e22b39312f274bf684df96d1a69a0132987bef5dd97ad459cfe963f261dcf4e4

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft-Activation-Scripts-master/MAS/Separate-Files-Version/Check-Activation-Status-vbs.cmd
Size

8KB
MD5

945711798605ca089ebbf216f17867b9
SHA1

fe1c121fb983c2cfc979c36ee4731b7136b0135d
SHA256

1818e67562f5affc6dc8df40a3c62b64012bd2105f75befd372787949d5c2fae
SHA512

50216e05ec723d23a57214bb4363eb52b6f5005de48bfc7354026df5e049ecbac51243cb578c94a1e7fa831659b2a3f0cdf5f8faf29b037552b06ab21d5b77d8
SSDEEP

192:BhoO0d/IZIZazZ9VZ5jZfuZcQZ0pZfSy9C/sC/QiO4TEoz6t9+rV:PoO0dEIZad3Z5tficE0rfSyo/h/QiO4T

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
2548	reg.exe
2496	reg.exe
2884	reg.exe
1904	reg.exe
2864	reg.exe
2900	reg.exe
1048	reg.exe
2876	reg.exe
2552	reg.exe
2052	reg.exe
2660	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2244	3036	cmd.exe	29
PID 3036 wrote to memory of 2244	3036	cmd.exe	29
PID 3036 wrote to memory of 2244	3036	cmd.exe	29
PID 3036 wrote to memory of 2036	3036	cmd.exe	30
PID 3036 wrote to memory of 2036	3036	cmd.exe	30
PID 3036 wrote to memory of 2036	3036	cmd.exe	30
PID 2036 wrote to memory of 1956	2036	net.exe	31
PID 2036 wrote to memory of 1956	2036	net.exe	31
PID 2036 wrote to memory of 1956	2036	net.exe	31
PID 3036 wrote to memory of 2204	3036	cmd.exe	32
PID 3036 wrote to memory of 2204	3036	cmd.exe	32
PID 3036 wrote to memory of 2204	3036	cmd.exe	32
PID 3036 wrote to memory of 2752	3036	cmd.exe	34
PID 3036 wrote to memory of 2752	3036	cmd.exe	34
PID 3036 wrote to memory of 2752	3036	cmd.exe	34
PID 3036 wrote to memory of 2788	3036	cmd.exe	35
PID 3036 wrote to memory of 2788	3036	cmd.exe	35
PID 3036 wrote to memory of 2788	3036	cmd.exe	35
PID 2788 wrote to memory of 2052	2788	cmd.exe	36
PID 2788 wrote to memory of 2052	2788	cmd.exe	36
PID 2788 wrote to memory of 2052	2788	cmd.exe	36
PID 3036 wrote to memory of 2520	3036	cmd.exe	37
PID 3036 wrote to memory of 2520	3036	cmd.exe	37
PID 3036 wrote to memory of 2520	3036	cmd.exe	37
PID 2520 wrote to memory of 2900	2520	cmd.exe	38
PID 2520 wrote to memory of 2900	2520	cmd.exe	38
PID 2520 wrote to memory of 2900	2520	cmd.exe	38
PID 3036 wrote to memory of 2928	3036	cmd.exe	39
PID 3036 wrote to memory of 2928	3036	cmd.exe	39
PID 3036 wrote to memory of 2928	3036	cmd.exe	39
PID 2928 wrote to memory of 1048	2928	cmd.exe	40
PID 2928 wrote to memory of 1048	2928	cmd.exe	40
PID 2928 wrote to memory of 1048	2928	cmd.exe	40
PID 3036 wrote to memory of 2628	3036	cmd.exe	41
PID 3036 wrote to memory of 2628	3036	cmd.exe	41
PID 3036 wrote to memory of 2628	3036	cmd.exe	41
PID 2628 wrote to memory of 2660	2628	cmd.exe	42
PID 2628 wrote to memory of 2660	2628	cmd.exe	42
PID 2628 wrote to memory of 2660	2628	cmd.exe	42
PID 3036 wrote to memory of 1076	3036	cmd.exe	43
PID 3036 wrote to memory of 1076	3036	cmd.exe	43
PID 3036 wrote to memory of 1076	3036	cmd.exe	43
PID 1076 wrote to memory of 2548	1076	cmd.exe	44
PID 1076 wrote to memory of 2548	1076	cmd.exe	44
PID 1076 wrote to memory of 2548	1076	cmd.exe	44
PID 3036 wrote to memory of 2768	3036	cmd.exe	45
PID 3036 wrote to memory of 2768	3036	cmd.exe	45
PID 3036 wrote to memory of 2768	3036	cmd.exe	45
PID 2768 wrote to memory of 2496	2768	cmd.exe	46
PID 2768 wrote to memory of 2496	2768	cmd.exe	46
PID 2768 wrote to memory of 2496	2768	cmd.exe	46
PID 3036 wrote to memory of 2504	3036	cmd.exe	47
PID 3036 wrote to memory of 2504	3036	cmd.exe	47
PID 3036 wrote to memory of 2504	3036	cmd.exe	47
PID 3036 wrote to memory of 2884	3036	cmd.exe	50
PID 3036 wrote to memory of 2884	3036	cmd.exe	50
PID 3036 wrote to memory of 2884	3036	cmd.exe	50
PID 3036 wrote to memory of 2876	3036	cmd.exe	51
PID 3036 wrote to memory of 2876	3036	cmd.exe	51
PID 3036 wrote to memory of 2876	3036	cmd.exe	51
PID 3036 wrote to memory of 1904	3036	cmd.exe	52
PID 3036 wrote to memory of 1904	3036	cmd.exe	52
PID 3036 wrote to memory of 1904	3036	cmd.exe	52
PID 3036 wrote to memory of 2864	3036	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Check-Activation-Status-vbs.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\findstr.exe
  findstr /v "$" "Check-Activation-Status-vbs.cmd"
  2⤵
  PID:2244
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:1956
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /dli
  2⤵
  PID:2204
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /xpr
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2496
- C:\Windows\System32\cscript.exe
  cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\\ospp.vbs" /dstatus
  2⤵
  PID:2504
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2884
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2876
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:1904
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2864
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit