Overview

overview

1

Static

static

1

Activation.cmd

windows10-2004-x64

1

Analysis

  • max time kernel
    557s
  • max time network
    475s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 20:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Activation.cmd

  • Size

    22KB

  • MD5

    0956bff498b95698c5c5832929450c52

  • SHA1

    011d7ed5662e9f83b7634e37c343760a8e681946

  • SHA256

    39d8e8864bffd66e9dfb9dbde800bab761bba47c7c7007d50a7b37d80d5cd58d

  • SHA512

    e34555cb3de22d05a5d8e7dfcbc7e1eda2e6e2a0e5ec4ad22911d2557f68ae29f31cde834d09deb41c756c1de7103d638bdb194b2e23891d2a77d6f3fa66fb0f

  • SSDEEP

    384:E3739dR2Mv3+CpahCTu7bPUH3gPZ5SAJs:ELrR2Mv3+CpahC6nMH3gP63

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activation.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
        PID:3604
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
          3⤵
            PID:5108
          • C:\Windows\System32\cmd.exe
            cmd
            3⤵
              PID:1956
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Windows\System32\reg.exe
              reg query "HKCU\Software\DownloadManager" /v ExePath
              3⤵
                PID:3372
            • C:\Windows\System32\reg.exe
              reg query HKU\S-1-5-19
              2⤵
                PID:1892
              • C:\Windows\System32\reg.exe
                reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
                2⤵
                • Checks processor information in registry
                PID:4044
              • C:\Windows\System32\find.exe
                find /i "x86"
                2⤵
                  PID:4964
                • C:\Windows\System32\mode.com
                  mode 90, 30
                  2⤵
                    PID:3884
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4984
                    • C:\Windows\System32\reg.exe
                      reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
                      3⤵
                      • Modifies registry key
                      PID:640
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3064
                    • C:\Windows\System32\reg.exe
                      reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
                      3⤵
                      • Modifies registry key
                      PID:716
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2724
                    • C:\Windows\System32\reg.exe
                      reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
                      3⤵
                      • Modifies registry key
                      PID:2828
                  • C:\Windows\System32\choice.exe
                    choice /C:123456 /N
                    2⤵
                      PID:4268
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                    1⤵
                      PID:4508
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:928

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
                            Filesize

                            16KB

                            MD5

                            adaaa1cc681d9b6bff1c5f70c9ca5f44

                            SHA1

                            cf7ff8bd1690a88a5daf2b45bc6ff9691e4268fb

                            SHA256

                            8367d5a6b8fb77b3cea62e6d29bab649ffc26e2be7b4b016afa38dc58e95d2e5

                            SHA512

                            8ba5509876ff1b9b7a8a719bca9a22c2909d0a9a10c93540d4bc5bb92826f06b9f81e6ead6f16185e29c2ceb975d6dc81f4a35262ed156791873da4a24644930

                            Download Submit

                          • memory/928-40-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-42-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-33-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-34-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-35-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-36-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-37-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-38-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-39-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-43-0x0000021B6D770000-0x0000021B6D771000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-32-0x0000021B6DB20000-0x0000021B6DB21000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-41-0x0000021B6DB50000-0x0000021B6DB51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-0-0x0000021B65440000-0x0000021B65450000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/928-44-0x0000021B6D760000-0x0000021B6D761000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-46-0x0000021B6D770000-0x0000021B6D771000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-49-0x0000021B6D760000-0x0000021B6D761000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-52-0x0000021B6D6A0000-0x0000021B6D6A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-16-0x0000021B65540000-0x0000021B65550000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/928-64-0x0000021B6D8A0000-0x0000021B6D8A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-66-0x0000021B6D8B0000-0x0000021B6D8B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-67-0x0000021B6D8B0000-0x0000021B6D8B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/928-68-0x0000021B6D9C0000-0x0000021B6D9C1000-memory.dmp

                            Filesize

                            4KB

                            Download