Overview
overview
10Static
static
5temp/temp/...er.bat
windows7-x64
1temp/temp/...er.bat
windows10-2004-x64
1temp/temp/...er.bat
windows7-x64
1temp/temp/...er.bat
windows10-2004-x64
1temp/temp/...ht.bat
windows7-x64
8temp/temp/...ht.bat
windows10-2004-x64
8temp/temp/...er.exe
windows7-x64
1temp/temp/...er.exe
windows10-2004-x64
1temp/temp/...er.exe
windows7-x64
1temp/temp/...er.exe
windows10-2004-x64
1temp/temp/...gs.vbs
windows7-x64
1temp/temp/...gs.vbs
windows10-2004-x64
1temp/temp/...ol.exe
windows7-x64
10temp/temp/...ol.exe
windows10-2004-x64
5temp/temp/...64.dll
windows7-x64
1temp/temp/...64.dll
windows10-2004-x64
1temp/temp/...64.dll
windows7-x64
1temp/temp/...64.dll
windows10-2004-x64
1temp/temp/...mp.exe
windows7-x64
10temp/temp/...mp.exe
windows10-2004-x64
10Analysis
-
max time kernel
91s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2025 15:14
Behavioral task
behavioral1
Sample
temp/temp/temp/temp/Serial Checker.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
temp/temp/temp/temp/Serial Checker.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
temp/temp/temp/temp/cleaners/FortniteCleaner.bat
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral4
Sample
temp/temp/temp/temp/cleaners/FortniteCleaner.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
temp/temp/temp/temp/cleaners/Midnight.bat
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral6
Sample
temp/temp/temp/temp/cleaners/Midnight.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
temp/temp/temp/temp/cleaners/cleaner.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral10
Sample
temp/temp/temp/temp/cleaners/cleaner.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
temp/temp/temp/temp/d control need/Defender_Settings.vbs
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
temp/temp/temp/temp/d control need/Defender_Settings.vbs
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
temp/temp/temp/temp/d control need/dControl.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
temp/temp/temp/temp/d control need/dControl.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
temp/temp/temp/temp/libcrypto-3-x64.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
temp/temp/temp/temp/libcrypto-3-x64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
temp/temp/temp/temp/libssl-3-x64.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
temp/temp/temp/temp/libssl-3-x64.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
temp/temp/temp/temp/vson I temp.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
temp/temp/temp/temp/vson I temp.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
temp/temp/temp/temp/Serial Checker.bat
-
Size
831B
-
MD5
119a816fb17e3c634deda5fa650bbb50
-
SHA1
ee6fbcfe647a2b943e991797b08e10e2dd9eef5f
-
SHA256
8e04607e18f90a99e360f4bffe37102b20006143859c87ae845694512b41094f
-
SHA512
78d69503835da46a427afb50fd3dcb7d0dc246b89751d42533afb8bf8a0a0e5f78f78d350507460b5b421af0ae4b822ee2a435ab1962bf411fa5d94a663d6e2d
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3100 WMIC.exe Token: SeSecurityPrivilege 3100 WMIC.exe Token: SeTakeOwnershipPrivilege 3100 WMIC.exe Token: SeLoadDriverPrivilege 3100 WMIC.exe Token: SeSystemProfilePrivilege 3100 WMIC.exe Token: SeSystemtimePrivilege 3100 WMIC.exe Token: SeProfSingleProcessPrivilege 3100 WMIC.exe Token: SeIncBasePriorityPrivilege 3100 WMIC.exe Token: SeCreatePagefilePrivilege 3100 WMIC.exe Token: SeBackupPrivilege 3100 WMIC.exe Token: SeRestorePrivilege 3100 WMIC.exe Token: SeShutdownPrivilege 3100 WMIC.exe Token: SeDebugPrivilege 3100 WMIC.exe Token: SeSystemEnvironmentPrivilege 3100 WMIC.exe Token: SeRemoteShutdownPrivilege 3100 WMIC.exe Token: SeUndockPrivilege 3100 WMIC.exe Token: SeManageVolumePrivilege 3100 WMIC.exe Token: 33 3100 WMIC.exe Token: 34 3100 WMIC.exe Token: 35 3100 WMIC.exe Token: 36 3100 WMIC.exe Token: SeIncreaseQuotaPrivilege 3100 WMIC.exe Token: SeSecurityPrivilege 3100 WMIC.exe Token: SeTakeOwnershipPrivilege 3100 WMIC.exe Token: SeLoadDriverPrivilege 3100 WMIC.exe Token: SeSystemProfilePrivilege 3100 WMIC.exe Token: SeSystemtimePrivilege 3100 WMIC.exe Token: SeProfSingleProcessPrivilege 3100 WMIC.exe Token: SeIncBasePriorityPrivilege 3100 WMIC.exe Token: SeCreatePagefilePrivilege 3100 WMIC.exe Token: SeBackupPrivilege 3100 WMIC.exe Token: SeRestorePrivilege 3100 WMIC.exe Token: SeShutdownPrivilege 3100 WMIC.exe Token: SeDebugPrivilege 3100 WMIC.exe Token: SeSystemEnvironmentPrivilege 3100 WMIC.exe Token: SeRemoteShutdownPrivilege 3100 WMIC.exe Token: SeUndockPrivilege 3100 WMIC.exe Token: SeManageVolumePrivilege 3100 WMIC.exe Token: 33 3100 WMIC.exe Token: 34 3100 WMIC.exe Token: 35 3100 WMIC.exe Token: 36 3100 WMIC.exe Token: SeIncreaseQuotaPrivilege 4448 WMIC.exe Token: SeSecurityPrivilege 4448 WMIC.exe Token: SeTakeOwnershipPrivilege 4448 WMIC.exe Token: SeLoadDriverPrivilege 4448 WMIC.exe Token: SeSystemProfilePrivilege 4448 WMIC.exe Token: SeSystemtimePrivilege 4448 WMIC.exe Token: SeProfSingleProcessPrivilege 4448 WMIC.exe Token: SeIncBasePriorityPrivilege 4448 WMIC.exe Token: SeCreatePagefilePrivilege 4448 WMIC.exe Token: SeBackupPrivilege 4448 WMIC.exe Token: SeRestorePrivilege 4448 WMIC.exe Token: SeShutdownPrivilege 4448 WMIC.exe Token: SeDebugPrivilege 4448 WMIC.exe Token: SeSystemEnvironmentPrivilege 4448 WMIC.exe Token: SeRemoteShutdownPrivilege 4448 WMIC.exe Token: SeUndockPrivilege 4448 WMIC.exe Token: SeManageVolumePrivilege 4448 WMIC.exe Token: 33 4448 WMIC.exe Token: 34 4448 WMIC.exe Token: 35 4448 WMIC.exe Token: 36 4448 WMIC.exe Token: SeIncreaseQuotaPrivilege 4448 WMIC.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4384 2872 cmd.exe 84 PID 2872 wrote to memory of 4384 2872 cmd.exe 84 PID 2872 wrote to memory of 3100 2872 cmd.exe 85 PID 2872 wrote to memory of 3100 2872 cmd.exe 85 PID 2872 wrote to memory of 4448 2872 cmd.exe 87 PID 2872 wrote to memory of 4448 2872 cmd.exe 87 PID 2872 wrote to memory of 2436 2872 cmd.exe 88 PID 2872 wrote to memory of 2436 2872 cmd.exe 88 PID 2872 wrote to memory of 1384 2872 cmd.exe 89 PID 2872 wrote to memory of 1384 2872 cmd.exe 89 PID 2872 wrote to memory of 3508 2872 cmd.exe 90 PID 2872 wrote to memory of 3508 2872 cmd.exe 90 PID 2872 wrote to memory of 1992 2872 cmd.exe 91 PID 2872 wrote to memory of 1992 2872 cmd.exe 91 PID 2872 wrote to memory of 5008 2872 cmd.exe 92 PID 2872 wrote to memory of 5008 2872 cmd.exe 92 PID 2872 wrote to memory of 4984 2872 cmd.exe 93 PID 2872 wrote to memory of 4984 2872 cmd.exe 93
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\Serial Checker.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\mode.commode con: cols=180 lines=622⤵PID:4384
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid2⤵PID:2436
-
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Description,PNPDeviceID2⤵PID:1384
-
-
C:\Windows\System32\Wbem\WMIC.exewmic memorychip get serialnumber2⤵PID:3508
-
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid2⤵PID:1992
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get processorid2⤵PID:5008
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress2⤵PID:4984
-