d8b74318a56f64def23e9e9135a5c22d3fbf260a8d0bdf742746c72f66cc4d61

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/03/2023, 00:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HWID_Activation.cmd
Size

47KB
MD5

1298532e2edd34f5173a258616971480
SHA1

00e437aaa563eb4ac759f17cefcb6e3e467ec5a1
SHA256

d8b74318a56f64def23e9e9135a5c22d3fbf260a8d0bdf742746c72f66cc4d61
SHA512

fe74d5ee1773fd31ed83b1f3e0d111139739c5d3206e9b86d93ee0b653af6100187afa6c008c8d8f7db04d1fee8838063ae50ab1b55e7b2d9642e645f5f537bd
SSDEEP

768:bYnwJ5yDEuqPxHp19lUdizH8+KGwF6K8z1JKD/Wk1amrc6/:V3yQu2xHllUdizHWGwopza/Wfmw6/

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	powershell.exe
1876	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2032	1104	cmd.exe	28
PID 1104 wrote to memory of 2032	1104	cmd.exe	28
PID 1104 wrote to memory of 2032	1104	cmd.exe	28
PID 1104 wrote to memory of 2036	1104	cmd.exe	29
PID 1104 wrote to memory of 2036	1104	cmd.exe	29
PID 1104 wrote to memory of 2036	1104	cmd.exe	29
PID 1104 wrote to memory of 1740	1104	cmd.exe	30
PID 1104 wrote to memory of 1740	1104	cmd.exe	30
PID 1104 wrote to memory of 1740	1104	cmd.exe	30
PID 1104 wrote to memory of 1876	1104	cmd.exe	31
PID 1104 wrote to memory of 1876	1104	cmd.exe	31
PID 1104 wrote to memory of 1876	1104	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\HWID_Activation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "HWID_Activation.cmd"
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Exit..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2L37B6577388JU4Q5EA5.temp

Filesize
7KB

MD5
26f738753c46cf7a7d670c73e5e13501

SHA1
f88791a669e8a473dac95bbd8446b86487433259

SHA256
ab4ac59b0e10b520dd07996cd0d84a21c3908b7167a60ad7318dd4d10791c751

SHA512
6497f90936ae75a92b1da710eead7df97c1697f256fa3c7adf711a6781fa47619d2307882a4c8c7eb285d22882145515d4f2538f4a6cf2b7775b70561b968ab7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
26f738753c46cf7a7d670c73e5e13501

SHA1
f88791a669e8a473dac95bbd8446b86487433259

SHA256
ab4ac59b0e10b520dd07996cd0d84a21c3908b7167a60ad7318dd4d10791c751

SHA512
6497f90936ae75a92b1da710eead7df97c1697f256fa3c7adf711a6781fa47619d2307882a4c8c7eb285d22882145515d4f2538f4a6cf2b7775b70561b968ab7

Download Submit
memory/1740-61-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1740-58-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1740-62-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1740-63-0x00000000025BB000-0x00000000025F2000-memory.dmp

Filesize
220KB

Download
memory/1740-60-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/1740-59-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1876-69-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/1876-70-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/1876-71-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1876-72-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1876-73-0x000000000282B000-0x0000000002862000-memory.dmp

Filesize
220KB

Download