4ee66020bf8fd5606f1fa1835a6c2328aab1556035e44a2de60b87c8f8571375

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

serial_checker.bat
Size

1KB
MD5

efa2cd30989448f5690130b07ccce86a
SHA1

0c3203f67c67cf63d39894a0577f20d5dc1427e8
SHA256

86710039b7414ff861ca629c839e89eb5eaf74cff86129734c575e5716c1a552
SHA512

c2f7dfb10f311ba6684651ca4e8aee8408e5abf6c2f564ce2764c0bac8df07da0b742bedff992d2ff9f6b00a1d6b1423d09390653c0fd0d47303984183db358e

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe
Token: 33	1696	WMIC.exe
Token: 34	1696	WMIC.exe
Token: 35	1696	WMIC.exe
Token: 36	1696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe
Token: 33	1696	WMIC.exe
Token: 34	1696	WMIC.exe
Token: 35	1696	WMIC.exe
Token: 36	1696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3512	3540	cmd.exe	85
PID 3540 wrote to memory of 3512	3540	cmd.exe	85
PID 3540 wrote to memory of 1696	3540	cmd.exe	86
PID 3540 wrote to memory of 1696	3540	cmd.exe	86
PID 3540 wrote to memory of 1864	3540	cmd.exe	87
PID 3540 wrote to memory of 1864	3540	cmd.exe	87
PID 3540 wrote to memory of 4424	3540	cmd.exe	89
PID 3540 wrote to memory of 4424	3540	cmd.exe	89
PID 3540 wrote to memory of 1088	3540	cmd.exe	90
PID 3540 wrote to memory of 1088	3540	cmd.exe	90
PID 3540 wrote to memory of 1384	3540	cmd.exe	91
PID 3540 wrote to memory of 1384	3540	cmd.exe	91
PID 3540 wrote to memory of 1416	3540	cmd.exe	92
PID 3540 wrote to memory of 1416	3540	cmd.exe	92
PID 3540 wrote to memory of 2848	3540	cmd.exe	93
PID 3540 wrote to memory of 2848	3540	cmd.exe	93
PID 3540 wrote to memory of 2688	3540	cmd.exe	94
PID 3540 wrote to memory of 2688	3540	cmd.exe	94
PID 3540 wrote to memory of 2760	3540	cmd.exe	95
PID 3540 wrote to memory of 2760	3540	cmd.exe	95
PID 3540 wrote to memory of 1504	3540	cmd.exe	96
PID 3540 wrote to memory of 1504	3540	cmd.exe	96
PID 3540 wrote to memory of 3168	3540	cmd.exe	97
PID 3540 wrote to memory of 3168	3540	cmd.exe	97
PID 3540 wrote to memory of 2132	3540	cmd.exe	98
PID 3540 wrote to memory of 2132	3540	cmd.exe	98
PID 3540 wrote to memory of 4656	3540	cmd.exe	99
PID 3540 wrote to memory of 4656	3540	cmd.exe	99
PID 3540 wrote to memory of 2040	3540	cmd.exe	100
PID 3540 wrote to memory of 2040	3540	cmd.exe	100
PID 3540 wrote to memory of 4472	3540	cmd.exe	101
PID 3540 wrote to memory of 4472	3540	cmd.exe	101
PID 3540 wrote to memory of 4960	3540	cmd.exe	102
PID 3540 wrote to memory of 4960	3540	cmd.exe	102
PID 3540 wrote to memory of 3352	3540	cmd.exe	103
PID 3540 wrote to memory of 3352	3540	cmd.exe	103
PID 3540 wrote to memory of 60	3540	cmd.exe	104
PID 3540 wrote to memory of 60	3540	cmd.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial_checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\mode.com
  MODE 93, 62
  2⤵
  PID:3512
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1864
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1088
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:1384
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1416
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:2848
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2688
- C:\Windows\System32\Wbem\WMIC.exe
  wmic systemenclosure get serialnumber
  2⤵
  PID:2760
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:1504
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:3168
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2132
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description, PNPDeviceID
  2⤵
  PID:4656
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:2040
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
  2⤵
  PID:4472
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:4960
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:3352
- C:\Windows\system32\sort.exe
  sort
  2⤵
  PID:60

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads