Analysis
max time kernel: 61s
max time network: 65s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 01-12-2024 11:45
Behavioral tasks
behavioral1: sample tri.rar, resource win10ltsc2021-20241023-en
behavioral2: sample Lunar spoofer.exe, resource win10ltsc2021-20241023-en
behavioral3: sample main.pyc, resource win10ltsc2021-20241023-en
behavioral4: sample read me.txt, resource win10ltsc2021-20241023-en
behavioral5: sample serial_checker.bat, resource win10ltsc2021-20241023-en
General
Target: serial_checker.bat
Size: 1KB
MD5: efa2cd30989448f5690130b07ccce86a
SHA1: 0c3203f67c67cf63d39894a0577f20d5dc1427e8
SHA256: 86710039b7414ff861ca629c839e89eb5eaf74cff86129734c575e5716c1a552
SHA512: c2f7dfb10f311ba6684651ca4e8aee8408e5abf6c2f564ce2764c0bac8df07da0b742bedff992d2ff9f6b00a1d6b1423d09390653c0fd0d47303984183db358e
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes (pid, process; each PID is listed four times in the report):
  568   WMIC.exe
  3296  WMIC.exe
  4648  WMIC.exe
  2184  WMIC.exe
  2388  WMIC.exe
  4072  WMIC.exe
  3580  WMIC.exe
  4008  WMIC.exe
  1700  WMIC.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process):
  pid 568 WMIC.exe, the following token sequence recorded twice:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
    SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
    SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3296 WMIC.exe, the same 21-token sequence recorded once, followed by
    SeIncreaseQuotaPrivilege

Suspicious use of WriteProcessMemory (38 IoCs)
Processes (source pid, process, target pid, procid_target; each entry is listed twice in the report):
  1972  cmd.exe  wrote to memory of  1404  (procid_target 81)
  1972  cmd.exe  wrote to memory of  568   (procid_target 82)
  1972  cmd.exe  wrote to memory of  3348  (procid_target 83)
  1972  cmd.exe  wrote to memory of  3296  (procid_target 85)
  1972  cmd.exe  wrote to memory of  3464  (procid_target 86)
  1972  cmd.exe  wrote to memory of  4648  (procid_target 87)
  1972  cmd.exe  wrote to memory of  1160  (procid_target 88)
  1972  cmd.exe  wrote to memory of  2184  (procid_target 89)
  1972  cmd.exe  wrote to memory of  4372  (procid_target 90)
  1972  cmd.exe  wrote to memory of  2388  (procid_target 91)
  1972  cmd.exe  wrote to memory of  2972  (procid_target 92)
  1972  cmd.exe  wrote to memory of  4072  (procid_target 93)
  1972  cmd.exe  wrote to memory of  8     (procid_target 94)
  1972  cmd.exe  wrote to memory of  3580  (procid_target 95)
  1972  cmd.exe  wrote to memory of  5036  (procid_target 96)
  1972  cmd.exe  wrote to memory of  4008  (procid_target 97)
  1972  cmd.exe  wrote to memory of  3888  (procid_target 98)
  1972  cmd.exe  wrote to memory of  1700  (procid_target 99)
  1972  cmd.exe  wrote to memory of  5080  (procid_target 100)
Processes (process tree; depth shown by indentation)

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\serial_checker.bat"
  PID: 1972
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com
      command line: MODE 93, 62
      PID: 1404

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic baseboard get serialnumber
      PID: 568
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 3348

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_computersystemproduct get uuid
      PID: 3296
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 3464

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic csproduct get uuid
      PID: 4648
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 1160

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic cpu get serialnumber
      PID: 2184
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 4372

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic systemenclosure get serialnumber
      PID: 2388
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 2972

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic diskdrive get serialnumber
      PID: 4072
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 8

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic PATH Win32_VideoController GET Description, PNPDeviceID
      PID: 3580
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 5036

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      PID: 4008
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 3888

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic memorychip get serialnumber
      PID: 1700
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sort.exe
      command line: sort
      PID: 5080