Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 15:13
Behavioral task: behavioral1
Sample: Veax Free/serial.bat
Resource: win10v2004-20240611-en
2 signatures, 150 seconds
General
Target: Veax Free/serial.bat
Size: 496B
MD5: 7a5d295e468a75dd7272c7642b1a269f
SHA1: efaf4e7994cb38ea78aceed95b00cac1918984d0
SHA256: 230e6a26c9feabb1d82f27845290942db22fbe2877faf05c093bc139edeeb7f0
SHA512: f23b628243601e1c3a9014dd3c735188be6b669be1772d39acbdb9f63486ceb2b374989f7e39bf8d04391d6f977d0e064ac79b263a0ff4e76a775e323f052b64
Score: 1/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: WMIC.exe, WMIC.exe
description   pid   process
Token: SeIncreaseQuotaPrivilege   3528   WMIC.exe
Token: SeSecurityPrivilege   3528   WMIC.exe
Token: SeTakeOwnershipPrivilege   3528   WMIC.exe
Token: SeLoadDriverPrivilege   3528   WMIC.exe
Token: SeSystemProfilePrivilege   3528   WMIC.exe
Token: SeSystemtimePrivilege   3528   WMIC.exe
Token: SeProfSingleProcessPrivilege   3528   WMIC.exe
Token: SeIncBasePriorityPrivilege   3528   WMIC.exe
Token: SeCreatePagefilePrivilege   3528   WMIC.exe
Token: SeBackupPrivilege   3528   WMIC.exe
Token: SeRestorePrivilege   3528   WMIC.exe
Token: SeShutdownPrivilege   3528   WMIC.exe
Token: SeDebugPrivilege   3528   WMIC.exe
Token: SeSystemEnvironmentPrivilege   3528   WMIC.exe
Token: SeRemoteShutdownPrivilege   3528   WMIC.exe
Token: SeUndockPrivilege   3528   WMIC.exe
Token: SeManageVolumePrivilege   3528   WMIC.exe
Token: 33   3528   WMIC.exe
Token: 34   3528   WMIC.exe
Token: 35   3528   WMIC.exe
Token: 36   3528   WMIC.exe
Token: SeIncreaseQuotaPrivilege   3528   WMIC.exe
Token: SeSecurityPrivilege   3528   WMIC.exe
Token: SeTakeOwnershipPrivilege   3528   WMIC.exe
Token: SeLoadDriverPrivilege   3528   WMIC.exe
Token: SeSystemProfilePrivilege   3528   WMIC.exe
Token: SeSystemtimePrivilege   3528   WMIC.exe
Token: SeProfSingleProcessPrivilege   3528   WMIC.exe
Token: SeIncBasePriorityPrivilege   3528   WMIC.exe
Token: SeCreatePagefilePrivilege   3528   WMIC.exe
Token: SeBackupPrivilege   3528   WMIC.exe
Token: SeRestorePrivilege   3528   WMIC.exe
Token: SeShutdownPrivilege   3528   WMIC.exe
Token: SeDebugPrivilege   3528   WMIC.exe
Token: SeSystemEnvironmentPrivilege   3528   WMIC.exe
Token: SeRemoteShutdownPrivilege   3528   WMIC.exe
Token: SeUndockPrivilege   3528   WMIC.exe
Token: SeManageVolumePrivilege   3528   WMIC.exe
Token: 33   3528   WMIC.exe
Token: 34   3528   WMIC.exe
Token: 35   3528   WMIC.exe
Token: 36   3528   WMIC.exe
Token: SeIncreaseQuotaPrivilege   888   WMIC.exe
Token: SeSecurityPrivilege   888   WMIC.exe
Token: SeTakeOwnershipPrivilege   888   WMIC.exe
Token: SeLoadDriverPrivilege   888   WMIC.exe
Token: SeSystemProfilePrivilege   888   WMIC.exe
Token: SeSystemtimePrivilege   888   WMIC.exe
Token: SeProfSingleProcessPrivilege   888   WMIC.exe
Token: SeIncBasePriorityPrivilege   888   WMIC.exe
Token: SeCreatePagefilePrivilege   888   WMIC.exe
Token: SeBackupPrivilege   888   WMIC.exe
Token: SeRestorePrivilege   888   WMIC.exe
Token: SeShutdownPrivilege   888   WMIC.exe
Token: SeDebugPrivilege   888   WMIC.exe
Token: SeSystemEnvironmentPrivilege   888   WMIC.exe
Token: SeRemoteShutdownPrivilege   888   WMIC.exe
Token: SeUndockPrivilege   888   WMIC.exe
Token: SeManageVolumePrivilege   888   WMIC.exe
Token: 33   888   WMIC.exe
Token: 34   888   WMIC.exe
Token: 35   888   WMIC.exe
Token: 36   888   WMIC.exe
Token: SeIncreaseQuotaPrivilege   888   WMIC.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: cmd.exe
description   pid   process   target process
PID 3476 wrote to memory of 3528   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 3528   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 888   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 888   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 672   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 672   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 2572   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 2572   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 1856   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 1856   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 4056   3476   cmd.exe   getmac.exe
PID 3476 wrote to memory of 4056   3476   cmd.exe   getmac.exe
PID 3476 wrote to memory of 2852   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 2852   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 860   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 860   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 3300   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 3300   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 3224   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 3224   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 5112   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 5112   3476   cmd.exe   WMIC.exe
PID 3476 wrote to memory of 536   3476   cmd.exe   getmac.exe
PID 3476 wrote to memory of 536   3476   cmd.exe   getmac.exe
Processes (image path | command line; indented entries are child processes of the entry above)

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Veax Free\serial.bat"
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe | wmic diskdrive get model, serialnumber
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe | wmic cpu get serialnumber
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe | wmic bios get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe | wmic baseboard get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_computersystemproduct get uuid
    C:\Windows\system32\getmac.exe | getmac
    C:\Windows\System32\Wbem\WMIC.exe | wmic diskdrive get model, serialnumber
    C:\Windows\System32\Wbem\WMIC.exe | wmic cpu get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe | wmic bios get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe | wmic baseboard get serialnumber
    C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_computersystemproduct get uuid
    C:\Windows\system32\getmac.exe | getmac