4ee66020bf8fd5606f1fa1835a6c2328aab1556035e44a2de60b87c8f8571375

Analysis

max time kernel
12s
max time network
16s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

serial_checker.bat
Size

1KB
MD5

efa2cd30989448f5690130b07ccce86a
SHA1

0c3203f67c67cf63d39894a0577f20d5dc1427e8
SHA256

86710039b7414ff861ca629c839e89eb5eaf74cff86129734c575e5716c1a552
SHA512

c2f7dfb10f311ba6684651ca4e8aee8408e5abf6c2f564ce2764c0bac8df07da0b742bedff992d2ff9f6b00a1d6b1423d09390653c0fd0d47303984183db358e

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	Process
4364	WMIC.exe
4364	WMIC.exe
4364	WMIC.exe
4364	WMIC.exe
2716	WMIC.exe
2716	WMIC.exe
2716	WMIC.exe
2716	WMIC.exe
1668	WMIC.exe
1668	WMIC.exe
1668	WMIC.exe
1668	WMIC.exe
2372	WMIC.exe
2372	WMIC.exe
2372	WMIC.exe
2372	WMIC.exe
2372	WMIC.exe
228	WMIC.exe
228	WMIC.exe
228	WMIC.exe
228	WMIC.exe
2948	WMIC.exe
2948	WMIC.exe
2948	WMIC.exe
2948	WMIC.exe
4592	WMIC.exe
4592	WMIC.exe
4592	WMIC.exe
4592	WMIC.exe
4652	WMIC.exe
4652	WMIC.exe
4652	WMIC.exe
4652	WMIC.exe
1076	WMIC.exe
1076	WMIC.exe
1076	WMIC.exe
1076	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe
Token: 34	4364	WMIC.exe
Token: 35	4364	WMIC.exe
Token: 36	4364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe
Token: 34	4364	WMIC.exe
Token: 35	4364	WMIC.exe
Token: 36	4364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2716	WMIC.exe
Token: SeSecurityPrivilege	2716	WMIC.exe
Token: SeTakeOwnershipPrivilege	2716	WMIC.exe
Token: SeLoadDriverPrivilege	2716	WMIC.exe
Token: SeSystemProfilePrivilege	2716	WMIC.exe
Token: SeSystemtimePrivilege	2716	WMIC.exe
Token: SeProfSingleProcessPrivilege	2716	WMIC.exe
Token: SeIncBasePriorityPrivilege	2716	WMIC.exe
Token: SeCreatePagefilePrivilege	2716	WMIC.exe
Token: SeBackupPrivilege	2716	WMIC.exe
Token: SeRestorePrivilege	2716	WMIC.exe
Token: SeShutdownPrivilege	2716	WMIC.exe
Token: SeDebugPrivilege	2716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2716	WMIC.exe
Token: SeRemoteShutdownPrivilege	2716	WMIC.exe
Token: SeUndockPrivilege	2716	WMIC.exe
Token: SeManageVolumePrivilege	2716	WMIC.exe
Token: 33	2716	WMIC.exe
Token: 34	2716	WMIC.exe
Token: 35	2716	WMIC.exe
Token: 36	2716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2716	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 1084 wrote to memory of 4448	1084	cmd.exe	81
PID 1084 wrote to memory of 4448	1084	cmd.exe	81
PID 1084 wrote to memory of 4364	1084	cmd.exe	82
PID 1084 wrote to memory of 4364	1084	cmd.exe	82
PID 1084 wrote to memory of 2060	1084	cmd.exe	83
PID 1084 wrote to memory of 2060	1084	cmd.exe	83
PID 1084 wrote to memory of 2716	1084	cmd.exe	85
PID 1084 wrote to memory of 2716	1084	cmd.exe	85
PID 1084 wrote to memory of 2176	1084	cmd.exe	86
PID 1084 wrote to memory of 2176	1084	cmd.exe	86
PID 1084 wrote to memory of 1668	1084	cmd.exe	87
PID 1084 wrote to memory of 1668	1084	cmd.exe	87
PID 1084 wrote to memory of 1420	1084	cmd.exe	88
PID 1084 wrote to memory of 1420	1084	cmd.exe	88
PID 1084 wrote to memory of 2372	1084	cmd.exe	89
PID 1084 wrote to memory of 2372	1084	cmd.exe	89
PID 1084 wrote to memory of 3248	1084	cmd.exe	90
PID 1084 wrote to memory of 3248	1084	cmd.exe	90
PID 1084 wrote to memory of 228	1084	cmd.exe	91
PID 1084 wrote to memory of 228	1084	cmd.exe	91
PID 1084 wrote to memory of 1088	1084	cmd.exe	92
PID 1084 wrote to memory of 1088	1084	cmd.exe	92
PID 1084 wrote to memory of 2948	1084	cmd.exe	93
PID 1084 wrote to memory of 2948	1084	cmd.exe	93
PID 1084 wrote to memory of 2708	1084	cmd.exe	94
PID 1084 wrote to memory of 2708	1084	cmd.exe	94
PID 1084 wrote to memory of 4592	1084	cmd.exe	95
PID 1084 wrote to memory of 4592	1084	cmd.exe	95
PID 1084 wrote to memory of 1884	1084	cmd.exe	96
PID 1084 wrote to memory of 1884	1084	cmd.exe	96
PID 1084 wrote to memory of 4652	1084	cmd.exe	97
PID 1084 wrote to memory of 4652	1084	cmd.exe	97
PID 1084 wrote to memory of 4664	1084	cmd.exe	98
PID 1084 wrote to memory of 4664	1084	cmd.exe	98
PID 1084 wrote to memory of 1076	1084	cmd.exe	99
PID 1084 wrote to memory of 1076	1084	cmd.exe	99
PID 1084 wrote to memory of 3740	1084	cmd.exe	100
PID 1084 wrote to memory of 3740	1084	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial_checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\mode.com
  MODE 93, 62
  2⤵
  PID:4448
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2060
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1420
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:3248
- C:\Windows\System32\Wbem\WMIC.exe
  wmic systemenclosure get serialnumber
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1088
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2708
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description, PNPDeviceID
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1884
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:4664
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:3740

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads