e22b39312f274bf684df96d1a69a0132987bef5dd97ad459cfe963f261dcf4e4

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-10-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft-Activation-Scripts-master/MAS/Separate-Files-Version/Activators/KMS38_Activation.cmd
Size

54KB
MD5

dccae2b581bcc7db35823e105ea23d1b
SHA1

c1a4a98bfc33a255c101404ad5b04f2caca92a0a
SHA256

d6877ca942cdc3da249f186b80967e4f787db2919bb01fb29bf57be9a0d0c3d8
SHA512

64abd95cbb6ffbebe1e09fae09902a867a21117b171b0d2d99ddd1d058e060f2fee7cf2eebd8a00ff0ad631c36fdc693d7a14ec7a040eac0388581c2ad8dab47
SSDEEP

1536:xD83yqy0xDSPfGo6nNm85Yu341Em0Iy+lVTt3rA6s:xY3MPf/15jvg

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2548	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2708	powershell.exe
2436	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2548	2308	cmd.exe	29
PID 2308 wrote to memory of 2548	2308	cmd.exe	29
PID 2308 wrote to memory of 2548	2308	cmd.exe	29
PID 2308 wrote to memory of 2660	2308	cmd.exe	30
PID 2308 wrote to memory of 2660	2308	cmd.exe	30
PID 2308 wrote to memory of 2660	2308	cmd.exe	30
PID 2308 wrote to memory of 2852	2308	cmd.exe	31
PID 2308 wrote to memory of 2852	2308	cmd.exe	31
PID 2308 wrote to memory of 2852	2308	cmd.exe	31
PID 2308 wrote to memory of 2556	2308	cmd.exe	32
PID 2308 wrote to memory of 2556	2308	cmd.exe	32
PID 2308 wrote to memory of 2556	2308	cmd.exe	32
PID 2308 wrote to memory of 2708	2308	cmd.exe	33
PID 2308 wrote to memory of 2708	2308	cmd.exe	33
PID 2308 wrote to memory of 2708	2308	cmd.exe	33
PID 2308 wrote to memory of 2436	2308	cmd.exe	34
PID 2308 wrote to memory of 2436	2308	cmd.exe	34
PID 2308 wrote to memory of 2436	2308	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2548
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:2660
- C:\Windows\System32\findstr.exe
  findstr /v "$" "KMS38_Activation.cmd"
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Exit..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5336X273AJKSZBTJJK0J.temp

Filesize
7KB

MD5
22ddb310e5d2d848f88b0c6f4eb93b71

SHA1
5058f5ef822b8a44a250380c25b7f66837b800b5

SHA256
c530e00c2395e182cf8765f263cd5109835a167df3378fa8445ee64dd2d7ad24

SHA512
aee51caa2507b2ac5f753da6972e63049b61237386dae961dd4d595f95c13354e40f790cefdf2dae4ee447ac14cd7038b575bc1bef3c91788d3cae5598929626

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22ddb310e5d2d848f88b0c6f4eb93b71

SHA1
5058f5ef822b8a44a250380c25b7f66837b800b5

SHA256
c530e00c2395e182cf8765f263cd5109835a167df3378fa8445ee64dd2d7ad24

SHA512
aee51caa2507b2ac5f753da6972e63049b61237386dae961dd4d595f95c13354e40f790cefdf2dae4ee447ac14cd7038b575bc1bef3c91788d3cae5598929626

Download Submit
memory/2436-19-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2436-18-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-23-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-22-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2436-21-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2436-20-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2436-16-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-15-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-17-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2708-7-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-4-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2708-5-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

Filesize
32KB

Download
memory/2708-6-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-8-0x0000000002B94000-0x0000000002B97000-memory.dmp

Filesize
12KB

Download
memory/2708-9-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download