6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2023, 06:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Separate-Files-Version/Activators/Check-Activation-Status-vbs.cmd
Size

6KB
MD5

b568aff717984da1f7c8b9cf522fb1e8
SHA1

c00cd43aa95e8221b8ee6a9e758eb7b128139997
SHA256

77ba40dcde775f0a7fb46182296a5b8f5f1150ed81d0759561f2100727344bc8
SHA512

a5648a0af05acc36601208c97f572e09a74065a7b4f2e1d4c333da842c3aa46917e03e464422fa7f4134b90937048380c2699eaddf39f71fe2c9092c2d08c248
SSDEEP

192:BDO0diZIZazZ9VZ5jZfuZcQZ0pZfSy9C/sC/QiO4TEoz6t9+r4:BO0d+IZad3Z5tficE0rfSyo/h/QiO4Ti

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
544	reg.exe
4924	reg.exe
4256	reg.exe
3400	reg.exe
1720	reg.exe
2316	reg.exe
716	reg.exe
4300	reg.exe
1004	reg.exe
3976	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1232	2396	cmd.exe	84
PID 2396 wrote to memory of 1232	2396	cmd.exe	84
PID 1232 wrote to memory of 3888	1232	net.exe	85
PID 1232 wrote to memory of 3888	1232	net.exe	85
PID 2396 wrote to memory of 1956	2396	cmd.exe	86
PID 2396 wrote to memory of 1956	2396	cmd.exe	86
PID 2396 wrote to memory of 3168	2396	cmd.exe	91
PID 2396 wrote to memory of 3168	2396	cmd.exe	91
PID 2396 wrote to memory of 3272	2396	cmd.exe	92
PID 2396 wrote to memory of 3272	2396	cmd.exe	92
PID 3272 wrote to memory of 544	3272	cmd.exe	93
PID 3272 wrote to memory of 544	3272	cmd.exe	93
PID 2396 wrote to memory of 2700	2396	cmd.exe	94
PID 2396 wrote to memory of 2700	2396	cmd.exe	94
PID 2700 wrote to memory of 2316	2700	cmd.exe	95
PID 2700 wrote to memory of 2316	2700	cmd.exe	95
PID 2396 wrote to memory of 1696	2396	cmd.exe	96
PID 2396 wrote to memory of 1696	2396	cmd.exe	96
PID 1696 wrote to memory of 4924	1696	cmd.exe	97
PID 1696 wrote to memory of 4924	1696	cmd.exe	97
PID 2396 wrote to memory of 3196	2396	cmd.exe	98
PID 2396 wrote to memory of 3196	2396	cmd.exe	98
PID 3196 wrote to memory of 716	3196	cmd.exe	99
PID 3196 wrote to memory of 716	3196	cmd.exe	99
PID 2396 wrote to memory of 2788	2396	cmd.exe	100
PID 2396 wrote to memory of 2788	2396	cmd.exe	100
PID 2788 wrote to memory of 4256	2788	cmd.exe	101
PID 2788 wrote to memory of 4256	2788	cmd.exe	101
PID 2396 wrote to memory of 1500	2396	cmd.exe	102
PID 2396 wrote to memory of 1500	2396	cmd.exe	102
PID 1500 wrote to memory of 4300	1500	cmd.exe	103
PID 1500 wrote to memory of 4300	1500	cmd.exe	103
PID 2396 wrote to memory of 1004	2396	cmd.exe	104
PID 2396 wrote to memory of 1004	2396	cmd.exe	104
PID 2396 wrote to memory of 4476	2396	cmd.exe	105
PID 2396 wrote to memory of 4476	2396	cmd.exe	105
PID 4476 wrote to memory of 3400	4476	cmd.exe	106
PID 4476 wrote to memory of 3400	4476	cmd.exe	106
PID 2396 wrote to memory of 1576	2396	cmd.exe	107
PID 2396 wrote to memory of 1576	2396	cmd.exe	107
PID 2396 wrote to memory of 4044	2396	cmd.exe	111
PID 2396 wrote to memory of 4044	2396	cmd.exe	111
PID 4044 wrote to memory of 3976	4044	cmd.exe	112
PID 4044 wrote to memory of 3976	4044	cmd.exe	112
PID 2396 wrote to memory of 1720	2396	cmd.exe	113
PID 2396 wrote to memory of 1720	2396	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Separate-Files-Version\Activators\Check-Activation-Status-vbs.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:3888
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /dli
  2⤵
  PID:1956
- C:\Windows\System32\cscript.exe
  cscript //nologo slmgr.vbs /xpr
  2⤵
  PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4300
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:3400
- C:\Windows\System32\cscript.exe
  cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
  2⤵
  PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:3976
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
139KB

MD5
3903bcab32a4a853dfa54962112d4d02

SHA1
ba6433fba48797cd43463441358004ac81b76a8b

SHA256
95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816

SHA512
db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a

Download Submit