5697fdf7c6a11b7a3d48d492976f820a0f9c1a2d49ada258c411924a4e3c816b

Analysis

max time kernel
43s
max time network
19s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAS_AIO.cmd
Size

425KB
MD5

d3caa81fb77f8b2e90a81c47a43565c4
SHA1

9e47d9b039d325e66a22b874e4eb2d265669c4f3
SHA256

5697fdf7c6a11b7a3d48d492976f820a0f9c1a2d49ada258c411924a4e3c816b
SHA512

1bf881e71c5ae83b764a292fbafd12d6f7fb57547f7c064f434d81f36c5391b9ca97192d9988c27af5ac36870c9f69a5a66dfce0d95c01dee7e9b77af496022b
SSDEEP

3072:HR34RE57N9H7PIu0R/iNiYCCh3MPfiavbbJuAMTVFp6zGDNSCE2K6rOuW7EOGJGo:xjXEu0R6SChAbJu9p6zGDNS0K8OuD3

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1944	sc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2776	reg.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1944	1264	cmd.exe	29
PID 1264 wrote to memory of 1944	1264	cmd.exe	29
PID 1264 wrote to memory of 1944	1264	cmd.exe	29
PID 1264 wrote to memory of 2136	1264	cmd.exe	30
PID 1264 wrote to memory of 2136	1264	cmd.exe	30
PID 1264 wrote to memory of 2136	1264	cmd.exe	30
PID 1264 wrote to memory of 2596	1264	cmd.exe	31
PID 1264 wrote to memory of 2596	1264	cmd.exe	31
PID 1264 wrote to memory of 2596	1264	cmd.exe	31
PID 1264 wrote to memory of 2128	1264	cmd.exe	32
PID 1264 wrote to memory of 2128	1264	cmd.exe	32
PID 1264 wrote to memory of 2128	1264	cmd.exe	32
PID 1264 wrote to memory of 1156	1264	cmd.exe	33
PID 1264 wrote to memory of 1156	1264	cmd.exe	33
PID 1264 wrote to memory of 1156	1264	cmd.exe	33
PID 1264 wrote to memory of 2332	1264	cmd.exe	34
PID 1264 wrote to memory of 2332	1264	cmd.exe	34
PID 1264 wrote to memory of 2332	1264	cmd.exe	34
PID 1264 wrote to memory of 2612	1264	cmd.exe	35
PID 1264 wrote to memory of 2612	1264	cmd.exe	35
PID 1264 wrote to memory of 2612	1264	cmd.exe	35
PID 1264 wrote to memory of 2652	1264	cmd.exe	36
PID 1264 wrote to memory of 2652	1264	cmd.exe	36
PID 1264 wrote to memory of 2652	1264	cmd.exe	36
PID 1264 wrote to memory of 2776	1264	cmd.exe	37
PID 1264 wrote to memory of 2776	1264	cmd.exe	37
PID 1264 wrote to memory of 2776	1264	cmd.exe	37
PID 1264 wrote to memory of 2704	1264	cmd.exe	38
PID 1264 wrote to memory of 2704	1264	cmd.exe	38
PID 1264 wrote to memory of 2704	1264	cmd.exe	38
PID 1264 wrote to memory of 2780	1264	cmd.exe	39
PID 1264 wrote to memory of 2780	1264	cmd.exe	39
PID 1264 wrote to memory of 2780	1264	cmd.exe	39
PID 2780 wrote to memory of 2632	2780	cmd.exe	40
PID 2780 wrote to memory of 2632	2780	cmd.exe	40
PID 2780 wrote to memory of 2632	2780	cmd.exe	40
PID 1264 wrote to memory of 2988	1264	cmd.exe	41
PID 1264 wrote to memory of 2988	1264	cmd.exe	41
PID 1264 wrote to memory of 2988	1264	cmd.exe	41
PID 1264 wrote to memory of 2132	1264	cmd.exe	42
PID 1264 wrote to memory of 2132	1264	cmd.exe	42
PID 1264 wrote to memory of 2132	1264	cmd.exe	42
PID 1264 wrote to memory of 2772	1264	cmd.exe	43
PID 1264 wrote to memory of 2772	1264	cmd.exe	43
PID 1264 wrote to memory of 2772	1264	cmd.exe	43
PID 1264 wrote to memory of 2792	1264	cmd.exe	44
PID 1264 wrote to memory of 2792	1264	cmd.exe	44
PID 1264 wrote to memory of 2792	1264	cmd.exe	44

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:2136
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO.cmd"
  2⤵
  PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  2⤵
  PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO.cmd" "
  2⤵
  PID:2332
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2612
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2652
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  - Modifies registry key
  PID:2776
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2632
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:2988
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:2132
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:2772
- C:\Windows\System32\choice.exe
  choice /C:123456780 /N
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\`.txt

Filesize
17B

MD5
c48de30a6d93de10929a00f17d725a24

SHA1
002e95b585f523b9f1dab14bdad2729032b1a81a

SHA256
96ba30bf853b79cd26e5399db76def0f6be3c936fc1263232937fbc8a0c8c5b5

SHA512
8657c3448c231484a7354b5bbf1cbc0377d0f49841baa67fdb8e6d162274470fa6128160209e9ee2d286172f0156aca0ab9a6440f4d5d69cab56612b4bc53b12

Download Submit
C:\Windows\Temp\`.txt

Filesize
64B

MD5
77d46f20e0040efbb88b3546e07ca3bc

SHA1
e96b144bd7bc5b26cb9adf58399353223d10f404

SHA256
4be35005732a8f6ca965235189ed6934bf6a4e3ba7c4e44f4291ed41752ec34c

SHA512
6fcd8a48a149b453459e35337c277ebb87a09bdcb899bdfeadf588ff3729b4f09edbb94213f99fda012f5f96a65cd21ac43de997b0391d6bf93795efe2e9acde

Download Submit