6d8ce5ddf48cb6bacf8e84ec8ee2c77b264325d288c7fcd40e0ddf7f50c6f547

Analysis

max time kernel
367s
max time network
1608s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
01/01/2023, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Separate-Files-Version/Check-Activation-Status-vbs.cmd
Size

7KB
MD5

0e34f3c90cd0c1724737064d438d7357
SHA1

f50d0b6456bf5514b0ee136c81bd4a7527c43e7f
SHA256

a21c9481807ea222cebf8cab4047844181dd98c00ad3d6c232701599c10697cd
SHA512

84c6852ed52df581e70380d16fede2609d4c9f61c22612cbf575f71d529660cd137501265e79b8bab85f14207818ae608472374adabf4d75f9db964a428c6d7f
SSDEEP

192:B9/O0diZIZazZ9VZ5jZfuZcQZ0pZfSy9C/sC/QiO4TEoz6t9+r4:bO0d+IZad3Z5tficE0rfSyo/h/QiO4Ti

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	800	cscript.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
1364	reg.exe
2728	reg.exe
4440	reg.exe
4892	reg.exe
2240	reg.exe
4620	reg.exe
4596	reg.exe
4132	reg.exe
1804	reg.exe
1272	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2920	2616	cmd.exe	67
PID 2616 wrote to memory of 2920	2616	cmd.exe	67
PID 2616 wrote to memory of 4600	2616	cmd.exe	68
PID 2616 wrote to memory of 4600	2616	cmd.exe	68
PID 4600 wrote to memory of 5112	4600	net.exe	69
PID 4600 wrote to memory of 5112	4600	net.exe	69
PID 2616 wrote to memory of 4100	2616	cmd.exe	70
PID 2616 wrote to memory of 4100	2616	cmd.exe	70
PID 2616 wrote to memory of 3768	2616	cmd.exe	72
PID 2616 wrote to memory of 3768	2616	cmd.exe	72
PID 2616 wrote to memory of 3656	2616	cmd.exe	73
PID 2616 wrote to memory of 3656	2616	cmd.exe	73
PID 3656 wrote to memory of 2240	3656	cmd.exe	74
PID 3656 wrote to memory of 2240	3656	cmd.exe	74
PID 2616 wrote to memory of 2896	2616	cmd.exe	75
PID 2616 wrote to memory of 2896	2616	cmd.exe	75
PID 2896 wrote to memory of 4620	2896	cmd.exe	76
PID 2896 wrote to memory of 4620	2896	cmd.exe	76
PID 2616 wrote to memory of 3376	2616	cmd.exe	77
PID 2616 wrote to memory of 3376	2616	cmd.exe	77
PID 3376 wrote to memory of 4596	3376	cmd.exe	78
PID 3376 wrote to memory of 4596	3376	cmd.exe	78
PID 2616 wrote to memory of 3448	2616	cmd.exe	79
PID 2616 wrote to memory of 3448	2616	cmd.exe	79
PID 3448 wrote to memory of 4132	3448	cmd.exe	80
PID 3448 wrote to memory of 4132	3448	cmd.exe	80
PID 2616 wrote to memory of 4660	2616	cmd.exe	81
PID 2616 wrote to memory of 4660	2616	cmd.exe	81
PID 4660 wrote to memory of 1364	4660	cmd.exe	82
PID 4660 wrote to memory of 1364	4660	cmd.exe	82
PID 2616 wrote to memory of 4668	2616	cmd.exe	83
PID 2616 wrote to memory of 4668	2616	cmd.exe	83
PID 4668 wrote to memory of 2728	4668	cmd.exe	84
PID 4668 wrote to memory of 2728	4668	cmd.exe	84
PID 2616 wrote to memory of 4440	2616	cmd.exe	85
PID 2616 wrote to memory of 4440	2616	cmd.exe	85
PID 2616 wrote to memory of 3512	2616	cmd.exe	86
PID 2616 wrote to memory of 3512	2616	cmd.exe	86
PID 3512 wrote to memory of 4892	3512	cmd.exe	87
PID 3512 wrote to memory of 4892	3512	cmd.exe	87
PID 2616 wrote to memory of 800	2616	cmd.exe	88
PID 2616 wrote to memory of 800	2616	cmd.exe	88
PID 2616 wrote to memory of 2144	2616	cmd.exe	89
PID 2616 wrote to memory of 2144	2616	cmd.exe	89
PID 2144 wrote to memory of 1804	2144	cmd.exe	90
PID 2144 wrote to memory of 1804	2144	cmd.exe	90
PID 2616 wrote to memory of 1272	2616	cmd.exe	91
PID 2616 wrote to memory of 1272	2616	cmd.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Separate-Files-Version\Check-Activation-Status-vbs.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "Check-Activation-Status-vbs.cmd"
  2⤵
  PID:2920
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:5112
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /dli
  2⤵
  PID:4100
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /xpr
  2⤵
  PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2728
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4892
- C:\Windows\System32\cscript.exe
  cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
  2⤵
  - Blocklisted process makes network request
  PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1804
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
139KB

MD5
3903bcab32a4a853dfa54962112d4d02

SHA1
ba6433fba48797cd43463441358004ac81b76a8b

SHA256
95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816

SHA512
db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a

Download Submit