fd88ca3df8d66708e121b661fc3028fd0dfc275e88c64b8ed34b0b9b9c04b6d2 | Triage

Analysis

max time kernel
238s
max time network
287s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 14:32

Sharing

Report Analysis Logs

General

Target

Activator/ActivationNextBoot.cmd
Size

1KB
MD5

c99d72a4e9bc43543aac21da48e99aac
SHA1

949edb7bac0cae8113eb34ada56b572d83f9f39b
SHA256

ea68e8f2a77b3c180734927c2be02e3452de5fbd9c4b60e3d703ad5ab088e0a0
SHA512

ea4312b6f9f2d61389d3dc743fea66a5de8083153bc82df2c4e5002518a48e8d162803027223889ebd8ae1b0adcc3e1fcd4b523c2a321497e64f6dbd1955f7ae

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2572	2596	cmd.exe	28
PID 2596 wrote to memory of 2572	2596	cmd.exe	28
PID 2596 wrote to memory of 2572	2596	cmd.exe	28
PID 2596 wrote to memory of 2456	2596	cmd.exe	29
PID 2596 wrote to memory of 2456	2596	cmd.exe	29
PID 2596 wrote to memory of 2456	2596	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\cscript.exe
  CSCRIPT C:\Windows\system32\slmgr.vbs -dli
  2⤵
  PID:2572
- C:\Windows\system32\findstr.exe
  FINDSTR "Licensed ½¿µÑ¡º¿ε"
  2⤵
  PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads