00a99203103cd7e8bbe31a00141b2d487d7834492f62a26f0242d0f153e167d5

Analysis

max time kernel
1585s
max time network
1587s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
09/03/2024, 15:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Pida Software Microsoft Original/ActivadorWindows/KMS_VL_ALL-44/AutoRenewal-Setup.cmd
Size

17KB
MD5

b9590b32f11fa467938518bad08b66f0
SHA1

6a3c0317ea5507277e9d647356f035d666bece37
SHA256

4b7e16ba61987144e3d7b70d26a0d11a8238182b57ef894b57da974a2e8f3b32
SHA512

1f844c68c629366a1846354ace946f980822d603fc95ca99842d9c15991fd0e6d7462f1c42bc0383fdd5e01e13096c4540c379e9c2179ddaf4ada26fe699a063
SSDEEP

192:DLQ2a8/OdklwOoPG8JEjMoRqrEVR+tqPHzH39G1n95g8GzUrb2IWtVOJsSCBsSUS:DXO7Jl079G1n9ZGQXEVOJsSEsSUr2

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4320	sc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2736	4044	cmd.exe	74
PID 4044 wrote to memory of 2736	4044	cmd.exe	74
PID 4044 wrote to memory of 4212	4044	cmd.exe	75
PID 4044 wrote to memory of 4212	4044	cmd.exe	75
PID 4044 wrote to memory of 4612	4044	cmd.exe	76
PID 4044 wrote to memory of 4612	4044	cmd.exe	76
PID 4044 wrote to memory of 4924	4044	cmd.exe	77
PID 4044 wrote to memory of 4924	4044	cmd.exe	77
PID 4924 wrote to memory of 1848	4924	cmd.exe	78
PID 4924 wrote to memory of 1848	4924	cmd.exe	78
PID 4044 wrote to memory of 3468	4044	cmd.exe	79
PID 4044 wrote to memory of 3468	4044	cmd.exe	79
PID 4044 wrote to memory of 2688	4044	cmd.exe	80
PID 4044 wrote to memory of 2688	4044	cmd.exe	80
PID 4044 wrote to memory of 4320	4044	cmd.exe	81
PID 4044 wrote to memory of 4320	4044	cmd.exe	81
PID 4044 wrote to memory of 4584	4044	cmd.exe	82
PID 4044 wrote to memory of 4584	4044	cmd.exe	82
PID 4044 wrote to memory of 3656	4044	cmd.exe	83
PID 4044 wrote to memory of 3656	4044	cmd.exe	83
PID 4044 wrote to memory of 4700	4044	cmd.exe	84
PID 4044 wrote to memory of 4700	4044	cmd.exe	84
PID 4044 wrote to memory of 3984	4044	cmd.exe	85
PID 4044 wrote to memory of 3984	4044	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Pida Software Microsoft Original\ActivadorWindows\KMS_VL_ALL-44\AutoRenewal-Setup.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\cmd.exe
  cmd /v:on /c echo(^!param^!
  2⤵
  PID:2736
- C:\Windows\System32\findstr.exe
  findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
  2⤵
  PID:4212
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:2688
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:4320
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:4584
- C:\Windows\System32\mode.com
  mode con cols=100 lines=28
  2⤵
  PID:3656
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /v VerifierFlags
  2⤵
  PID:4700
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags
  2⤵
  PID:3984

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads