18f7423d283aa1aa5c2c54b823f99f75fc8d4decaed513db91c1be02ab98fb3d

Resubmissions

01/02/2023, 22:52

230201-2th53sda35 8

Analysis

max time kernel
232s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
01/02/2023, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_VL_ALL_AIO.cmd
Size

300KB
MD5

c8642fd825543b510b0a5fa118cc5b80
SHA1

5f80cdf39a0ee22321a73544a4939faddedd575b
SHA256

18f7423d283aa1aa5c2c54b823f99f75fc8d4decaed513db91c1be02ab98fb3d
SHA512

7df23e2afa00ae4dd913dd2d8e84a603e30cdccfedd85cd108da674e13b1aefc3b082b3cac95f457a11125c4bb6a11d46a24f2bc933797952dd0c0a1e6e7a363
SSDEEP

6144:WiJNJzLuupIW1GnFS0xmfKD5pw9rIjEUqbj8HmAkNp/4:5JNJzVpIRxmyD5pmUjE/j8GAk7/4

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4624	sc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2172	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3252	powershell.exe
3252	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2392	WMIC.exe
Token: SeSecurityPrivilege	2392	WMIC.exe
Token: SeTakeOwnershipPrivilege	2392	WMIC.exe
Token: SeLoadDriverPrivilege	2392	WMIC.exe
Token: SeSystemProfilePrivilege	2392	WMIC.exe
Token: SeSystemtimePrivilege	2392	WMIC.exe
Token: SeProfSingleProcessPrivilege	2392	WMIC.exe
Token: SeIncBasePriorityPrivilege	2392	WMIC.exe
Token: SeCreatePagefilePrivilege	2392	WMIC.exe
Token: SeBackupPrivilege	2392	WMIC.exe
Token: SeRestorePrivilege	2392	WMIC.exe
Token: SeShutdownPrivilege	2392	WMIC.exe
Token: SeDebugPrivilege	2392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2392	WMIC.exe
Token: SeRemoteShutdownPrivilege	2392	WMIC.exe
Token: SeUndockPrivilege	2392	WMIC.exe
Token: SeManageVolumePrivilege	2392	WMIC.exe
Token: 33	2392	WMIC.exe
Token: 34	2392	WMIC.exe
Token: 35	2392	WMIC.exe
Token: 36	2392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2392	WMIC.exe
Token: SeSecurityPrivilege	2392	WMIC.exe
Token: SeTakeOwnershipPrivilege	2392	WMIC.exe
Token: SeLoadDriverPrivilege	2392	WMIC.exe
Token: SeSystemProfilePrivilege	2392	WMIC.exe
Token: SeSystemtimePrivilege	2392	WMIC.exe
Token: SeProfSingleProcessPrivilege	2392	WMIC.exe
Token: SeIncBasePriorityPrivilege	2392	WMIC.exe
Token: SeCreatePagefilePrivilege	2392	WMIC.exe
Token: SeBackupPrivilege	2392	WMIC.exe
Token: SeRestorePrivilege	2392	WMIC.exe
Token: SeShutdownPrivilege	2392	WMIC.exe
Token: SeDebugPrivilege	2392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2392	WMIC.exe
Token: SeRemoteShutdownPrivilege	2392	WMIC.exe
Token: SeUndockPrivilege	2392	WMIC.exe
Token: SeManageVolumePrivilege	2392	WMIC.exe
Token: 33	2392	WMIC.exe
Token: 34	2392	WMIC.exe
Token: 35	2392	WMIC.exe
Token: 36	2392	WMIC.exe
Token: SeDebugPrivilege	3252	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2172	2604	cmd.exe	83
PID 2604 wrote to memory of 2172	2604	cmd.exe	83
PID 2604 wrote to memory of 2204	2604	cmd.exe	82
PID 2604 wrote to memory of 2204	2604	cmd.exe	82
PID 2604 wrote to memory of 2392	2604	cmd.exe	84
PID 2604 wrote to memory of 2392	2604	cmd.exe	84
PID 2604 wrote to memory of 4472	2604	cmd.exe	85
PID 2604 wrote to memory of 4472	2604	cmd.exe	85
PID 2604 wrote to memory of 3252	2604	cmd.exe	86
PID 2604 wrote to memory of 3252	2604	cmd.exe	86
PID 2604 wrote to memory of 3468	2604	cmd.exe	87
PID 2604 wrote to memory of 3468	2604	cmd.exe	87
PID 2604 wrote to memory of 3676	2604	cmd.exe	88
PID 2604 wrote to memory of 3676	2604	cmd.exe	88
PID 2604 wrote to memory of 4908	2604	cmd.exe	89
PID 2604 wrote to memory of 4908	2604	cmd.exe	89
PID 4908 wrote to memory of 560	4908	cmd.exe	90
PID 4908 wrote to memory of 560	4908	cmd.exe	90
PID 2604 wrote to memory of 4144	2604	cmd.exe	91
PID 2604 wrote to memory of 4144	2604	cmd.exe	91
PID 2604 wrote to memory of 248	2604	cmd.exe	92
PID 2604 wrote to memory of 248	2604	cmd.exe	92
PID 2604 wrote to memory of 1564	2604	cmd.exe	93
PID 2604 wrote to memory of 1564	2604	cmd.exe	93
PID 2604 wrote to memory of 220	2604	cmd.exe	94
PID 2604 wrote to memory of 220	2604	cmd.exe	94
PID 2604 wrote to memory of 208	2604	cmd.exe	95
PID 2604 wrote to memory of 208	2604	cmd.exe	95
PID 2604 wrote to memory of 3928	2604	cmd.exe	96
PID 2604 wrote to memory of 3928	2604	cmd.exe	96
PID 2604 wrote to memory of 3008	2604	cmd.exe	97
PID 2604 wrote to memory of 3008	2604	cmd.exe	97
PID 2604 wrote to memory of 4680	2604	cmd.exe	98
PID 2604 wrote to memory of 4680	2604	cmd.exe	98
PID 2604 wrote to memory of 4624	2604	cmd.exe	99
PID 2604 wrote to memory of 4624	2604	cmd.exe	99
PID 2604 wrote to memory of 4008	2604	cmd.exe	100
PID 2604 wrote to memory of 4008	2604	cmd.exe	100
PID 2604 wrote to memory of 4148	2604	cmd.exe	101
PID 2604 wrote to memory of 4148	2604	cmd.exe	101
PID 2604 wrote to memory of 2068	2604	cmd.exe	102
PID 2604 wrote to memory of 2068	2604	cmd.exe	102
PID 2604 wrote to memory of 3892	2604	cmd.exe	103
PID 2604 wrote to memory of 3892	2604	cmd.exe	103

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\System32\find.exe
  find /i "0x4"
  2⤵
  PID:2204
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
  2⤵
  - Modifies registry key
  PID:2172
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $ExecutionContext.SessionState.LanguageMode
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\System32\find.exe
  find /i "Full"
  2⤵
  PID:3468
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4144
- C:\Windows\System32\reg.exe
  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:248
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:220
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:208
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3928
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:4680
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:4624
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:4008
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"
  2⤵
  PID:2068
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:3892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3252-138-0x0000014B68470000-0x0000014B684F2000-memory.dmp

Filesize
520KB

Download
memory/3252-142-0x00007FFF4DB70000-0x00007FFF4E631000-memory.dmp

Filesize
10.8MB

Download
memory/3252-141-0x0000014B69080000-0x0000014B69182000-memory.dmp

Filesize
1.0MB

Download
memory/3252-140-0x0000014B683E0000-0x0000014B683F0000-memory.dmp

Filesize
64KB

Download
memory/3252-139-0x0000014B68410000-0x0000014B68432000-memory.dmp

Filesize
136KB

Download