Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
03-05-2024 07:56
General
-
Target
Windows_Activator_Tool.bat
-
Size
435KB
-
MD5
153799a818cb95fd5803fead4fbe3e7a
-
SHA1
20c374986e4050265de2914c3993f6b22d6de460
-
SHA256
835b99cbe7d16b1020a2b0fd94c356742528e94d66d445401b7057524c86ba3e
-
SHA512
88af58dad86dd07be1f9fdbf6854f05579f2093360da939f52e8fd4c25f7cbbcdef0f1fe95bcedce00e0c88bf6c0a069f44cdb7be4f0b469ea2722d80e7eaa8c
-
SSDEEP
3072:/xdR3S9mud2TrRMP0u+RciNiYbRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0Y5:xbBHu+R7rLo97bJu9p6zGDNS0KROuCC
Malware Config
Signatures
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Windows_Activator_Tool.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc query Null2⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"2⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "Windows_Activator_Tool.bat"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\Windows_Activator_Tool.bat" "2⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"2⤵
-
-
C:\Windows\System32\fltMC.exefltmc2⤵
-
-
C:\Windows\System32\reg.exereg query HKCU\Console /v QuickEdit2⤵
- Modifies registry key
-
-
C:\Windows\System32\find.exefind /i "0x0"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\PING.EXEping -4 -n 1 updatecheck.massgrave.dev3⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "2⤵
-
-
C:\Windows\System32\find.exefind "127.69"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "2⤵
-
-
C:\Windows\System32\find.exefind "127.69.2.5"2⤵
-
-
C:\Windows\System32\findstr.exefindstr /a:CF /f:`.txt "."2⤵
-
-
C:\Windows\System32\findstr.exefindstr /a:0A /f:`.txt "."2⤵
-
-
C:\Windows\System32\choice.exechoice /C:10 /N2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵
-
-
-
C:\Windows\System32\mode.commode 76, 302⤵
-
-
C:\Windows\System32\findstr.exefindstr /a:07 /f:`.txt "."2⤵
-
-
C:\Windows\System32\findstr.exefindstr /a:0A /f:`.txt "."2⤵
-
-
C:\Windows\System32\choice.exechoice /C:123456780 /N2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Go back..."'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD57a87d1fd6053a476054efa3f836e8c62
SHA1f161c19c89074ebbdf56376da3aacd7b234fe01d
SHA256ee7235deda8a17f2def7c5e03f8e330c2b6b4114cfad298c761d0a5363ad9f42
SHA5128196a39a78261b8969469459c4a1d71af658abc7a6df47e3259d348be11f19ec85b31a32457fbe7a951b980e991ef1c55506ee1ae39c0c3933235c75846df16c
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
22B
MD501950d578d2bae1bd8f00614ed09cc93
SHA1391b21607268c53b8276665327c0dee2fffca56d
SHA2562db112c56e1ae46984f47a9ec720211918e5b2f39a184dc39c5cbaa3e861350c
SHA512b6f71ea8f7f7a86cc2c705b19ade68107a4c84b260031cddd8fef1d99cd4a4e1c00953e8e47da0cf206990cf987ab6124c75de7c9221cbf0f69497aebe1b86fd
-
Filesize
50B
MD5b8e3e3d17eceba3eace475f10eef223f
SHA1e188d9295866e55ccea038e2c0c9857cc8e5e676
SHA256923eadd4871d5293c5ac6864a210ac0db3662e357c5301989b795281be9991fa
SHA512c884bdf07ca17dfad561987c0d5581c842a7360a14eace537c6a8fdfeab2c0704a6405ea21486c6fa15d6fe2afd7473584cbe772d00a0ea872522e90fdbc2d1f
-
Filesize
17B
MD5c48de30a6d93de10929a00f17d725a24
SHA1002e95b585f523b9f1dab14bdad2729032b1a81a
SHA25696ba30bf853b79cd26e5399db76def0f6be3c936fc1263232937fbc8a0c8c5b5
SHA5128657c3448c231484a7354b5bbf1cbc0377d0f49841baa67fdb8e6d162274470fa6128160209e9ee2d286172f0156aca0ab9a6440f4d5d69cab56612b4bc53b12
-
Filesize
64B
MD577d46f20e0040efbb88b3546e07ca3bc
SHA1e96b144bd7bc5b26cb9adf58399353223d10f404
SHA2564be35005732a8f6ca965235189ed6934bf6a4e3ba7c4e44f4291ed41752ec34c
SHA5126fcd8a48a149b453459e35337c277ebb87a09bdcb899bdfeadf588ff3729b4f09edbb94213f99fda012f5f96a65cd21ac43de997b0391d6bf93795efe2e9acde
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB