4ee66020bf8fd5606f1fa1835a6c2328aab1556035e44a2de60b87c8f8571375

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

serial_checker.bat
Size

1KB
MD5

efa2cd30989448f5690130b07ccce86a
SHA1

0c3203f67c67cf63d39894a0577f20d5dc1427e8
SHA256

86710039b7414ff861ca629c839e89eb5eaf74cff86129734c575e5716c1a552
SHA512

c2f7dfb10f311ba6684651ca4e8aee8408e5abf6c2f564ce2764c0bac8df07da0b742bedff992d2ff9f6b00a1d6b1423d09390653c0fd0d47303984183db358e

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe
Token: SeSystemProfilePrivilege	2480	WMIC.exe
Token: SeSystemtimePrivilege	2480	WMIC.exe
Token: SeProfSingleProcessPrivilege	2480	WMIC.exe
Token: SeIncBasePriorityPrivilege	2480	WMIC.exe
Token: SeCreatePagefilePrivilege	2480	WMIC.exe
Token: SeBackupPrivilege	2480	WMIC.exe
Token: SeRestorePrivilege	2480	WMIC.exe
Token: SeShutdownPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2480	WMIC.exe
Token: SeRemoteShutdownPrivilege	2480	WMIC.exe
Token: SeUndockPrivilege	2480	WMIC.exe
Token: SeManageVolumePrivilege	2480	WMIC.exe
Token: 33	2480	WMIC.exe
Token: 34	2480	WMIC.exe
Token: 35	2480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 2956 wrote to memory of 2352	2956	cmd.exe	31
PID 2956 wrote to memory of 2352	2956	cmd.exe	31
PID 2956 wrote to memory of 2352	2956	cmd.exe	31
PID 2956 wrote to memory of 2292	2956	cmd.exe	32
PID 2956 wrote to memory of 2292	2956	cmd.exe	32
PID 2956 wrote to memory of 2292	2956	cmd.exe	32
PID 2956 wrote to memory of 1504	2956	cmd.exe	33
PID 2956 wrote to memory of 1504	2956	cmd.exe	33
PID 2956 wrote to memory of 1504	2956	cmd.exe	33
PID 2956 wrote to memory of 2480	2956	cmd.exe	35
PID 2956 wrote to memory of 2480	2956	cmd.exe	35
PID 2956 wrote to memory of 2480	2956	cmd.exe	35
PID 2956 wrote to memory of 2168	2956	cmd.exe	36
PID 2956 wrote to memory of 2168	2956	cmd.exe	36
PID 2956 wrote to memory of 2168	2956	cmd.exe	36
PID 2956 wrote to memory of 768	2956	cmd.exe	37
PID 2956 wrote to memory of 768	2956	cmd.exe	37
PID 2956 wrote to memory of 768	2956	cmd.exe	37
PID 2956 wrote to memory of 1272	2956	cmd.exe	38
PID 2956 wrote to memory of 1272	2956	cmd.exe	38
PID 2956 wrote to memory of 1272	2956	cmd.exe	38
PID 2956 wrote to memory of 1128	2956	cmd.exe	39
PID 2956 wrote to memory of 1128	2956	cmd.exe	39
PID 2956 wrote to memory of 1128	2956	cmd.exe	39
PID 2956 wrote to memory of 2296	2956	cmd.exe	40
PID 2956 wrote to memory of 2296	2956	cmd.exe	40
PID 2956 wrote to memory of 2296	2956	cmd.exe	40
PID 2956 wrote to memory of 2736	2956	cmd.exe	41
PID 2956 wrote to memory of 2736	2956	cmd.exe	41
PID 2956 wrote to memory of 2736	2956	cmd.exe	41
PID 2956 wrote to memory of 2784	2956	cmd.exe	42
PID 2956 wrote to memory of 2784	2956	cmd.exe	42
PID 2956 wrote to memory of 2784	2956	cmd.exe	42
PID 2956 wrote to memory of 2780	2956	cmd.exe	43
PID 2956 wrote to memory of 2780	2956	cmd.exe	43
PID 2956 wrote to memory of 2780	2956	cmd.exe	43
PID 2956 wrote to memory of 2744	2956	cmd.exe	44
PID 2956 wrote to memory of 2744	2956	cmd.exe	44
PID 2956 wrote to memory of 2744	2956	cmd.exe	44
PID 2956 wrote to memory of 2588	2956	cmd.exe	45
PID 2956 wrote to memory of 2588	2956	cmd.exe	45
PID 2956 wrote to memory of 2588	2956	cmd.exe	45
PID 2956 wrote to memory of 2252	2956	cmd.exe	46
PID 2956 wrote to memory of 2252	2956	cmd.exe	46
PID 2956 wrote to memory of 2252	2956	cmd.exe	46
PID 2956 wrote to memory of 2616	2956	cmd.exe	47
PID 2956 wrote to memory of 2616	2956	cmd.exe	47
PID 2956 wrote to memory of 2616	2956	cmd.exe	47
PID 2956 wrote to memory of 2684	2956	cmd.exe	48
PID 2956 wrote to memory of 2684	2956	cmd.exe	48
PID 2956 wrote to memory of 2684	2956	cmd.exe	48
PID 2956 wrote to memory of 2760	2956	cmd.exe	49
PID 2956 wrote to memory of 2760	2956	cmd.exe	49
PID 2956 wrote to memory of 2760	2956	cmd.exe	49
PID 2956 wrote to memory of 2756	2956	cmd.exe	50
PID 2956 wrote to memory of 2756	2956	cmd.exe	50
PID 2956 wrote to memory of 2756	2956	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\serial_checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\mode.com
  MODE 93, 62
  2⤵
  PID:2352
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1504
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2168
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:768
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1272
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:1128
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2296
- C:\Windows\System32\Wbem\WMIC.exe
  wmic systemenclosure get serialnumber
  2⤵
  PID:2736
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2784
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:2780
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2744
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description, PNPDeviceID
  2⤵
  PID:2588
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2252
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:2616
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2684
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:2760
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2756

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads