Overview

Target                  Platform              Score
overview                (all tasks)           10
static                  (static analysis)     5
temp/temp/...er.bat     windows7-x64          1
temp/temp/...er.bat     windows10-2004-x64    1
temp/temp/...er.bat     windows7-x64          1
temp/temp/...er.bat     windows10-2004-x64    1
temp/temp/...ht.bat     windows7-x64          8
temp/temp/...ht.bat     windows10-2004-x64    8
temp/temp/...er.exe     windows7-x64          1
temp/temp/...er.exe     windows10-2004-x64    1
temp/temp/...er.exe     windows7-x64          1
temp/temp/...er.exe     windows10-2004-x64    1
temp/temp/...gs.vbs     windows7-x64          3
temp/temp/...gs.vbs     windows10-2004-x64    1
temp/temp/...ol.exe     windows7-x64          10
temp/temp/...ol.exe     windows10-2004-x64    5
temp/temp/...64.dll     windows7-x64          1
temp/temp/...64.dll     windows10-2004-x64    1
temp/temp/...64.dll     windows7-x64          1
temp/temp/...64.dll     windows10-2004-x64    1
temp/temp/...mp.exe     windows7-x64          10
temp/temp/...mp.exe     windows10-2004-x64    10
Analysis

max time kernel: 92s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2025 16:56
Behavioral tasks

Task           Sample                                                      Resource
behavioral1    temp/temp/temp/temp/Serial Checker.bat                      win7-20240903-en
behavioral2    temp/temp/temp/temp/Serial Checker.bat                      win10v2004-20241007-en
behavioral3    temp/temp/temp/temp/cleaners/FortniteCleaner.bat            win7-20240903-en
behavioral4    temp/temp/temp/temp/cleaners/FortniteCleaner.bat            win10v2004-20241007-en
behavioral5    temp/temp/temp/temp/cleaners/Midnight.bat                   win7-20240903-en
behavioral6    temp/temp/temp/temp/cleaners/Midnight.bat                   win10v2004-20241007-en
behavioral7    temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe            win7-20240729-en
behavioral8    temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe            win10v2004-20241007-en
behavioral9    temp/temp/temp/temp/cleaners/cleaner.exe                    win7-20241010-en
behavioral10   temp/temp/temp/temp/cleaners/cleaner.exe                    win10v2004-20241007-en
behavioral11   temp/temp/temp/temp/d control need/Defender_Settings.vbs    win7-20241023-en
behavioral12   temp/temp/temp/temp/d control need/Defender_Settings.vbs    win10v2004-20241007-en
behavioral13   temp/temp/temp/temp/d control need/dControl.exe             win7-20240903-en
behavioral14   temp/temp/temp/temp/d control need/dControl.exe             win10v2004-20241007-en
behavioral15   temp/temp/temp/temp/libcrypto-3-x64.dll                     win7-20240903-en
behavioral16   temp/temp/temp/temp/libcrypto-3-x64.dll                     win10v2004-20241007-en
behavioral17   temp/temp/temp/temp/libssl-3-x64.dll                        win7-20240729-en
behavioral18   temp/temp/temp/temp/libssl-3-x64.dll                        win10v2004-20241007-en
behavioral19   temp/temp/temp/temp/vson I temp.exe                         win7-20240903-en
behavioral20   temp/temp/temp/temp/vson I temp.exe                         win10v2004-20241007-en
General

Target: temp/temp/temp/temp/Serial Checker.bat
Size: 831B
MD5: 119a816fb17e3c634deda5fa650bbb50
SHA1: ee6fbcfe647a2b943e991797b08e10e2dd9eef5f
SHA256: 8e04607e18f90a99e360f4bffe37102b20006143859c87ae845694512b41094f
SHA512: 78d69503835da46a427afb50fd3dcb7d0dc246b89751d42533afb8bf8a0a0e5f78f78d350507460b5b421af0ae4b822ee2a435ab1962bf411fa5d94a663d6e2d
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
PID 100, WMIC.exe (each token recorded twice, 42 entries): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 5084, WMIC.exe (22 entries): the same 21 tokens in the same order, followed by a second Token: SeIncreaseQuotaPrivilege
Suspicious use of WriteProcessMemory (18 IoCs)

description                        pid    Process   procid_target
PID 3200 wrote to memory of 3100   3200   cmd.exe   84
PID 3200 wrote to memory of 100    3200   cmd.exe   85
PID 3200 wrote to memory of 5084   3200   cmd.exe   87
PID 3200 wrote to memory of 484    3200   cmd.exe   88
PID 3200 wrote to memory of 4220   3200   cmd.exe   89
PID 3200 wrote to memory of 2556   3200   cmd.exe   90
PID 3200 wrote to memory of 1552   3200   cmd.exe   91
PID 3200 wrote to memory of 744    3200   cmd.exe   92
PID 3200 wrote to memory of 4728   3200   cmd.exe   93
(each of the nine entries above is recorded twice in the report, 18 IoCs in total)
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\temp\temp\temp\temp\Serial Checker.bat"
  PID: 3200
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\system32\mode.com
      Command line: mode con: cols=180 lines=62
      PID: 3100
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic diskdrive get serialnumber
      PID: 100
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic baseboard get serialnumber
      PID: 5084
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_computersystemproduct get uuid
      PID: 484
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic PATH Win32_VideoController GET Description,PNPDeviceID
      PID: 4220
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic memorychip get serialnumber
      PID: 2556
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic csproduct get uuid
      PID: 1552
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get processorid
      PID: 744
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      PID: 4728