6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
25/11/2023, 06:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Separate-Files-Version/Activators/Check-Activation-Status-vbs.cmd
Size

6KB
MD5

b568aff717984da1f7c8b9cf522fb1e8
SHA1

c00cd43aa95e8221b8ee6a9e758eb7b128139997
SHA256

77ba40dcde775f0a7fb46182296a5b8f5f1150ed81d0759561f2100727344bc8
SHA512

a5648a0af05acc36601208c97f572e09a74065a7b4f2e1d4c333da842c3aa46917e03e464422fa7f4134b90937048380c2699eaddf39f71fe2c9092c2d08c248
SSDEEP

192:BDO0diZIZazZ9VZ5jZfuZcQZ0pZfSy9C/sC/QiO4TEoz6t9+r4:BO0d+IZad3Z5tficE0rfSyo/h/QiO4Ti

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
2400	reg.exe
2684	reg.exe
2628	reg.exe
2584	reg.exe
3016	reg.exe
2800	reg.exe
2384	reg.exe
856	reg.exe
2524	reg.exe
2544	reg.exe
2500	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1976	2232	cmd.exe	29
PID 2232 wrote to memory of 1976	2232	cmd.exe	29
PID 2232 wrote to memory of 1976	2232	cmd.exe	29
PID 1976 wrote to memory of 1752	1976	net.exe	30
PID 1976 wrote to memory of 1752	1976	net.exe	30
PID 1976 wrote to memory of 1752	1976	net.exe	30
PID 2232 wrote to memory of 2696	2232	cmd.exe	31
PID 2232 wrote to memory of 2696	2232	cmd.exe	31
PID 2232 wrote to memory of 2696	2232	cmd.exe	31
PID 2232 wrote to memory of 2768	2232	cmd.exe	33
PID 2232 wrote to memory of 2768	2232	cmd.exe	33
PID 2232 wrote to memory of 2768	2232	cmd.exe	33
PID 2232 wrote to memory of 2708	2232	cmd.exe	34
PID 2232 wrote to memory of 2708	2232	cmd.exe	34
PID 2232 wrote to memory of 2708	2232	cmd.exe	34
PID 2708 wrote to memory of 856	2708	cmd.exe	35
PID 2708 wrote to memory of 856	2708	cmd.exe	35
PID 2708 wrote to memory of 856	2708	cmd.exe	35
PID 2232 wrote to memory of 2688	2232	cmd.exe	36
PID 2232 wrote to memory of 2688	2232	cmd.exe	36
PID 2232 wrote to memory of 2688	2232	cmd.exe	36
PID 2688 wrote to memory of 2684	2688	cmd.exe	37
PID 2688 wrote to memory of 2684	2688	cmd.exe	37
PID 2688 wrote to memory of 2684	2688	cmd.exe	37
PID 2232 wrote to memory of 2576	2232	cmd.exe	38
PID 2232 wrote to memory of 2576	2232	cmd.exe	38
PID 2232 wrote to memory of 2576	2232	cmd.exe	38
PID 2576 wrote to memory of 2628	2576	cmd.exe	39
PID 2576 wrote to memory of 2628	2576	cmd.exe	39
PID 2576 wrote to memory of 2628	2576	cmd.exe	39
PID 2232 wrote to memory of 2512	2232	cmd.exe	40
PID 2232 wrote to memory of 2512	2232	cmd.exe	40
PID 2232 wrote to memory of 2512	2232	cmd.exe	40
PID 2512 wrote to memory of 2524	2512	cmd.exe	41
PID 2512 wrote to memory of 2524	2512	cmd.exe	41
PID 2512 wrote to memory of 2524	2512	cmd.exe	41
PID 2232 wrote to memory of 2532	2232	cmd.exe	42
PID 2232 wrote to memory of 2532	2232	cmd.exe	42
PID 2232 wrote to memory of 2532	2232	cmd.exe	42
PID 2532 wrote to memory of 2544	2532	cmd.exe	43
PID 2532 wrote to memory of 2544	2532	cmd.exe	43
PID 2532 wrote to memory of 2544	2532	cmd.exe	43
PID 2232 wrote to memory of 2556	2232	cmd.exe	44
PID 2232 wrote to memory of 2556	2232	cmd.exe	44
PID 2232 wrote to memory of 2556	2232	cmd.exe	44
PID 2556 wrote to memory of 2584	2556	cmd.exe	45
PID 2556 wrote to memory of 2584	2556	cmd.exe	45
PID 2556 wrote to memory of 2584	2556	cmd.exe	45
PID 2232 wrote to memory of 1588	2232	cmd.exe	46
PID 2232 wrote to memory of 1588	2232	cmd.exe	46
PID 2232 wrote to memory of 1588	2232	cmd.exe	46
PID 2232 wrote to memory of 3016	2232	cmd.exe	49
PID 2232 wrote to memory of 3016	2232	cmd.exe	49
PID 2232 wrote to memory of 3016	2232	cmd.exe	49
PID 2232 wrote to memory of 2400	2232	cmd.exe	50
PID 2232 wrote to memory of 2400	2232	cmd.exe	50
PID 2232 wrote to memory of 2400	2232	cmd.exe	50
PID 2232 wrote to memory of 2500	2232	cmd.exe	51
PID 2232 wrote to memory of 2500	2232	cmd.exe	51
PID 2232 wrote to memory of 2500	2232	cmd.exe	51
PID 2232 wrote to memory of 2800	2232	cmd.exe	52
PID 2232 wrote to memory of 2800	2232	cmd.exe	52
PID 2232 wrote to memory of 2800	2232	cmd.exe	52
PID 2232 wrote to memory of 2384	2232	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Separate-Files-Version\Activators\Check-Activation-Status-vbs.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:1752
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /dli
  2⤵
  PID:2696
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /xpr
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2584
- C:\Windows\System32\cscript.exe
  cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\\ospp.vbs" /dstatus
  2⤵
  PID:1588
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:3016
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2400
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2500
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2800
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit