e22b39312f274bf684df96d1a69a0132987bef5dd97ad459cfe963f261dcf4e4

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft-Activation-Scripts-master/MAS/Separate-Files-Version/Check-Activation-Status-wmi.cmd
Size

18KB
MD5

55ea790635e39d3cfce2ae6d4af60417
SHA1

70f1c2357ef3ca85cc92bb8cbfaac3a586e85e50
SHA256

4dd86774e105d60589f0540f6d93e0f43942fa32203853b8dcea52035f50a0f9
SHA512

cbbbcb1fabfa6b13c7c7fddb95d269a3cd752c2c568fa676ee3f7536a0095b4255ec17d4ac896b2e97bcc0000c3eb5c22a9eab27d1e994aa1167a3af4b2da2f4
SSDEEP

384:AeI7EnXfdwyo44hN8ivJ9EaRVVY7UTdPU0EGT0SGFX:AecGyWaNY7wdVEGQSGR

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2492	sc.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2056	2972	cmd.exe	29
PID 2972 wrote to memory of 2056	2972	cmd.exe	29
PID 2972 wrote to memory of 2056	2972	cmd.exe	29
PID 2972 wrote to memory of 2272	2972	cmd.exe	30
PID 2972 wrote to memory of 2272	2972	cmd.exe	30
PID 2972 wrote to memory of 2272	2972	cmd.exe	30
PID 2972 wrote to memory of 2340	2972	cmd.exe	31
PID 2972 wrote to memory of 2340	2972	cmd.exe	31
PID 2972 wrote to memory of 2340	2972	cmd.exe	31
PID 2972 wrote to memory of 2736	2972	cmd.exe	32
PID 2972 wrote to memory of 2736	2972	cmd.exe	32
PID 2972 wrote to memory of 2736	2972	cmd.exe	32
PID 2972 wrote to memory of 2492	2972	cmd.exe	34
PID 2972 wrote to memory of 2492	2972	cmd.exe	34
PID 2972 wrote to memory of 2492	2972	cmd.exe	34
PID 2972 wrote to memory of 2656	2972	cmd.exe	35
PID 2972 wrote to memory of 2656	2972	cmd.exe	35
PID 2972 wrote to memory of 2656	2972	cmd.exe	35
PID 2656 wrote to memory of 2872	2656	net.exe	36
PID 2656 wrote to memory of 2872	2656	net.exe	36
PID 2656 wrote to memory of 2872	2656	net.exe	36
PID 2972 wrote to memory of 2648	2972	cmd.exe	37
PID 2972 wrote to memory of 2648	2972	cmd.exe	37
PID 2972 wrote to memory of 2648	2972	cmd.exe	37
PID 2972 wrote to memory of 2520	2972	cmd.exe	38
PID 2972 wrote to memory of 2520	2972	cmd.exe	38
PID 2972 wrote to memory of 2520	2972	cmd.exe	38
PID 2972 wrote to memory of 2600	2972	cmd.exe	39
PID 2972 wrote to memory of 2600	2972	cmd.exe	39
PID 2972 wrote to memory of 2600	2972	cmd.exe	39
PID 2600 wrote to memory of 2484	2600	net.exe	40
PID 2600 wrote to memory of 2484	2600	net.exe	40
PID 2600 wrote to memory of 2484	2600	net.exe	40
PID 2972 wrote to memory of 656	2972	cmd.exe	44
PID 2972 wrote to memory of 656	2972	cmd.exe	44
PID 2972 wrote to memory of 656	2972	cmd.exe	44
PID 2972 wrote to memory of 268	2972	cmd.exe	45
PID 2972 wrote to memory of 268	2972	cmd.exe	45
PID 2972 wrote to memory of 268	2972	cmd.exe	45
PID 2972 wrote to memory of 1484	2972	cmd.exe	47
PID 2972 wrote to memory of 1484	2972	cmd.exe	47
PID 2972 wrote to memory of 1484	2972	cmd.exe	47
PID 2972 wrote to memory of 1492	2972	cmd.exe	48
PID 2972 wrote to memory of 1492	2972	cmd.exe	48
PID 2972 wrote to memory of 1492	2972	cmd.exe	48
PID 2972 wrote to memory of 932	2972	cmd.exe	49
PID 2972 wrote to memory of 932	2972	cmd.exe	49
PID 2972 wrote to memory of 932	2972	cmd.exe	49
PID 932 wrote to memory of 2472	932	cmd.exe	50
PID 932 wrote to memory of 2472	932	cmd.exe	50
PID 932 wrote to memory of 2472	932	cmd.exe	50
PID 2972 wrote to memory of 2808	2972	cmd.exe	51
PID 2972 wrote to memory of 2808	2972	cmd.exe	51
PID 2972 wrote to memory of 2808	2972	cmd.exe	51
PID 2808 wrote to memory of 2804	2808	cmd.exe	52
PID 2808 wrote to memory of 2804	2808	cmd.exe	52
PID 2808 wrote to memory of 2804	2808	cmd.exe	52
PID 2808 wrote to memory of 2676	2808	cmd.exe	53
PID 2808 wrote to memory of 2676	2808	cmd.exe	53
PID 2808 wrote to memory of 2676	2808	cmd.exe	53
PID 2972 wrote to memory of 1848	2972	cmd.exe	54
PID 2972 wrote to memory of 1848	2972	cmd.exe	54
PID 2972 wrote to memory of 1848	2972	cmd.exe	54
PID 2972 wrote to memory of 820	2972	cmd.exe	55

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Check-Activation-Status-wmi.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2056
- C:\Windows\System32\findstr.exe
  findstr /v "$" "Check-Activation-Status-wmi.cmd"
  2⤵
  PID:2272
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:2736
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2492
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:2872
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\findstr.exe
  findstr /i ID
  2⤵
  PID:2520
- C:\Windows\System32\net.exe
  net start osppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start osppsvc /y
    3⤵
    PID:2484
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where (ApplicationID='59a52881-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
  2⤵
  PID:656
- C:\Windows\System32\findstr.exe
  findstr /i ID
  2⤵
  PID:268
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
  2⤵
  PID:1484
- C:\Windows\System32\findstr.exe
  findstr /i ID
  2⤵
  PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    3⤵
    PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval /value" | findstr =
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval /value
    3⤵
    PID:2804
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Windows Operating System - Windows(R) 7, RETAIL channel"
  2⤵
  PID:1848
- C:\Windows\System32\findstr.exe
  findstr /i VOLUME_KMSCLIENT
  2⤵
  PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Windows Operating System - Windows(R) 7, RETAIL channel"
  2⤵
  PID:2404
- C:\Windows\System32\findstr.exe
  findstr /i TIMEBASED_
  2⤵
  PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Windows Operating System - Windows(R) 7, RETAIL channel"
  2⤵
  PID:2852
- C:\Windows\System32\findstr.exe
  findstr /i VIRTUAL_MACHINE_ACTIVATION
  2⤵
  PID:1932
- C:\Windows\System32\cmd.exe
  cmd /c exit /b -1073418231
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (ApplicationID='59a52881-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
  2⤵
  PID:2016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (ApplicationID='59a52881-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval /value" | findstr =
  2⤵
  PID:1044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval /value
    3⤵
    PID:852
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Office 14, VOLUME_KMSCLIENT channel"
  2⤵
  PID:2440
- C:\Windows\System32\findstr.exe
  findstr /i VOLUME_KMSCLIENT
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Office 14, VOLUME_KMSCLIENT channel"
  2⤵
  PID:2008
- C:\Windows\System32\findstr.exe
  findstr /i TIMEBASED_
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Office 14, VOLUME_KMSCLIENT channel"
  2⤵
  PID:1732
- C:\Windows\System32\findstr.exe
  findstr /i VIRTUAL_MACHINE_ACTIVATION
  2⤵
  PID:2400
- C:\Windows\System32\cmd.exe
  cmd /c exit /b -1073418154
  2⤵
  PID:308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  2⤵
  PID:2812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService get ClientMachineID, KeyManagementServiceHostCaching /value
    3⤵
    PID:2160
- - C:\Windows\System32\findstr.exe
    findstr =
    3⤵
    PID:1328

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads