7d516ecf1b5ab7eba36ac40dd7829568d8df808ea0433183792ffea15487887d

Analysis

max time kernel
128s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
20/09/2023, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

W10 Digital License Activation Script.cmd
Size

16KB
MD5

07de7c3f3a216bbabda6700388544863
SHA1

c2a6e6cca96fb3f32f4c72f011975b195a229898
SHA256

7d516ecf1b5ab7eba36ac40dd7829568d8df808ea0433183792ffea15487887d
SHA512

aa41ae38bbd8e425eb7d07738db9dfdb7aa5904c23708e31dc9f0c5078d1076bae972a3cb7118bacef9167b1a1c1d1bf6fb409ea2a8f0a0ed56abdd543667311
SSDEEP

192:COmBK1VhT6Qu5V91L0RQxTcyDKyDR2PtWdGfLYbzVDrjQQf9erdjsmyY:CpK/yBVF2PtcGTYX6IeRqY

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3008	timeout.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4012	WMIC.exe
Token: SeSecurityPrivilege	4012	WMIC.exe
Token: SeTakeOwnershipPrivilege	4012	WMIC.exe
Token: SeLoadDriverPrivilege	4012	WMIC.exe
Token: SeSystemProfilePrivilege	4012	WMIC.exe
Token: SeSystemtimePrivilege	4012	WMIC.exe
Token: SeProfSingleProcessPrivilege	4012	WMIC.exe
Token: SeIncBasePriorityPrivilege	4012	WMIC.exe
Token: SeCreatePagefilePrivilege	4012	WMIC.exe
Token: SeBackupPrivilege	4012	WMIC.exe
Token: SeRestorePrivilege	4012	WMIC.exe
Token: SeShutdownPrivilege	4012	WMIC.exe
Token: SeDebugPrivilege	4012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4012	WMIC.exe
Token: SeRemoteShutdownPrivilege	4012	WMIC.exe
Token: SeUndockPrivilege	4012	WMIC.exe
Token: SeManageVolumePrivilege	4012	WMIC.exe
Token: 33	4012	WMIC.exe
Token: 34	4012	WMIC.exe
Token: 35	4012	WMIC.exe
Token: 36	4012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4012	WMIC.exe
Token: SeSecurityPrivilege	4012	WMIC.exe
Token: SeTakeOwnershipPrivilege	4012	WMIC.exe
Token: SeLoadDriverPrivilege	4012	WMIC.exe
Token: SeSystemProfilePrivilege	4012	WMIC.exe
Token: SeSystemtimePrivilege	4012	WMIC.exe
Token: SeProfSingleProcessPrivilege	4012	WMIC.exe
Token: SeIncBasePriorityPrivilege	4012	WMIC.exe
Token: SeCreatePagefilePrivilege	4012	WMIC.exe
Token: SeBackupPrivilege	4012	WMIC.exe
Token: SeRestorePrivilege	4012	WMIC.exe
Token: SeShutdownPrivilege	4012	WMIC.exe
Token: SeDebugPrivilege	4012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4012	WMIC.exe
Token: SeRemoteShutdownPrivilege	4012	WMIC.exe
Token: SeUndockPrivilege	4012	WMIC.exe
Token: SeManageVolumePrivilege	4012	WMIC.exe
Token: 33	4012	WMIC.exe
Token: 34	4012	WMIC.exe
Token: 35	4012	WMIC.exe
Token: 36	4012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: 36	816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3456	4576	cmd.exe	70
PID 4576 wrote to memory of 3456	4576	cmd.exe	70
PID 4576 wrote to memory of 3876	4576	cmd.exe	71
PID 4576 wrote to memory of 3876	4576	cmd.exe	71
PID 3876 wrote to memory of 4012	3876	cmd.exe	72
PID 3876 wrote to memory of 4012	3876	cmd.exe	72
PID 4576 wrote to memory of 1524	4576	cmd.exe	74
PID 4576 wrote to memory of 1524	4576	cmd.exe	74
PID 1524 wrote to memory of 816	1524	cmd.exe	75
PID 1524 wrote to memory of 816	1524	cmd.exe	75
PID 4576 wrote to memory of 3516	4576	cmd.exe	76
PID 4576 wrote to memory of 3516	4576	cmd.exe	76
PID 4576 wrote to memory of 212	4576	cmd.exe	77
PID 4576 wrote to memory of 212	4576	cmd.exe	77
PID 4576 wrote to memory of 4932	4576	cmd.exe	78
PID 4576 wrote to memory of 4932	4576	cmd.exe	78
PID 4576 wrote to memory of 4124	4576	cmd.exe	79
PID 4576 wrote to memory of 4124	4576	cmd.exe	79
PID 4124 wrote to memory of 4580	4124	cmd.exe	80
PID 4124 wrote to memory of 4580	4124	cmd.exe	80
PID 4576 wrote to memory of 220	4576	cmd.exe	81
PID 4576 wrote to memory of 220	4576	cmd.exe	81
PID 220 wrote to memory of 204	220	cmd.exe	82
PID 220 wrote to memory of 204	220	cmd.exe	82
PID 4576 wrote to memory of 4416	4576	cmd.exe	83
PID 4576 wrote to memory of 4416	4576	cmd.exe	83
PID 4576 wrote to memory of 4264	4576	cmd.exe	84
PID 4576 wrote to memory of 4264	4576	cmd.exe	84
PID 4576 wrote to memory of 4936	4576	cmd.exe	85
PID 4576 wrote to memory of 4936	4576	cmd.exe	85
PID 4576 wrote to memory of 5020	4576	cmd.exe	86
PID 4576 wrote to memory of 5020	4576	cmd.exe	86
PID 4576 wrote to memory of 1684	4576	cmd.exe	89
PID 4576 wrote to memory of 1684	4576	cmd.exe	89
PID 4576 wrote to memory of 4924	4576	cmd.exe	90
PID 4576 wrote to memory of 4924	4576	cmd.exe	90
PID 4576 wrote to memory of 2256	4576	cmd.exe	91
PID 4576 wrote to memory of 2256	4576	cmd.exe	91
PID 4576 wrote to memory of 3488	4576	cmd.exe	92
PID 4576 wrote to memory of 3488	4576	cmd.exe	92
PID 4576 wrote to memory of 4228	4576	cmd.exe	93
PID 4576 wrote to memory of 4228	4576	cmd.exe	93
PID 4576 wrote to memory of 3008	4576	cmd.exe	98
PID 4576 wrote to memory of 3008	4576	cmd.exe	98
PID 4576 wrote to memory of 4592	4576	cmd.exe	99
PID 4576 wrote to memory of 4592	4576	cmd.exe	99
PID 4576 wrote to memory of 3500	4576	cmd.exe	102
PID 4576 wrote to memory of 3500	4576	cmd.exe	102
PID 4576 wrote to memory of 4412	4576	cmd.exe	103
PID 4576 wrote to memory of 4412	4576	cmd.exe	103
PID 4576 wrote to memory of 3228	4576	cmd.exe	104
PID 4576 wrote to memory of 3228	4576	cmd.exe	104
PID 3228 wrote to memory of 1592	3228	cmd.exe	105
PID 3228 wrote to memory of 1592	3228	cmd.exe	105
PID 4576 wrote to memory of 1088	4576	cmd.exe	106
PID 4576 wrote to memory of 1088	4576	cmd.exe	106
PID 1088 wrote to memory of 4252	1088	cmd.exe	107
PID 1088 wrote to memory of 4252	1088	cmd.exe	107
PID 4576 wrote to memory of 4368	4576	cmd.exe	108
PID 4576 wrote to memory of 4368	4576	cmd.exe	108
PID 4576 wrote to memory of 828	4576	cmd.exe	109
PID 4576 wrote to memory of 828	4576	cmd.exe	109
PID 4576 wrote to memory of 344	4576	cmd.exe	110
PID 4576 wrote to memory of 344	4576	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\W10 Digital License Activation Script.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic Path Win32_OperatingSystem Get Version /format:LIST
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:3516
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\System32\slmgr.vbs /dli
  2⤵
  PID:212
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\System32\slmgr.vbs /xpr
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic Path Win32_OperatingSystem Get Version /format:LIST
    3⤵
    PID:204
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4416
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name
  2⤵
  PID:4264
- C:\Windows\system32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:4936
- C:\Windows\system32\cscript.exe
  cscript /nologo C:\Windows\system32\slmgr.vbs -ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  PID:5020
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name
  2⤵
  PID:1684
- C:\Windows\system32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:4924
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens" /v "Channel" /t REG_SZ /d "Retail" /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Kernel-ProductInfo" /t REG_DWORD /d 48 /f
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1 /f
  2⤵
  PID:4228
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:3008
- C:\Windows\system32\ClipUp.exe
  clipup -v -o -altto bin\
  2⤵
  PID:4592
- - C:\Windows\system32\clipup.exe
    clipup -v -o -altto bin\ -ppl C:\Users\Admin\AppData\Local\Temp\tem4522.tmp
    3⤵
    PID:4588
- C:\Windows\system32\cscript.exe
  cscript /nologo C:\Windows\system32\slmgr.vbs -ato
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\Tokens" /f
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic Path Win32_OperatingSystem Get Version /format:LIST
    3⤵
    PID:4252
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4368
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\System32\slmgr.vbs /dli
  2⤵
  PID:828
- C:\Windows\system32\cscript.exe
  cscript //nologo C:\Windows\System32\slmgr.vbs /xpr
  2⤵
  PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  PID:920
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  2⤵
  PID:380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic Path Win32_OperatingSystem Get Version /format:LIST
    3⤵
    PID:1312
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem4522.tmp

Filesize
230B

MD5
62bb58da510ecb05194b2199ef7889ef

SHA1
8f0e4f6d9776cbde466a6f4b51f6b43a22b5af1f

SHA256
33d3fe617709057bdf5feec1df85a1f6ea33f2e2443c0f10a7819a78bb3abf31

SHA512
9a07668211c476e10636ee7f6f2cab9435e73a3c07b2e5ba54ab9fec28ae71c47c16a798a9e0733c6eb08d7e620806b2ef624fa984675a9aaa4bfbe574cae65d

Download Submit
memory/4588-12-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-22-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-29-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-19-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-14-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-16-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-21-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4588-17-0x00000266F4B70000-0x00000266F4B80000-memory.dmp

Filesize
64KB

Download
memory/4592-8-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-4-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-24-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-6-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-26-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-27-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-9-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download
memory/4592-30-0x00000220DAB40000-0x00000220DAB50000-memory.dmp

Filesize
64KB

Download