533e16e27044e4b3373290f23ffac3863481747bca5ae9de31c3b84396dee4e0

Resubmissions

24/06/2024, 11:07

240624-m7yelayeqa 7

24/06/2024, 11:04

240624-m6b5zasdpm 7

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAS_AIO-CRC32_31F7FD1E.cmd
Size

438KB
MD5

88d518ea04598e056440635851ba61db
SHA1

22c62949a561e0172a8c1a870862cd7b64d09738
SHA256

533e16e27044e4b3373290f23ffac3863481747bca5ae9de31c3b84396dee4e0
SHA512

45af822ee9565a9962e6bcbfce93c31f15eaa39bad3bc6a97791366ec9547011c2ff933411d8b883ef54367dcc3588a1a737d63f1a528dedc1cdc98ab4aedecf
SSDEEP

3072:M/dR3S9mF2TJRMP0u+RciNiYFRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0xOn:KAnHu+R7VLo97bJu9p6zGDNS0KgOuCV

Score

4^/10

Malware Config

Signatures

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3016	sc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2620	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2612	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2988	powershell.exe
320	powershell.exe
1852	powershell.exe
1244	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3016	2996	cmd.exe	29
PID 2996 wrote to memory of 3016	2996	cmd.exe	29
PID 2996 wrote to memory of 3016	2996	cmd.exe	29
PID 2996 wrote to memory of 2504	2996	cmd.exe	30
PID 2996 wrote to memory of 2504	2996	cmd.exe	30
PID 2996 wrote to memory of 2504	2996	cmd.exe	30
PID 2996 wrote to memory of 1720	2996	cmd.exe	31
PID 2996 wrote to memory of 1720	2996	cmd.exe	31
PID 2996 wrote to memory of 1720	2996	cmd.exe	31
PID 2996 wrote to memory of 3028	2996	cmd.exe	32
PID 2996 wrote to memory of 3028	2996	cmd.exe	32
PID 2996 wrote to memory of 3028	2996	cmd.exe	32
PID 2996 wrote to memory of 2188	2996	cmd.exe	33
PID 2996 wrote to memory of 2188	2996	cmd.exe	33
PID 2996 wrote to memory of 2188	2996	cmd.exe	33
PID 2996 wrote to memory of 2552	2996	cmd.exe	34
PID 2996 wrote to memory of 2552	2996	cmd.exe	34
PID 2996 wrote to memory of 2552	2996	cmd.exe	34
PID 2996 wrote to memory of 2556	2996	cmd.exe	35
PID 2996 wrote to memory of 2556	2996	cmd.exe	35
PID 2996 wrote to memory of 2556	2996	cmd.exe	35
PID 2996 wrote to memory of 2616	2996	cmd.exe	36
PID 2996 wrote to memory of 2616	2996	cmd.exe	36
PID 2996 wrote to memory of 2616	2996	cmd.exe	36
PID 2996 wrote to memory of 2620	2996	cmd.exe	37
PID 2996 wrote to memory of 2620	2996	cmd.exe	37
PID 2996 wrote to memory of 2620	2996	cmd.exe	37
PID 2996 wrote to memory of 2640	2996	cmd.exe	38
PID 2996 wrote to memory of 2640	2996	cmd.exe	38
PID 2996 wrote to memory of 2640	2996	cmd.exe	38
PID 2996 wrote to memory of 2684	2996	cmd.exe	39
PID 2996 wrote to memory of 2684	2996	cmd.exe	39
PID 2996 wrote to memory of 2684	2996	cmd.exe	39
PID 2684 wrote to memory of 2612	2684	cmd.exe	40
PID 2684 wrote to memory of 2612	2684	cmd.exe	40
PID 2684 wrote to memory of 2612	2684	cmd.exe	40
PID 2996 wrote to memory of 2872	2996	cmd.exe	41
PID 2996 wrote to memory of 2872	2996	cmd.exe	41
PID 2996 wrote to memory of 2872	2996	cmd.exe	41
PID 2996 wrote to memory of 2420	2996	cmd.exe	42
PID 2996 wrote to memory of 2420	2996	cmd.exe	42
PID 2996 wrote to memory of 2420	2996	cmd.exe	42
PID 2996 wrote to memory of 2192	2996	cmd.exe	43
PID 2996 wrote to memory of 2192	2996	cmd.exe	43
PID 2996 wrote to memory of 2192	2996	cmd.exe	43
PID 2996 wrote to memory of 2524	2996	cmd.exe	44
PID 2996 wrote to memory of 2524	2996	cmd.exe	44
PID 2996 wrote to memory of 2524	2996	cmd.exe	44
PID 2996 wrote to memory of 2700	2996	cmd.exe	45
PID 2996 wrote to memory of 2700	2996	cmd.exe	45
PID 2996 wrote to memory of 2700	2996	cmd.exe	45
PID 2700 wrote to memory of 2676	2700	cmd.exe	46
PID 2700 wrote to memory of 2676	2700	cmd.exe	46
PID 2700 wrote to memory of 2676	2700	cmd.exe	46
PID 2996 wrote to memory of 2448	2996	cmd.exe	47
PID 2996 wrote to memory of 2448	2996	cmd.exe	47
PID 2996 wrote to memory of 2448	2996	cmd.exe	47
PID 2996 wrote to memory of 2856	2996	cmd.exe	48
PID 2996 wrote to memory of 2856	2996	cmd.exe	48
PID 2996 wrote to memory of 2856	2996	cmd.exe	48
PID 2996 wrote to memory of 1968	2996	cmd.exe	49
PID 2996 wrote to memory of 1968	2996	cmd.exe	49
PID 2996 wrote to memory of 1968	2996	cmd.exe	49
PID 2996 wrote to memory of 2488	2996	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:3016
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:2504
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO-CRC32_31F7FD1E.cmd"
  2⤵
  PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  2⤵
  PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_31F7FD1E.cmd" "
  2⤵
  PID:2552
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2556
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2616
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  - Modifies registry key
  PID:2620
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\System32\PING.EXE
    ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    - Runs ping.exe
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
  2⤵
  PID:2872
- C:\Windows\System32\find.exe
  find "127.69"
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
  2⤵
  PID:2192
- C:\Windows\System32\find.exe
  find "127.69.2.6"
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2676
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:2448
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:2856
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1968
- C:\Windows\System32\choice.exe
  choice /C:123456780 /N
  2⤵
  PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Go back..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:2784
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:2804
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:2740
- C:\Windows\System32\choice.exe
  choice /C:123456780 /N
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Go back..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:564
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:1176
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1092
- C:\Windows\System32\choice.exe
  choice /C:123456780 /N
  2⤵
  PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5919669a2ac4fefc1dd442ca98298d6

SHA1
24e7eef7d28849c417039a33022deeee27239c84

SHA256
1af030c893f632f4e3fd882fb708b8d42bf18d4f159bb2550de654e112bcb42b

SHA512
c7e7b681cd44b492b0891455b24b6a29f0dad0faf50b52a68b5570bfb20049263b5848ed7fef8c59684449931381932920fc18fb235e0854355f88d5d243f46a

Download Submit
C:\Windows\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\`.txt

Filesize
17B

MD5
c48de30a6d93de10929a00f17d725a24

SHA1
002e95b585f523b9f1dab14bdad2729032b1a81a

SHA256
96ba30bf853b79cd26e5399db76def0f6be3c936fc1263232937fbc8a0c8c5b5

SHA512
8657c3448c231484a7354b5bbf1cbc0377d0f49841baa67fdb8e6d162274470fa6128160209e9ee2d286172f0156aca0ab9a6440f4d5d69cab56612b4bc53b12

Download Submit
C:\Windows\Temp\`.txt

Filesize
64B

MD5
77d46f20e0040efbb88b3546e07ca3bc

SHA1
e96b144bd7bc5b26cb9adf58399353223d10f404

SHA256
4be35005732a8f6ca965235189ed6934bf6a4e3ba7c4e44f4291ed41752ec34c

SHA512
6fcd8a48a149b453459e35337c277ebb87a09bdcb899bdfeadf588ff3729b4f09edbb94213f99fda012f5f96a65cd21ac43de997b0391d6bf93795efe2e9acde

Download Submit
memory/320-17-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/320-18-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2988-10-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-11-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download