3eb2ef4c8a27cf98f7c566d56f28e1145c6cfd38183b5cf386e23de60ed38297

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft-Activation-Scripts-2.2/Microsoft-Activation-Scripts-2.2/MAS/Separate-Files-Version/Activators/HWID_Activation.cmd
Size

54KB
MD5

7ddb1766a6574fd10e29303e24272ad1
SHA1

c91185a98353e64ebd4707e26fbbffa5d4d7e7c3
SHA256

005f28b334a8f0bc0b611a616e6558127d21dfec43a163ed4536c2bb46477ef9
SHA512

756b28a6787dc2de0d0372901982d4c384a02cf5517aa944ed2cbb2cebd23c172200f9220faf725b089ea97c8f81c878cd7e602a73b8721c1f89114ebe03549f
SSDEEP

768:h2zZiOKJ5yorr997+3YWSWMxahF438mpr8Fp9lvCRdi5NEjS+C7S4jFh0z1E6yfH:oi3yg2MxMMUflsdi54Em0Iy6yP4Nm36s

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2788	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	powershell.exe
2640	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2788	2448	cmd.exe	29
PID 2448 wrote to memory of 2788	2448	cmd.exe	29
PID 2448 wrote to memory of 2788	2448	cmd.exe	29
PID 2448 wrote to memory of 3028	2448	cmd.exe	30
PID 2448 wrote to memory of 3028	2448	cmd.exe	30
PID 2448 wrote to memory of 3028	2448	cmd.exe	30
PID 2448 wrote to memory of 2908	2448	cmd.exe	31
PID 2448 wrote to memory of 2908	2448	cmd.exe	31
PID 2448 wrote to memory of 2908	2448	cmd.exe	31
PID 2448 wrote to memory of 2420	2448	cmd.exe	32
PID 2448 wrote to memory of 2420	2448	cmd.exe	32
PID 2448 wrote to memory of 2420	2448	cmd.exe	32
PID 2448 wrote to memory of 1984	2448	cmd.exe	33
PID 2448 wrote to memory of 1984	2448	cmd.exe	33
PID 2448 wrote to memory of 1984	2448	cmd.exe	33
PID 2448 wrote to memory of 2640	2448	cmd.exe	34
PID 2448 wrote to memory of 2640	2448	cmd.exe	34
PID 2448 wrote to memory of 2640	2448	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-2.2\Microsoft-Activation-Scripts-2.2\MAS\Separate-Files-Version\Activators\HWID_Activation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2788
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:3028
- C:\Windows\System32\findstr.exe
  findstr /v "$" "HWID_Activation.cmd"
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Exit..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95e5bda76980d8a7c2ad926683f721b4

SHA1
c20c968200f728972ae179bad3287506d1752f41

SHA256
dd51cc50e7e779e86f8fc732d71ade18b1d5836fda837ed7a1b215f87c5bdcf7

SHA512
b5799e5a8446dd7498e8f03c1eb0edf16982e5b52519e2dd3bc317cb71d0fc8e1df12f414f594894fad8e62b4f8277714c54e80c72c1d851fc6d418fa4b947ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A7FKFZWHXZI3J5CUMFGT.temp

Filesize
7KB

MD5
95e5bda76980d8a7c2ad926683f721b4

SHA1
c20c968200f728972ae179bad3287506d1752f41

SHA256
dd51cc50e7e779e86f8fc732d71ade18b1d5836fda837ed7a1b215f87c5bdcf7

SHA512
b5799e5a8446dd7498e8f03c1eb0edf16982e5b52519e2dd3bc317cb71d0fc8e1df12f414f594894fad8e62b4f8277714c54e80c72c1d851fc6d418fa4b947ae

Download Submit
memory/1984-9-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1984-7-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1984-8-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1984-4-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1984-10-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-11-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1984-12-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-6-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1984-5-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-19-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2640-20-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2640-18-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2640-22-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2640-21-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2640-23-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2640-24-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2640-25-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2640-26-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download