06bfa4838b894c2cfc4e15304480931f9e5813a4dfa26b66db0284cabc0d21d4

Analysis

max time kernel
66s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows 10 Digital License Activation Script.cmd
Size

25KB
MD5

b84b661e01657e59ba6e35606506a193
SHA1

8ceac0205d4756e1b1b3c78891c4bb41d60bd517
SHA256

06bfa4838b894c2cfc4e15304480931f9e5813a4dfa26b66db0284cabc0d21d4
SHA512

837a2a1826ed36bfddd1af7fb5a650045ce938634d00138c6c81b52c259f9ee1789d0a880338d064124cd2ec42795094b4e6254fc06ed195caac2b34d4e0d268
SSDEEP

384:qeniCKIZpaML7jbSKNF3sYD4TY07GCBpPUhmJoWli/qXAV9:qmiC7vaMyGh07GcPU0j/Y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2888	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3884	WMIC.exe
Token: SeSecurityPrivilege	3884	WMIC.exe
Token: SeTakeOwnershipPrivilege	3884	WMIC.exe
Token: SeLoadDriverPrivilege	3884	WMIC.exe
Token: SeSystemProfilePrivilege	3884	WMIC.exe
Token: SeSystemtimePrivilege	3884	WMIC.exe
Token: SeProfSingleProcessPrivilege	3884	WMIC.exe
Token: SeIncBasePriorityPrivilege	3884	WMIC.exe
Token: SeCreatePagefilePrivilege	3884	WMIC.exe
Token: SeBackupPrivilege	3884	WMIC.exe
Token: SeRestorePrivilege	3884	WMIC.exe
Token: SeShutdownPrivilege	3884	WMIC.exe
Token: SeDebugPrivilege	3884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3884	WMIC.exe
Token: SeRemoteShutdownPrivilege	3884	WMIC.exe
Token: SeUndockPrivilege	3884	WMIC.exe
Token: SeManageVolumePrivilege	3884	WMIC.exe
Token: 33	3884	WMIC.exe
Token: 34	3884	WMIC.exe
Token: 35	3884	WMIC.exe
Token: 36	3884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3884	WMIC.exe
Token: SeSecurityPrivilege	3884	WMIC.exe
Token: SeTakeOwnershipPrivilege	3884	WMIC.exe
Token: SeLoadDriverPrivilege	3884	WMIC.exe
Token: SeSystemProfilePrivilege	3884	WMIC.exe
Token: SeSystemtimePrivilege	3884	WMIC.exe
Token: SeProfSingleProcessPrivilege	3884	WMIC.exe
Token: SeIncBasePriorityPrivilege	3884	WMIC.exe
Token: SeCreatePagefilePrivilege	3884	WMIC.exe
Token: SeBackupPrivilege	3884	WMIC.exe
Token: SeRestorePrivilege	3884	WMIC.exe
Token: SeShutdownPrivilege	3884	WMIC.exe
Token: SeDebugPrivilege	3884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3884	WMIC.exe
Token: SeRemoteShutdownPrivilege	3884	WMIC.exe
Token: SeUndockPrivilege	3884	WMIC.exe
Token: SeManageVolumePrivilege	3884	WMIC.exe
Token: 33	3884	WMIC.exe
Token: 34	3884	WMIC.exe
Token: 35	3884	WMIC.exe
Token: 36	3884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe
Token: 34	1920	WMIC.exe
Token: 35	1920	WMIC.exe
Token: 36	1920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2772	1288	cmd.exe	87
PID 1288 wrote to memory of 2772	1288	cmd.exe	87
PID 1288 wrote to memory of 4940	1288	cmd.exe	88
PID 1288 wrote to memory of 4940	1288	cmd.exe	88
PID 1288 wrote to memory of 2632	1288	cmd.exe	89
PID 1288 wrote to memory of 2632	1288	cmd.exe	89
PID 1288 wrote to memory of 4928	1288	cmd.exe	90
PID 1288 wrote to memory of 4928	1288	cmd.exe	90
PID 4928 wrote to memory of 3884	4928	cmd.exe	91
PID 4928 wrote to memory of 3884	4928	cmd.exe	91
PID 1288 wrote to memory of 4880	1288	cmd.exe	92
PID 1288 wrote to memory of 4880	1288	cmd.exe	92
PID 1288 wrote to memory of 4500	1288	cmd.exe	99
PID 1288 wrote to memory of 4500	1288	cmd.exe	99
PID 1288 wrote to memory of 5048	1288	cmd.exe	100
PID 1288 wrote to memory of 5048	1288	cmd.exe	100
PID 1288 wrote to memory of 2512	1288	cmd.exe	101
PID 1288 wrote to memory of 2512	1288	cmd.exe	101
PID 1288 wrote to memory of 2956	1288	cmd.exe	102
PID 1288 wrote to memory of 2956	1288	cmd.exe	102
PID 1288 wrote to memory of 2504	1288	cmd.exe	103
PID 1288 wrote to memory of 2504	1288	cmd.exe	103
PID 2504 wrote to memory of 1920	2504	cmd.exe	104
PID 2504 wrote to memory of 1920	2504	cmd.exe	104
PID 1288 wrote to memory of 3796	1288	cmd.exe	105
PID 1288 wrote to memory of 3796	1288	cmd.exe	105
PID 1288 wrote to memory of 1812	1288	cmd.exe	106
PID 1288 wrote to memory of 1812	1288	cmd.exe	106
PID 1288 wrote to memory of 3972	1288	cmd.exe	107
PID 1288 wrote to memory of 3972	1288	cmd.exe	107
PID 1288 wrote to memory of 4644	1288	cmd.exe	108
PID 1288 wrote to memory of 4644	1288	cmd.exe	108
PID 1288 wrote to memory of 5084	1288	cmd.exe	110
PID 1288 wrote to memory of 5084	1288	cmd.exe	110
PID 1288 wrote to memory of 4116	1288	cmd.exe	112
PID 1288 wrote to memory of 4116	1288	cmd.exe	112
PID 1288 wrote to memory of 4756	1288	cmd.exe	113
PID 1288 wrote to memory of 4756	1288	cmd.exe	113
PID 1288 wrote to memory of 4124	1288	cmd.exe	114
PID 1288 wrote to memory of 4124	1288	cmd.exe	114
PID 1288 wrote to memory of 2888	1288	cmd.exe	116
PID 1288 wrote to memory of 2888	1288	cmd.exe	116
PID 1288 wrote to memory of 5000	1288	cmd.exe	117
PID 1288 wrote to memory of 5000	1288	cmd.exe	117
PID 1288 wrote to memory of 648	1288	cmd.exe	120
PID 1288 wrote to memory of 648	1288	cmd.exe	120
PID 1288 wrote to memory of 4872	1288	cmd.exe	123
PID 1288 wrote to memory of 4872	1288	cmd.exe	123
PID 1288 wrote to memory of 3836	1288	cmd.exe	124
PID 1288 wrote to memory of 3836	1288	cmd.exe	124
PID 1288 wrote to memory of 560	1288	cmd.exe	125
PID 1288 wrote to memory of 560	1288	cmd.exe	125
PID 560 wrote to memory of 2316	560	cmd.exe	126
PID 560 wrote to memory of 2316	560	cmd.exe	126
PID 1288 wrote to memory of 4392	1288	cmd.exe	127
PID 1288 wrote to memory of 4392	1288	cmd.exe	127
PID 1288 wrote to memory of 4896	1288	cmd.exe	130
PID 1288 wrote to memory of 4896	1288	cmd.exe	130
PID 1288 wrote to memory of 1456	1288	cmd.exe	131
PID 1288 wrote to memory of 1456	1288	cmd.exe	131
PID 1288 wrote to memory of 1132	1288	cmd.exe	132
PID 1288 wrote to memory of 1132	1288	cmd.exe	132
PID 1288 wrote to memory of 3728	1288	cmd.exe	133
PID 1288 wrote to memory of 3728	1288	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows 10 Digital License Activation Script.cmd"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:2772
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:4940
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4880
- C:\Windows\system32\mode.com
  mode con cols=98 lines=130
  2⤵
  PID:4500
- C:\Windows\system32\cmd.exe
  cmd /u /c type "C:\Users\Admin\AppData\Local\Temp\create_file.txt"
  2⤵
  PID:5048
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\create_file.vbs"
  2⤵
  PID:2512
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:3796
- C:\Windows\system32\choice.exe
  choice /C:GC /N /M "[C] Continue To Activation [G] Go Back : "
  2⤵
  PID:1812
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name
  2⤵
  PID:3972
- C:\Windows\system32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:4644
- C:\Windows\system32\cscript.exe
  cscript /nologo C:\Windows\system32\slmgr.vbs -ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  PID:5084
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens" /v "Channel" /t REG_SZ /d "Retail" /f
  2⤵
  PID:4116
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Kernel-ProductInfo" /t REG_DWORD /d 48 /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1 /f
  2⤵
  PID:4124
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:2888
- C:\Windows\system32\ClipUp.exe
  clipup -v -o -altto bin\
  2⤵
  PID:5000
- - C:\Windows\system32\clipup.exe
    clipup -v -o -altto bin\ -ppl C:\Users\Admin\AppData\Local\Temp\temFD7F.tmp
    3⤵
    PID:4868
- C:\Windows\system32\cscript.exe
  cscript /nologo C:\Windows\system32\slmgr.vbs -ato
  2⤵
  PID:648
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\Tokens" /f
  2⤵
  PID:4872
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    PID:2316
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4392
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\System32\slmgr.vbs /dli
  2⤵
  PID:4896
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\System32\slmgr.vbs /xpr
  2⤵
  PID:1456
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  PID:3728
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    PID:4552
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ReadMe.txt

Filesize
7KB

MD5
18021ec4b73fca95c23d9eb1adbe84fb

SHA1
17b17d17fcfa92a1066c5eef512aabc708fd5eec

SHA256
3a917be58edf7743bd0e4abb8872ae046b9bd1d5f92a640a7bfe84c4f1411082

SHA512
741b54d49970423c1e90418dbbc8e7a018c59722dca7b38617321cd4c21e79a0e4ad1ad17712e65be9bb2d0257da22e18ae236a67c5eea6825f056ee1554e0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\create_file.txt

Filesize
528B

MD5
ca2f1ee9c2f112c119c9071095aba396

SHA1
d1a9bc57fcfaa39ad4c0286742a377f079378ec3

SHA256
5ff995a7bbcf92512407ea6814f77e7df6ad0788a804ebb999bc2ad9d3045aa0

SHA512
810c46f2a4ef5b818b024a6de10fa3295599ca390b516045bc11edc7b597eabf4e1e1baa4abe32aaaeac7b90a3361d3b9cbebc6cdc4743765f98d4f043330f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\create_file.vbs

Filesize
1KB

MD5
85f040dd48c6138710cd73f70a16360a

SHA1
88ceb9a232fbf65064dbd5135365c76c4c43e8e5

SHA256
dcaa55d665c28a275927d299c43f54a5b345c17442520a940e6d3eea2db121ae

SHA512
1503e024b5c417d5b02c2033da4b7745810a4388a74c56934950dd83bd6a62f19a698d26be1cbb60628361e69d50a967f83931c6dcdba4b2b72fec71dbaf26bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\temFD7F.tmp

Filesize
230B

MD5
62bb58da510ecb05194b2199ef7889ef

SHA1
8f0e4f6d9776cbde466a6f4b51f6b43a22b5af1f

SHA256
33d3fe617709057bdf5feec1df85a1f6ea33f2e2443c0f10a7819a78bb3abf31

SHA512
9a07668211c476e10636ee7f6f2cab9435e73a3c07b2e5ba54ab9fec28ae71c47c16a798a9e0733c6eb08d7e620806b2ef624fa984675a9aaa4bfbe574cae65d

Download Submit
memory/4868-147-0x000002F1F5820000-0x000002F1F5830000-memory.dmp

Filesize
64KB

Download
memory/4868-146-0x000002F1F5820000-0x000002F1F5830000-memory.dmp

Filesize
64KB

Download
memory/4868-149-0x000002F1F5820000-0x000002F1F5830000-memory.dmp

Filesize
64KB

Download
memory/5000-144-0x0000019B51290000-0x0000019B512A0000-memory.dmp

Filesize
64KB

Download
memory/5000-145-0x0000019B51290000-0x0000019B512A0000-memory.dmp

Filesize
64KB

Download
memory/5000-151-0x0000019B51290000-0x0000019B512A0000-memory.dmp

Filesize
64KB

Download