11257ff8e758655e4f14aa8a3ecf311d06b62e88518e6d09ffedafcb5aa9af93

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 20:18

Target

Microsoft-Activation-Scripts-2.1/MAS/Separate-Files-Version/Activators/KMS38_Activation.cmd
Size

54KB
MD5

c7dd86ca65b29d803226e7f2015dfb33
SHA1

b36327ca594af82d4556e79f534ef02c8c2a43f4
SHA256

d34d99de310658b4c6421362bc76e1a90e51e85ea74e186fd5b2e731e1d44536
SHA512

82f4012a0f759d8cdd2ea6463bfdde97ecbd159e0ea09d94e440109f50111dbee4dce6bfc87f6061a7d75f1fd7b7a10d42be76b0ec3fdf9084bedc5007959b93
SSDEEP

1536:xD83yqy0xDKGo6nNm85Yu341Em0Iy+lVTt3rA6s:xY3s/15jvg

Score

4^/10

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2904	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2904	2112	cmd.exe	31
PID 2112 wrote to memory of 2904	2112	cmd.exe	31
PID 2112 wrote to memory of 2904	2112	cmd.exe	31
PID 2112 wrote to memory of 2912	2112	cmd.exe	32
PID 2112 wrote to memory of 2912	2112	cmd.exe	32
PID 2112 wrote to memory of 2912	2112	cmd.exe	32
PID 2112 wrote to memory of 2972	2112	cmd.exe	33
PID 2112 wrote to memory of 2972	2112	cmd.exe	33
PID 2112 wrote to memory of 2972	2112	cmd.exe	33
PID 2112 wrote to memory of 2988	2112	cmd.exe	34
PID 2112 wrote to memory of 2988	2112	cmd.exe	34
PID 2112 wrote to memory of 2988	2112	cmd.exe	34
PID 2112 wrote to memory of 2984	2112	cmd.exe	35
PID 2112 wrote to memory of 2984	2112	cmd.exe	35
PID 2112 wrote to memory of 2984	2112	cmd.exe	35
PID 2112 wrote to memory of 2788	2112	cmd.exe	36
PID 2112 wrote to memory of 2788	2112	cmd.exe	36
PID 2112 wrote to memory of 2788	2112	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-2.1\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2904
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:2912
- C:\Windows\System32\findstr.exe
  findstr /v "$" "KMS38_Activation.cmd"
  2⤵
  PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Exit..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ebda177c59442bcff0a13cc957a84a1c

SHA1
b39f3ec43af9543e6b893deef66f06c16bbe850c

SHA256
f6ea8eba177dba36a10be8ab19bf75d57339989ad49439831d82a9d97ac32828

SHA512
46a9fc403ef6ad139b0c6f00c23d9cba03863904d9da4fee97363888c875ae6eac57cf49c5ad874a92b12501338602154f2547a668627dfc1298ab7f96262ae4

Download Submit
memory/2788-18-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2788-19-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2984-4-0x000007FEF5CFE000-0x000007FEF5CFF000-memory.dmp

Filesize
4KB

Download
memory/2984-6-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-8-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-9-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-7-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2984-10-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-11-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-12-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download