e22b39312f274bf684df96d1a69a0132987bef5dd97ad459cfe963f261dcf4e4

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft-Activation-Scripts-master/MAS/Separate-Files-Version/Check-Activation-Status-vbs.cmd
Size

8KB
MD5

945711798605ca089ebbf216f17867b9
SHA1

fe1c121fb983c2cfc979c36ee4731b7136b0135d
SHA256

1818e67562f5affc6dc8df40a3c62b64012bd2105f75befd372787949d5c2fae
SHA512

50216e05ec723d23a57214bb4363eb52b6f5005de48bfc7354026df5e049ecbac51243cb578c94a1e7fa831659b2a3f0cdf5f8faf29b037552b06ab21d5b77d8
SSDEEP

192:BhoO0d/IZIZazZ9VZ5jZfuZcQZ0pZfSy9C/sC/QiO4TEoz6t9+rV:PoO0dEIZad3Z5tficE0rfSyo/h/QiO4T

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
4056	reg.exe
1452	reg.exe
1040	reg.exe
4704	reg.exe
3512	reg.exe
3780	reg.exe
1900	reg.exe
4144	reg.exe
456	reg.exe
3944	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3056	2256	cmd.exe	84
PID 2256 wrote to memory of 3056	2256	cmd.exe	84
PID 2256 wrote to memory of 1676	2256	cmd.exe	85
PID 2256 wrote to memory of 1676	2256	cmd.exe	85
PID 1676 wrote to memory of 4304	1676	net.exe	86
PID 1676 wrote to memory of 4304	1676	net.exe	86
PID 2256 wrote to memory of 552	2256	cmd.exe	88
PID 2256 wrote to memory of 552	2256	cmd.exe	88
PID 2256 wrote to memory of 260	2256	cmd.exe	90
PID 2256 wrote to memory of 260	2256	cmd.exe	90
PID 2256 wrote to memory of 1584	2256	cmd.exe	91
PID 2256 wrote to memory of 1584	2256	cmd.exe	91
PID 1584 wrote to memory of 4144	1584	cmd.exe	92
PID 1584 wrote to memory of 4144	1584	cmd.exe	92
PID 2256 wrote to memory of 1404	2256	cmd.exe	93
PID 2256 wrote to memory of 1404	2256	cmd.exe	93
PID 1404 wrote to memory of 1040	1404	cmd.exe	94
PID 1404 wrote to memory of 1040	1404	cmd.exe	94
PID 2256 wrote to memory of 4596	2256	cmd.exe	95
PID 2256 wrote to memory of 4596	2256	cmd.exe	95
PID 4596 wrote to memory of 456	4596	cmd.exe	96
PID 4596 wrote to memory of 456	4596	cmd.exe	96
PID 2256 wrote to memory of 1172	2256	cmd.exe	97
PID 2256 wrote to memory of 1172	2256	cmd.exe	97
PID 1172 wrote to memory of 4704	1172	cmd.exe	98
PID 1172 wrote to memory of 4704	1172	cmd.exe	98
PID 2256 wrote to memory of 4768	2256	cmd.exe	99
PID 2256 wrote to memory of 4768	2256	cmd.exe	99
PID 4768 wrote to memory of 3944	4768	cmd.exe	100
PID 4768 wrote to memory of 3944	4768	cmd.exe	100
PID 2256 wrote to memory of 4128	2256	cmd.exe	101
PID 2256 wrote to memory of 4128	2256	cmd.exe	101
PID 4128 wrote to memory of 3512	4128	cmd.exe	102
PID 4128 wrote to memory of 3512	4128	cmd.exe	102
PID 2256 wrote to memory of 4056	2256	cmd.exe	103
PID 2256 wrote to memory of 4056	2256	cmd.exe	103
PID 2256 wrote to memory of 3668	2256	cmd.exe	104
PID 2256 wrote to memory of 3668	2256	cmd.exe	104
PID 3668 wrote to memory of 3780	3668	cmd.exe	105
PID 3668 wrote to memory of 3780	3668	cmd.exe	105
PID 2256 wrote to memory of 4744	2256	cmd.exe	106
PID 2256 wrote to memory of 4744	2256	cmd.exe	106
PID 2256 wrote to memory of 1792	2256	cmd.exe	110
PID 2256 wrote to memory of 1792	2256	cmd.exe	110
PID 1792 wrote to memory of 1900	1792	cmd.exe	111
PID 1792 wrote to memory of 1900	1792	cmd.exe	111
PID 2256 wrote to memory of 1452	2256	cmd.exe	112
PID 2256 wrote to memory of 1452	2256	cmd.exe	112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Check-Activation-Status-vbs.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\System32\findstr.exe
  findstr /v "$" "Check-Activation-Status-vbs.cmd"
  2⤵
  PID:3056
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:4304
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /dli
  2⤵
  PID:552
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /xpr
  2⤵
  PID:260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:3512
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:3780
- C:\Windows\System32\cscript.exe
  cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
  2⤵
  PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1900
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
139KB

MD5
3903bcab32a4a853dfa54962112d4d02

SHA1
ba6433fba48797cd43463441358004ac81b76a8b

SHA256
95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816

SHA512
db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a

Download Submit