1e8c6814c4393f9e8a5360a3b4350fc8001b3b88888f2f44145799ad0aebe317

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

activate_windows.cmd
Size

338KB
MD5

9f16e67331b23e172c286174b0ab627e
SHA1

01149b72be3fd15cb9bdd0a6530715a08f0d2172
SHA256

4225a09ba8abc13f9073ccbb9d8e60c469526d62332eff5e1abe95eb1a9c4386
SHA512

b2630bf59e16b8fa4f0b31635fbf34770035b749a07d19a6456bfb51e2db293c219af6ed12e590685509d44cab8a6d781421b0740d408102ad22ce9c914e97b3
SSDEEP

3072:c3BTxa/P13savRbguAMTVFp6zGDNSOE2K5zxMt7EOGJGiA7GU:c9xaVfbgu9p6zGDNSoKZxMF7D

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2864	2956	cmd.exe	29
PID 2956 wrote to memory of 2864	2956	cmd.exe	29
PID 2956 wrote to memory of 2864	2956	cmd.exe	29
PID 2956 wrote to memory of 2896	2956	cmd.exe	30
PID 2956 wrote to memory of 2896	2956	cmd.exe	30
PID 2956 wrote to memory of 2896	2956	cmd.exe	30
PID 2956 wrote to memory of 2908	2956	cmd.exe	31
PID 2956 wrote to memory of 2908	2956	cmd.exe	31
PID 2956 wrote to memory of 2908	2956	cmd.exe	31
PID 2956 wrote to memory of 3004	2956	cmd.exe	32
PID 2956 wrote to memory of 3004	2956	cmd.exe	32
PID 2956 wrote to memory of 3004	2956	cmd.exe	32
PID 2956 wrote to memory of 3000	2956	cmd.exe	33
PID 2956 wrote to memory of 3000	2956	cmd.exe	33
PID 2956 wrote to memory of 3000	2956	cmd.exe	33
PID 2956 wrote to memory of 3016	2956	cmd.exe	34
PID 2956 wrote to memory of 3016	2956	cmd.exe	34
PID 2956 wrote to memory of 3016	2956	cmd.exe	34
PID 2956 wrote to memory of 2828	2956	cmd.exe	35
PID 2956 wrote to memory of 2828	2956	cmd.exe	35
PID 2956 wrote to memory of 2828	2956	cmd.exe	35
PID 2828 wrote to memory of 2544	2828	cmd.exe	36
PID 2828 wrote to memory of 2544	2828	cmd.exe	36
PID 2828 wrote to memory of 2544	2828	cmd.exe	36
PID 2956 wrote to memory of 2852	2956	cmd.exe	37
PID 2956 wrote to memory of 2852	2956	cmd.exe	37
PID 2956 wrote to memory of 2852	2956	cmd.exe	37
PID 2956 wrote to memory of 2964	2956	cmd.exe	38
PID 2956 wrote to memory of 2964	2956	cmd.exe	38
PID 2956 wrote to memory of 2964	2956	cmd.exe	38
PID 2956 wrote to memory of 1884	2956	cmd.exe	39
PID 2956 wrote to memory of 1884	2956	cmd.exe	39
PID 2956 wrote to memory of 1884	2956	cmd.exe	39
PID 2956 wrote to memory of 2512	2956	cmd.exe	40
PID 2956 wrote to memory of 2512	2956	cmd.exe	40
PID 2956 wrote to memory of 2512	2956	cmd.exe	40

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\activate_windows.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "activate_windows.cmd"
  2⤵
  PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\activate_windows.cmd" "
  2⤵
  PID:3004
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:3000
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2544
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:2852
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:2964
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1884
- C:\Windows\System32\choice.exe
  choice /C:12345670 /N
  2⤵
  PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\`.txt

Filesize
17B

MD5
c48de30a6d93de10929a00f17d725a24

SHA1
002e95b585f523b9f1dab14bdad2729032b1a81a

SHA256
96ba30bf853b79cd26e5399db76def0f6be3c936fc1263232937fbc8a0c8c5b5

SHA512
8657c3448c231484a7354b5bbf1cbc0377d0f49841baa67fdb8e6d162274470fa6128160209e9ee2d286172f0156aca0ab9a6440f4d5d69cab56612b4bc53b12

Download Submit
C:\Windows\Temp\`.txt

Filesize
62B

MD5
2c7b6b4fb83355d67c687bbe9b3005b8

SHA1
9af58ce89b34bb1de7dd47099360189c1de72e32

SHA256
eacf27ffb228c9b4c478b41d667c3727d9175c7a1c14ca1e508e3d885a452cc2

SHA512
494091f510411e51e50775809923ed62e19b19389c6b148c9776c8a69a611436a357bfe8ce4da5b660feb6a2338c180d9515706a9738245bd2301ded87108ba9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads