Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21/11/2024, 08:52
General
-
Target
IAS.cmd
-
Size
31KB
-
MD5
e2e2b6fb84ed23b2950f26939c36fdf5
-
SHA1
7988b5c71397db6fc4a611a54f7d5622eef73f40
-
SHA256
e06c490758709eff468df8f8afda86b8411758fd93ee16e14e6153de5ee933e2
-
SHA512
70a14feca5efc2e699ab9f190fd508cf5aab0daa5c8447ac06f7da0b1cb32bd1781b5fa91440483b2fb4eac10ebd611b28e582ee364d2681bb131eee1fb9aeaf
-
SSDEEP
384:mNnhCo3piIUTUq5rrQmJbnl7+qK14TEJYab:mNn/ZiBAq5rrQmFl7G4gJYab
Score
6/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 5 IoCs
-
Modifies registry key 1 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\IAS.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc query Null2⤵
- Launches sc.exe
-
-
C:\Windows\System32\find.exefind /i "RUNNING"2⤵
-
-
C:\Windows\System32\findstr.exefindstr /v "$" "IAS.cmd"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\IAS.cmd" "2⤵
-
-
C:\Windows\System32\find.exefind /i "C:\Users\Admin\AppData\Local\Temp"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\IAS.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\find.exefind /i "FullLanguage"2⤵
-
-
C:\Windows\System32\fltMC.exefltmc2⤵
-
-
C:\Windows\System32\reg.exereg query HKCU\Console /v QuickEdit2⤵
- Modifies registry key
-
-
C:\Windows\System32\find.exefind /i "0x0"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\PING.EXEping -4 -n 1 iasupdatecheck.massgrave.dev3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\find.exefind /i "computersystem"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\reg.exereg query HKU\\Software2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software2⤵
-
-
C:\Windows\System32\reg.exereg delete HKCU\IAS_TEST /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg delete HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\IAS_TEST /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\IAS_TEST2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\IAS_TEST2⤵
-
-
C:\Windows\System32\reg.exereg delete HKCU\IAS_TEST /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg delete HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\IAS_TEST /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE2⤵
-
C:\Windows\System32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\DownloadManager" /v ExePath 2>nul2⤵
-
C:\Windows\System32\reg.exereg query "HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\DownloadManager" /v ExePath3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST2⤵
- Modifies registry class
-
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST2⤵
-
-
C:\Windows\System32\reg.exereg delete HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f2⤵
- Modifies registry class
-
-
C:\Windows\System32\mode.commode 75, 282⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\choice.exechoice /C:123450 /N2⤵
-
-
C:\Windows\System32\mode.commode 113, 352⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Its recommended to use Freeze Trial option instead."'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\choice.exechoice /C:19 /N /M "> [1] Go Back [9] Activate : "2⤵
-
-
C:\Windows\System32\mode.commode 75, 282⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\choice.exechoice /C:123450 /N2⤵
-
-
C:\Windows\System32\mode.commode 113, 352⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Red"' -fore '"white"' '"IDM [Internet Download Manager] is not Installed."'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\mode.commode 75, 282⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\choice.exechoice /C:123450 /N2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD57f25dd09a9a9eaf40f21f59d1c788acb
SHA1d377847de8ec1be2d7c50e434630f1f4f35d9af0
SHA2566164796cd789b35158f0d6b5c7d44707870caff8d764dc0825ecd7688060070c
SHA512808f1528bacdac3d092ba02c8bb7e81f555fe6807cdc53bbee58505ae89f0b6c7317e8d338a8a0c6f8ca9dae1ac66a460865e24797ce8ce1b76891e9e6f96c8f
-
Filesize
7KB
MD5593b2196ceaeba8d7c25f6adcb60d326
SHA1aa557e348dd415d5eb09562ff0294457f1dcc325
SHA256863f2888c6bead6ac629295683acdf034eff59c16d954ae8740af34e704db7de
SHA51255f9c1b1c7f7a5f11e06427af96497b6d468ba812923cb87c43aa0a460fabc314fb443005b5f5a89a1843603fe9b75b1357a48bd5f848e6746d7918705e1e635
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
412KB
-
Filesize
12KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB