6d8ce5ddf48cb6bacf8e84ec8ee2c77b264325d288c7fcd40e0ddf7f50c6f547

Analysis

max time kernel
380s
max time network
1608s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
01-01-2023 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Separate-Files-Version/Check-Activation-Status-wmi.cmd
Size

18KB
MD5

9532db59d6b3fe352aad951fe1fea3b0
SHA1

751db10cb85b7da9f9f2d1a8fae9df1d02e0e8c4
SHA256

1149b91927a002002f404115b12b10179ac198bec0365610ce5a74166b256ea6
SHA512

dea458e7fd48ae5e1105fc2a9d358f0633778031baf6ba2532c08c82e1ee50101b69031ed0cdd09f6378e81188bd2073f466a1f5388b874800ef7ed59c8ec799
SSDEEP

384:AeeEnXRdwyo44hN8ivJ9EaRVVY7UTdPU0EGT0SGFS:Aee4yWaNY7wdVEGQSGM

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2100	sc.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4040	WMIC.exe
Token: SeSecurityPrivilege	4040	WMIC.exe
Token: SeTakeOwnershipPrivilege	4040	WMIC.exe
Token: SeLoadDriverPrivilege	4040	WMIC.exe
Token: SeSystemProfilePrivilege	4040	WMIC.exe
Token: SeSystemtimePrivilege	4040	WMIC.exe
Token: SeProfSingleProcessPrivilege	4040	WMIC.exe
Token: SeIncBasePriorityPrivilege	4040	WMIC.exe
Token: SeCreatePagefilePrivilege	4040	WMIC.exe
Token: SeBackupPrivilege	4040	WMIC.exe
Token: SeRestorePrivilege	4040	WMIC.exe
Token: SeShutdownPrivilege	4040	WMIC.exe
Token: SeDebugPrivilege	4040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4040	WMIC.exe
Token: SeRemoteShutdownPrivilege	4040	WMIC.exe
Token: SeUndockPrivilege	4040	WMIC.exe
Token: SeManageVolumePrivilege	4040	WMIC.exe
Token: 33	4040	WMIC.exe
Token: 34	4040	WMIC.exe
Token: 35	4040	WMIC.exe
Token: 36	4040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4040	WMIC.exe
Token: SeSecurityPrivilege	4040	WMIC.exe
Token: SeTakeOwnershipPrivilege	4040	WMIC.exe
Token: SeLoadDriverPrivilege	4040	WMIC.exe
Token: SeSystemProfilePrivilege	4040	WMIC.exe
Token: SeSystemtimePrivilege	4040	WMIC.exe
Token: SeProfSingleProcessPrivilege	4040	WMIC.exe
Token: SeIncBasePriorityPrivilege	4040	WMIC.exe
Token: SeCreatePagefilePrivilege	4040	WMIC.exe
Token: SeBackupPrivilege	4040	WMIC.exe
Token: SeRestorePrivilege	4040	WMIC.exe
Token: SeShutdownPrivilege	4040	WMIC.exe
Token: SeDebugPrivilege	4040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4040	WMIC.exe
Token: SeRemoteShutdownPrivilege	4040	WMIC.exe
Token: SeUndockPrivilege	4040	WMIC.exe
Token: SeManageVolumePrivilege	4040	WMIC.exe
Token: 33	4040	WMIC.exe
Token: 34	4040	WMIC.exe
Token: 35	4040	WMIC.exe
Token: 36	4040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe
Token: 36	2004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2496	2968	cmd.exe	67
PID 2968 wrote to memory of 2496	2968	cmd.exe	67
PID 2968 wrote to memory of 2804	2968	cmd.exe	68
PID 2968 wrote to memory of 2804	2968	cmd.exe	68
PID 2968 wrote to memory of 4040	2968	cmd.exe	69
PID 2968 wrote to memory of 4040	2968	cmd.exe	69
PID 2968 wrote to memory of 4492	2968	cmd.exe	70
PID 2968 wrote to memory of 4492	2968	cmd.exe	70
PID 2968 wrote to memory of 2100	2968	cmd.exe	72
PID 2968 wrote to memory of 2100	2968	cmd.exe	72
PID 2968 wrote to memory of 4300	2968	cmd.exe	73
PID 2968 wrote to memory of 4300	2968	cmd.exe	73
PID 4300 wrote to memory of 904	4300	net.exe	74
PID 4300 wrote to memory of 904	4300	net.exe	74
PID 2968 wrote to memory of 2004	2968	cmd.exe	75
PID 2968 wrote to memory of 2004	2968	cmd.exe	75
PID 2968 wrote to memory of 4720	2968	cmd.exe	76
PID 2968 wrote to memory of 4720	2968	cmd.exe	76
PID 2968 wrote to memory of 3744	2968	cmd.exe	77
PID 2968 wrote to memory of 3744	2968	cmd.exe	77
PID 2968 wrote to memory of 3980	2968	cmd.exe	78
PID 2968 wrote to memory of 3980	2968	cmd.exe	78
PID 2968 wrote to memory of 1364	2968	cmd.exe	79
PID 2968 wrote to memory of 1364	2968	cmd.exe	79
PID 1364 wrote to memory of 2468	1364	cmd.exe	80
PID 1364 wrote to memory of 2468	1364	cmd.exe	80
PID 2968 wrote to memory of 3836	2968	cmd.exe	81
PID 2968 wrote to memory of 3836	2968	cmd.exe	81
PID 3836 wrote to memory of 3828	3836	cmd.exe	83
PID 3836 wrote to memory of 3828	3836	cmd.exe	83
PID 3836 wrote to memory of 1836	3836	cmd.exe	82
PID 3836 wrote to memory of 1836	3836	cmd.exe	82
PID 2968 wrote to memory of 1372	2968	cmd.exe	84
PID 2968 wrote to memory of 1372	2968	cmd.exe	84
PID 2968 wrote to memory of 1176	2968	cmd.exe	85
PID 2968 wrote to memory of 1176	2968	cmd.exe	85
PID 2968 wrote to memory of 3816	2968	cmd.exe	86
PID 2968 wrote to memory of 3816	2968	cmd.exe	86
PID 2968 wrote to memory of 976	2968	cmd.exe	87
PID 2968 wrote to memory of 976	2968	cmd.exe	87
PID 2968 wrote to memory of 4672	2968	cmd.exe	88
PID 2968 wrote to memory of 4672	2968	cmd.exe	88
PID 2968 wrote to memory of 4724	2968	cmd.exe	89
PID 2968 wrote to memory of 4724	2968	cmd.exe	89
PID 2968 wrote to memory of 4892	2968	cmd.exe	90
PID 2968 wrote to memory of 4892	2968	cmd.exe	90
PID 2968 wrote to memory of 5016	2968	cmd.exe	91
PID 2968 wrote to memory of 5016	2968	cmd.exe	91
PID 5016 wrote to memory of 1548	5016	cmd.exe	92
PID 5016 wrote to memory of 1548	5016	cmd.exe	92
PID 5016 wrote to memory of 3120	5016	cmd.exe	93
PID 5016 wrote to memory of 3120	5016	cmd.exe	93
PID 2968 wrote to memory of 3812	2968	cmd.exe	94
PID 2968 wrote to memory of 3812	2968	cmd.exe	94
PID 3812 wrote to memory of 4824	3812	cmd.exe	95
PID 3812 wrote to memory of 4824	3812	cmd.exe	95
PID 2968 wrote to memory of 1312	2968	cmd.exe	96
PID 2968 wrote to memory of 1312	2968	cmd.exe	96
PID 1312 wrote to memory of 1992	1312	cmd.exe	97
PID 1312 wrote to memory of 1992	1312	cmd.exe	97
PID 1312 wrote to memory of 4092	1312	cmd.exe	98
PID 1312 wrote to memory of 4092	1312	cmd.exe	98
PID 2968 wrote to memory of 4756	2968	cmd.exe	99
PID 2968 wrote to memory of 4756	2968	cmd.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Separate-Files-Version\Check-Activation-Status-wmi.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2496
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "Check-Activation-Status-wmi.cmd"
  2⤵
  PID:2804
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:4492
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2100
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:904
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\findstr.exe
  findstr /i ID
  2⤵
  PID:4720
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
  2⤵
  PID:3744
- C:\Windows\System32\findstr.exe
  findstr /i ID
  2⤵
  PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    3⤵
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:1836
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
    3⤵
    PID:3828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
  2⤵
  PID:1372
- C:\Windows\System32\findstr.exe
  findstr /i VOLUME_KMSCLIENT
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
  2⤵
  PID:3816
- C:\Windows\System32\findstr.exe
  findstr /i TIMEBASED_
  2⤵
  PID:976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
  2⤵
  PID:4672
- C:\Windows\System32\findstr.exe
  findstr /i VIRTUAL_MACHINE_ACTIVATION
  2⤵
  PID:4724
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 3221549142
  2⤵
  PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
    3⤵
    PID:1548
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
    3⤵
    PID:1992
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
  2⤵
  PID:4756
- C:\Windows\System32\findstr.exe
  findstr /i VOLUME_KMSCLIENT
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
  2⤵
  PID:4740
- C:\Windows\System32\findstr.exe
  findstr /i TIMEBASED_
  2⤵
  PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
  2⤵
  PID:3168
- C:\Windows\System32\findstr.exe
  findstr /i VIRTUAL_MACHINE_ACTIVATION
  2⤵
  PID:4592
- C:\Windows\System32\cmd.exe
  cmd /c exit /b 3221549142
  2⤵
  PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  2⤵
  PID:5108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
    3⤵
    PID:3056
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:4696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-124-0x0000000000000000-mapping.dmp

Download
memory/976-137-0x0000000000000000-mapping.dmp

Download
memory/1176-135-0x0000000000000000-mapping.dmp

Download
memory/1312-146-0x0000000000000000-mapping.dmp

Download
memory/1364-129-0x0000000000000000-mapping.dmp

Download
memory/1372-134-0x0000000000000000-mapping.dmp

Download
memory/1548-142-0x0000000000000000-mapping.dmp

Download
memory/1836-133-0x0000000000000000-mapping.dmp

Download
memory/1992-147-0x0000000000000000-mapping.dmp

Download
memory/2004-125-0x0000000000000000-mapping.dmp

Download
memory/2100-122-0x0000000000000000-mapping.dmp

Download
memory/2468-130-0x0000000000000000-mapping.dmp

Download
memory/2496-118-0x0000000000000000-mapping.dmp

Download
memory/2804-119-0x0000000000000000-mapping.dmp

Download
memory/3056-157-0x0000000000000000-mapping.dmp

Download
memory/3120-143-0x0000000000000000-mapping.dmp

Download
memory/3168-153-0x0000000000000000-mapping.dmp

Download
memory/3176-152-0x0000000000000000-mapping.dmp

Download
memory/3744-127-0x0000000000000000-mapping.dmp

Download
memory/3812-144-0x0000000000000000-mapping.dmp

Download
memory/3816-136-0x0000000000000000-mapping.dmp

Download
memory/3828-132-0x0000000000000000-mapping.dmp

Download
memory/3836-131-0x0000000000000000-mapping.dmp

Download
memory/3980-128-0x0000000000000000-mapping.dmp

Download
memory/4040-120-0x0000000000000000-mapping.dmp

Download
memory/4092-148-0x0000000000000000-mapping.dmp

Download
memory/4160-155-0x0000000000000000-mapping.dmp

Download
memory/4300-123-0x0000000000000000-mapping.dmp

Download
memory/4492-121-0x0000000000000000-mapping.dmp

Download
memory/4592-154-0x0000000000000000-mapping.dmp

Download
memory/4672-138-0x0000000000000000-mapping.dmp

Download
memory/4696-158-0x0000000000000000-mapping.dmp

Download
memory/4720-126-0x0000000000000000-mapping.dmp

Download
memory/4724-139-0x0000000000000000-mapping.dmp

Download
memory/4740-151-0x0000000000000000-mapping.dmp

Download
memory/4756-149-0x0000000000000000-mapping.dmp

Download
memory/4776-150-0x0000000000000000-mapping.dmp

Download
memory/4824-145-0x0000000000000000-mapping.dmp

Download
memory/4892-140-0x0000000000000000-mapping.dmp

Download
memory/5016-141-0x0000000000000000-mapping.dmp

Download
memory/5108-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads