Overview
Static (static): score 10
perm/mac/R...64.dll (windows7-x64): score 3
perm/mac/R...64.dll (windows10-2004-x64): score 1
perm/mac/R...sh.exe (windows7-x64): score 1
perm/mac/R...sh.exe (windows10-2004-x64): score 1
perm/mac/rtkio64.sys (windows7-x64): score 1
perm/mac/rtkio64.sys (windows10-2004-x64): score 1
perm/mac/r...64.sys (windows10-2004-x64): score 1
perm/mac/spoof.bat (windows7-x64): score 1
perm/mac/spoof.bat (windows10-2004-x64): score 1
perm/seria...64.exe (windows7-x64): score 1
perm/seria...64.exe (windows10-2004-x64): score 1
perm/seria...of.bat (windows7-x64): score 1
perm/seria...of.bat (windows10-2004-x64): score 10
perm/seria...er.bat (windows7-x64): score 10
perm/seria...er.bat (windows10-2004-x64): score 1
perm/seria...64.sys (windows7-x64): score 1
perm/seria...64.sys (windows10-2004-x64): score 1
perm/seria...64.sys (windows10-2004-x64): score 1
Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2025 00:53
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: perm/mac/RTIoLib64.dll, win7-20240903-en
behavioral2: perm/mac/RTIoLib64.dll, win10v2004-20241007-en
behavioral3: perm/mac/RealTek_flash.exe, win7-20241010-en
behavioral4: perm/mac/RealTek_flash.exe, win10v2004-20241007-en
behavioral5: perm/mac/rtkio64.sys, win7-20240708-en
behavioral6: perm/mac/rtkio64.sys, win10v2004-20241007-en
behavioral7: perm/mac/rtkiow10x64.sys, win10v2004-20241007-en
behavioral8: perm/mac/spoof.bat, win7-20240903-en
behavioral9: perm/mac/spoof.bat, win10v2004-20241007-en
behavioral10: perm/serials/AMIDEWINx64.exe, win7-20241010-en
behavioral11: perm/serials/AMIDEWINx64.exe, win10v2004-20241007-en
behavioral12: perm/serials/AmiSpoof.bat, win7-20240903-en
behavioral13: perm/serials/AmiSpoof.bat, win10v2004-20241007-en
behavioral14: perm/serials/SerialsChecker.bat, win7-20240903-en
behavioral15: perm/serials/SerialsChecker.bat, win10v2004-20241007-en
behavioral16: perm/serials/amifldrv64.sys, win7-20240903-en
behavioral17: perm/serials/amifldrv64.sys, win10v2004-20241007-en
behavioral18: perm/serials/amigendrv64.sys, win10v2004-20241007-en
General
Target: perm/serials/SerialsChecker.bat
Size: 534B
MD5: 24e3d5bcc9303227287318776960b7a2
SHA1: 5c66afdccf6ac0f84a5ba218d4fbea8d5975b5c7
SHA256: 28d007fe953bc08f5e41a5c1a25f9e0436bf3420ef788fcb7e8c9293badb9d42
SHA512: 2998f2cd8349b94d538b0a69ebe04fd2288a2c0484e95ba90dcebf422eb012d0899cc0bf54ad9747e9d7d0d2909bb659a5fc6ecc4d602281be5384aaf3327033
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 2760 | WMIC.exe
  Token: SeSecurityPrivilege | 2760 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2760 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2760 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2760 | WMIC.exe
  Token: SeSystemtimePrivilege | 2760 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2760 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2760 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2760 | WMIC.exe
  Token: SeBackupPrivilege | 2760 | WMIC.exe
  Token: SeRestorePrivilege | 2760 | WMIC.exe
  Token: SeShutdownPrivilege | 2760 | WMIC.exe
  Token: SeDebugPrivilege | 2760 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2760 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2760 | WMIC.exe
  Token: SeUndockPrivilege | 2760 | WMIC.exe
  Token: SeManageVolumePrivilege | 2760 | WMIC.exe
  Token: 33 | 2760 | WMIC.exe
  Token: 34 | 2760 | WMIC.exe
  Token: 35 | 2760 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2760 | WMIC.exe
  Token: SeSecurityPrivilege | 2760 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2760 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2760 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2760 | WMIC.exe
  Token: SeSystemtimePrivilege | 2760 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2760 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2760 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2760 | WMIC.exe
  Token: SeBackupPrivilege | 2760 | WMIC.exe
  Token: SeRestorePrivilege | 2760 | WMIC.exe
  Token: SeShutdownPrivilege | 2760 | WMIC.exe
  Token: SeDebugPrivilege | 2760 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2760 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2760 | WMIC.exe
  Token: SeUndockPrivilege | 2760 | WMIC.exe
  Token: SeManageVolumePrivilege | 2760 | WMIC.exe
  Token: 33 | 2760 | WMIC.exe
  Token: 34 | 2760 | WMIC.exe
  Token: 35 | 2760 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2668 | WMIC.exe
  Token: SeSecurityPrivilege | 2668 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2668 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2668 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2668 | WMIC.exe
  Token: SeSystemtimePrivilege | 2668 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2668 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2668 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2668 | WMIC.exe
  Token: SeBackupPrivilege | 2668 | WMIC.exe
  Token: SeRestorePrivilege | 2668 | WMIC.exe
  Token: SeShutdownPrivilege | 2668 | WMIC.exe
  Token: SeDebugPrivilege | 2668 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2668 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2668 | WMIC.exe
  Token: SeUndockPrivilege | 2668 | WMIC.exe
  Token: SeManageVolumePrivilege | 2668 | WMIC.exe
  Token: 33 | 2668 | WMIC.exe
  Token: 34 | 2668 | WMIC.exe
  Token: 35 | 2668 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2668 | WMIC.exe
  Token: SeSecurityPrivilege | 2668 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2668 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2668 | WMIC.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 764 wrote to memory of 2760 | 764 | cmd.exe | 32
  PID 764 wrote to memory of 2760 | 764 | cmd.exe | 32
  PID 764 wrote to memory of 2760 | 764 | cmd.exe | 32
  PID 764 wrote to memory of 2668 | 764 | cmd.exe | 34
  PID 764 wrote to memory of 2668 | 764 | cmd.exe | 34
  PID 764 wrote to memory of 2668 | 764 | cmd.exe | 34
  PID 764 wrote to memory of 2580 | 764 | cmd.exe | 35
  PID 764 wrote to memory of 2580 | 764 | cmd.exe | 35
  PID 764 wrote to memory of 2580 | 764 | cmd.exe | 35
  PID 764 wrote to memory of 2716 | 764 | cmd.exe | 36
  PID 764 wrote to memory of 2716 | 764 | cmd.exe | 36
  PID 764 wrote to memory of 2716 | 764 | cmd.exe | 36
  PID 764 wrote to memory of 2608 | 764 | cmd.exe | 37
  PID 764 wrote to memory of 2608 | 764 | cmd.exe | 37
  PID 764 wrote to memory of 2608 | 764 | cmd.exe | 37
  PID 764 wrote to memory of 2584 | 764 | cmd.exe | 38
  PID 764 wrote to memory of 2584 | 764 | cmd.exe | 38
  PID 764 wrote to memory of 2584 | 764 | cmd.exe | 38
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\perm\serials\SerialsChecker.bat"
  PID: 764
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic bios get serialnumber
    PID: 2760
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic csproduct get uuid
    PID: 2668
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic diskdrive get serialnumber
    PID: 2580
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic baseboard get serialnumber
    PID: 2716
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic baseboard get manufacturer
    PID: 2608
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
    PID: 2584