:628
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:4064
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description, PNPDeviceID
  2⤵
  PID:3252
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:3404
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:1988
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2748
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:2984
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2844

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads