6a33a7755cea94bdc8527df33b1e5e238c26a478c50c294387ab603ce7544729

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAS_AIO-CRC32_8B16F764.cmd
Size

438KB
MD5

85d6b9f9cffa62fd7eb22954568a7d9a
SHA1

8c871d7aae9430ae72aa091988e622f14dc31d59
SHA256

6a33a7755cea94bdc8527df33b1e5e238c26a478c50c294387ab603ce7544729
SHA512

30cf6abff4fe1218967d99dd2828698ebf93ed8a9c5d94c601cfb08b3ec20fdabc34b657e4d1ac2570d75247927b886905410b927167f7ac91483a2a8a2684a8
SSDEEP

3072:ZddR3S9mF2TJRMP0u+RciNiYFRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0xOn:XAnHu+R7VLo97bJu9p6zGDNS0KgOuCV

Score

4^/10

Malware Config

Signatures

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2780	sc.exe
3640	sc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1948	reg.exe
4488	reg.exe
1704	reg.exe
1340	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4400	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 2780	3696	cmd.exe	82
PID 3696 wrote to memory of 2780	3696	cmd.exe	82
PID 3696 wrote to memory of 4812	3696	cmd.exe	83
PID 3696 wrote to memory of 4812	3696	cmd.exe	83
PID 3696 wrote to memory of 4600	3696	cmd.exe	84
PID 3696 wrote to memory of 4600	3696	cmd.exe	84
PID 3696 wrote to memory of 3728	3696	cmd.exe	85
PID 3696 wrote to memory of 3728	3696	cmd.exe	85
PID 3696 wrote to memory of 3608	3696	cmd.exe	86
PID 3696 wrote to memory of 3608	3696	cmd.exe	86
PID 3696 wrote to memory of 2740	3696	cmd.exe	87
PID 3696 wrote to memory of 2740	3696	cmd.exe	87
PID 3696 wrote to memory of 1372	3696	cmd.exe	88
PID 3696 wrote to memory of 1372	3696	cmd.exe	88
PID 1372 wrote to memory of 2168	1372	cmd.exe	89
PID 1372 wrote to memory of 2168	1372	cmd.exe	89
PID 1372 wrote to memory of 2044	1372	cmd.exe	90
PID 1372 wrote to memory of 2044	1372	cmd.exe	90
PID 3696 wrote to memory of 3128	3696	cmd.exe	91
PID 3696 wrote to memory of 3128	3696	cmd.exe	91
PID 3696 wrote to memory of 1632	3696	cmd.exe	92
PID 3696 wrote to memory of 1632	3696	cmd.exe	92
PID 3696 wrote to memory of 2052	3696	cmd.exe	93
PID 3696 wrote to memory of 2052	3696	cmd.exe	93
PID 3696 wrote to memory of 1948	3696	cmd.exe	94
PID 3696 wrote to memory of 1948	3696	cmd.exe	94
PID 3696 wrote to memory of 4592	3696	cmd.exe	95
PID 3696 wrote to memory of 4592	3696	cmd.exe	95
PID 3696 wrote to memory of 4488	3696	cmd.exe	96
PID 3696 wrote to memory of 4488	3696	cmd.exe	96
PID 3696 wrote to memory of 632	3696	cmd.exe	97
PID 3696 wrote to memory of 632	3696	cmd.exe	97
PID 632 wrote to memory of 1704	632	cmd.exe	100
PID 632 wrote to memory of 1704	632	cmd.exe	100
PID 632 wrote to memory of 3640	632	cmd.exe	101
PID 632 wrote to memory of 3640	632	cmd.exe	101
PID 632 wrote to memory of 3952	632	cmd.exe	102
PID 632 wrote to memory of 3952	632	cmd.exe	102
PID 632 wrote to memory of 3944	632	cmd.exe	103
PID 632 wrote to memory of 3944	632	cmd.exe	103
PID 632 wrote to memory of 3412	632	cmd.exe	105
PID 632 wrote to memory of 3412	632	cmd.exe	105
PID 632 wrote to memory of 4620	632	cmd.exe	106
PID 632 wrote to memory of 4620	632	cmd.exe	106
PID 632 wrote to memory of 3208	632	cmd.exe	107
PID 632 wrote to memory of 3208	632	cmd.exe	107
PID 632 wrote to memory of 3416	632	cmd.exe	109
PID 632 wrote to memory of 3416	632	cmd.exe	109
PID 632 wrote to memory of 780	632	cmd.exe	110
PID 632 wrote to memory of 780	632	cmd.exe	110
PID 632 wrote to memory of 4768	632	cmd.exe	112
PID 632 wrote to memory of 4768	632	cmd.exe	112
PID 4768 wrote to memory of 1748	4768	cmd.exe	113
PID 4768 wrote to memory of 1748	4768	cmd.exe	113
PID 4768 wrote to memory of 768	4768	cmd.exe	114
PID 4768 wrote to memory of 768	4768	cmd.exe	114
PID 632 wrote to memory of 4372	632	cmd.exe	115
PID 632 wrote to memory of 4372	632	cmd.exe	115
PID 632 wrote to memory of 868	632	cmd.exe	116
PID 632 wrote to memory of 868	632	cmd.exe	116
PID 632 wrote to memory of 1672	632	cmd.exe	117
PID 632 wrote to memory of 1672	632	cmd.exe	117
PID 632 wrote to memory of 1340	632	cmd.exe	118
PID 632 wrote to memory of 1340	632	cmd.exe	118

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_8B16F764.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:4812
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO-CRC32_8B16F764.cmd"
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3728
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3608
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:2168
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_8B16F764.cmd" "
  2⤵
  PID:3128
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:1632
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2052
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  - Modifies registry key
  PID:1948
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4592
- C:\Windows\System32\reg.exe
  reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
  2⤵
  - Modifies registry key
  PID:4488
- C:\Windows\System32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_8B16F764.cmd" -qedit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
    3⤵
    - Modifies registry key
    PID:1704
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:3640
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:3952
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_AIO-CRC32_8B16F764.cmd"
    3⤵
    PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:3412
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3208
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3416
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:1748
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_8B16F764.cmd" "
    3⤵
    PID:4372
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:868
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:1672
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:1340
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    PID:844
  - - C:\Windows\System32\PING.EXE
      ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      Runs ping.exe
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    3⤵
    PID:3680
- - C:\Windows\System32\find.exe
    find "127.69"
    3⤵
    PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
    3⤵
    PID:1392
- - C:\Windows\System32\find.exe
    find "127.69.2.6"
    3⤵
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:2784
- - C:\Windows\System32\find.exe
    find /i "/S"
    3⤵
    PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
    3⤵
    PID:4260
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2696
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:3488
- - C:\Windows\System32\mode.com
    mode 76, 30
    3⤵
    PID:1096
- - C:\Windows\System32\choice.exe
    choice /C:123456780 /N
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...