Overview
Static score: 10
Behavioral task scores (sample names are truncated in the source; full paths are listed under Analysis):
  5   PERM 11-12...ol.exe   windows10-ltsc 2021-x64
  10  PERM 11-12...gs.vbs   windows10-ltsc 2021-x64
  7   PERM 11-12...ll.bat   windows10-ltsc 2021-x64
  7   PERM 11-12...64.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...86.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...64.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...86.exe   windows10-ltsc 2021-x64
  -   PERM 11-12...64.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...86.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...64.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...86.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...64.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...86.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...64.exe   windows10-ltsc 2021-x64
  4   PERM 11-12...86.exe   windows10-ltsc 2021-x64
  4   PERM 11-12...er.exe   windows10-ltsc 2021-x64
  10  PERM 11-12...up.exe   windows10-ltsc 2021-x64
  7   PERM 11-12...er.bat   windows10-ltsc 2021-x64
  3   PERM 11-12...er.exe   windows10-ltsc 2021-x64
Analysis
max time kernel: 109s
max time network: 127s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 12-12-2024 17:50
Behavioral tasks (sample, resource)
behavioral1: PERM 11-12-2024/Requirement's/Defender Control/Defender Control.exe (win10ltsc2021-20241211-en)
behavioral2: PERM 11-12-2024/Requirement's/Defender Control/Defender_Settings.vbs (win10ltsc2021-20241211-en)
behavioral3: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/install_all.bat (win10ltsc2021-20241023-en)
behavioral4: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2005_x64.exe (win10ltsc2021-20241211-en)
behavioral5: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2005_x86.exe (win10ltsc2021-20241211-en)
behavioral6: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2008_x64.exe (win10ltsc2021-20241211-en)
behavioral7: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2008_x86.exe (win10ltsc2021-20241211-en)
behavioral8: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2010_x64.exe (win10ltsc2021-20241211-en)
behavioral9: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2010_x86.exe (win10ltsc2021-20241211-en)
behavioral10: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2012_x64.exe (win10ltsc2021-20241211-en)
behavioral11: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2012_x86.exe (win10ltsc2021-20241023-en)
behavioral12: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2013_x64.exe (win10ltsc2021-20241211-en)
behavioral13: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2013_x86.exe (win10ltsc2021-20241211-en)
behavioral14: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2015_2017_2019_2022_x64.exe (win10ltsc2021-20241211-en)
behavioral15: PERM 11-12-2024/Requirement's/Visual-C-Runtimes-All-in-One-Nov-2024/vcredist2015_2017_2019_2022_x86.exe (win10ltsc2021-20241211-en)
behavioral16: PERM 11-12-2024/Requirement's/Windows Update Blocker/Windows Update Blocker.exe (win10ltsc2021-20241211-en)
behavioral17: PERM 11-12-2024/Requirement's/dxwebsetup.exe (win10ltsc2021-20241211-en)
behavioral18: PERM 11-12-2024/Serial Checker.bat (win10ltsc2021-20241211-en)
behavioral19: PERM 11-12-2024/Updater.exe (win10ltsc2021-20241211-en)
General
Target: PERM 11-12-2024/Serial Checker.bat
Size: 1KB
MD5: c6b62b1ffcd5a9cade299e6a9458fd09
SHA1: 8fbca3f3dab7aa83c19a284ffd0e168313768963
SHA256: cd8eb671af25c123a24436878e375df9b12e2465500d8f3fe20bcd51c2969de4
SHA512: 27b789862c56103753af9860299fb01d76579b0983d6d0617671401a2d50dc4d4ed224c26360a660680b3f1bf3252c3de41cc088c359b851102b0da53b8efae9
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell
  pid 4020 powershell.exe
Modifies data under HKEY_USERS (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784995557457140" (powershell.exe)
Suspicious behavior: EnumeratesProcesses (42 IoCs)
  WMIC.exe pids 236, 4252, 336, 2132, 2536, 3660, 4092, 2704, 1016, 4940 (4 entries each); powershell.exe pid 4020 (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  WMIC.exe pid 236 (full set listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  WMIC.exe pid 4252: the same 21 tokens once, followed by SeIncreaseQuotaPrivilege again
Suspicious use of WriteProcessMemory (24 IoCs)
  cmd.exe pid 3680 wrote to memory of child pids 4204 (procid_target 81), 236 (82), 4252 (84), 336 (85), 2132 (86), 2536 (87), 3660 (88), 4092 (89), 2704 (90), 1016 (91), 4940 (92), 4020 (93); each entry is recorded twice
Processes
C:\Windows\system32\cmd.exe (PID 3680)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PERM 11-12-2024\Serial Checker.bat"
  signatures: Suspicious use of WriteProcessMemory
  children:
    C:\Windows\system32\cmd.exe (PID 4204)
      command line: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    C:\Windows\System32\Wbem\WMIC.exe (PID 236)
      command line: wmic baseboard get product,Manufacturer,serialnumber
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe (PID 4252)
      command line: wmic bios get manufacturer,serialnumber,version,smbiosbiosversion,releasedate
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe (PID 336)
      command line: wmic csproduct get name,identifyingnumber,uuid
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 2132)
      command line: wmic memorychip get partnumber, serialnumber, sku
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 2536)
      command line: wmic nic get macaddress, description
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 3660)
      command line: wmic cpu get caption, processorid, socketdesignation, Name, Caption
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 4092)
      command line: wmic logicaldisk where drivetype=3 get name,volumeserialnumber
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 2704)
      command line: wmic diskdrive get Model, SerialNumber, name
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 1016)
      command line: wmic OS GET Caption,SerialNumber,CSName
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\Wbem\WMIC.exe (PID 4940)
      command line: wmic computersystem get PrimaryOwnerName
      signatures: Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4020)
      command line: powershell.exe -Command "Write-Host 'SHA256: ' -NoNewline; Write-Host (Get-TpmEndorsementKeyInfo -Hash Sha256).PublicKeyHash"
      signatures: Command and Scripting Interpreter: PowerShell; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File (size 60B)
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82