MAS_1.5_AIO_CRC32_21D20776 {CracksHash}.cmd
This report is generated from a file or URL submitted to this web service on January 11th 2022 16:46:44 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.50.3 © Hybrid Analysis
Indicators
Malicious Indicators (3)
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/57 Antivirus vendors marked sample as malicious (about 2% detection rate)
- source
- External System
- relevance
- 8/10
Installation/Persistence
Found an indicator for a scheduled task trigger
- details
"line_KMS_Activation_Script-Run_Once</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowS" (Indicator: "LogonTrigger"; File: "73adfd819e6072ab5ed33c52d5578f73b12945a37c733f7fdcc6e50856329d87.cmd.bin") - source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1053 Scheduled Task/Job
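The task definition is quoted only in part above, but the fields that matter for triage are all visible: a LogonTrigger, a principal of S-1-5-18 (LocalSystem) with RunLevel HighestAvailable, RunOnlyIfNetworkAvailable, and an SDDL security descriptor on the registration. The following Python is an added example, not part of the report or of the analysed script: it parses a Task Scheduler XML document, reports those persistence and privilege properties, and decodes the DACL to confirm that nobody except SYSTEM, Administrators and NT SERVICE SIDs can modify the task (a task writable by a standard user would be a privilege-escalation path, which this one is not). The TASK_XML input is constructed around the fragment in the report; the set of "write" rights tokens and the trusted-SID list are my assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the same URL appears in the report's extracted strings).
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
LOCAL_SYSTEM_SID = "S-1-5-18"
# Assumed: two-letter SDDL rights tokens that let a trustee rewrite the task or its ACL.
WRITE_TOKENS = {"FA", "FW", "GA", "GW", "WD", "WO"}
# Assumed: trustees that legitimately hold write access on a task (SYSTEM, BUILTIN\Administrators).
ADMIN_TRUSTEES = {"SY", "BA"}

# Constructed input: a complete task document built around the trigger, principal,
# settings and security descriptor quoted in the report (the report's fragment is truncated).
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
  </Settings>
</Task>
"""

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """DACL of an SDDL string as dicts; each ACE is (type;flags;rights;obj_guid;inherit_guid;trustee)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop at the SACL if one follows
    aces = []
    for ace in ACE_RE.findall(dacl):
        parts = ace.split(";")
        if len(parts) == 6:
            aces.append({"type": parts[0], "rights": parts[2], "trustee": parts[5]})
    return aces


def rights_tokens(rights):
    """Split 'FRFX' into ['FR', 'FX']; a numeric mask such as 0x1200a9 is left as one token."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def non_admin_writers(aces):
    """Trustees other than SYSTEM, Administrators and NT SERVICE SIDs (S-1-5-80-*) with write rights."""
    writers = []
    for ace in aces:
        if ace["type"] != "A":  # only access-allowed ACEs grant anything
            continue
        trustee = ace["trustee"]
        if trustee in ADMIN_TRUSTEES or trustee.startswith("S-1-5-80-"):
            continue
        if WRITE_TOKENS & set(rights_tokens(ace["rights"])):
            writers.append(trustee)
    return writers


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def triage_task(xml_text):
    """Summarise the persistence- and privilege-relevant fields of one task definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [el.tag.rsplit("}", 1)[-1] for el in triggers_el]
    user_id = _text(root, "t:Principals/t:Principal/t:UserId")
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    findings = []
    if {"LogonTrigger", "BootTrigger"} & set(triggers):
        findings.append("persistence: fires at logon/boot via " + ", ".join(triggers))
    if user_id == LOCAL_SYSTEM_SID:
        findings.append("privilege: runs as LocalSystem (S-1-5-18)")
    if run_level == "HighestAvailable":
        findings.append("privilege: RunLevel is HighestAvailable")
    if _text(root, "t:Settings/t:RunOnlyIfNetworkAvailable") == "true":
        findings.append("network: execution is deferred until a network is available")
    sd = _text(root, "t:RegistrationInfo/t:SecurityDescriptor") or ""
    writers = non_admin_writers(parse_dacl(sd))
    if writers:
        findings.append("weak ACL: task definition writable by " + ", ".join(writers))
    return {"triggers": triggers, "user_id": user_id, "run_level": run_level, "findings": findings}


if __name__ == "__main__":
    for line in triage_task(TASK_XML)["findings"]:
        print(line)
```

On a live host the same function can be fed the output of `schtasks /Query /XML /TN <name>` or the task files under `%SystemRoot%\System32\Tasks`; the ACL check is the part most often skipped in manual review.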
System Security
References security related windows services
- details
"[Not connected]"
)
)
::========================================================================================================================================
echo:
set "_serv=ClipSVC wlidsvc sppsvc LicenseManager Winmgmt wuauserv"
:: Client License Service (ClipSVC)
:: Microsoft Account Sign-in Assistant
:: Software Protection
:: Windows License Manager Service
:: Windows Management Instrumentation
:: Windows Update
echo Checking Services [%_serv%]
:: Check disabled services
set serv_ste=
for %%# in (%_serv%) do (
set serv_dis=
reg query HKLM\SYSTEM\CurrentControlSet\Services\%%# /v Start %nul% || set serv_dis=1
for /f "skip=2 tokens=2*" %%a in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\%%# /v Start 2^>nul') do if /i %%b equ 0x4 set serv_dis=1
if defined serv_dis (if defined serv_ste (set "serv_ste=!serv_ste! %%#") else (set "serv_ste=%%#"))
)
:: Change disabled services startup type to auto
set serv_csts=
set serv_cste=
if def" (Indicator: "wuauserv"), "[Successful]
) else (
call :dk_color %Red% "Starting Services [Failed] [%serv_e%]"
echo %serv_e% | find /i "wuauserv" %nul% && (
call :dk_color %Magenta% "Windows Update Service [wuauserv] is not working, check if you have blocked it"
)
)
if not defined applist (
call :dk_color %Red% "Checking WMI Query [Failed]"
) else (
echo Checking WMI Query [Successful]
)
::========================================================================================================================================
:: Install key
echo:
if defined changekey call :dk_color %Magenta% "Windows 10 Iot Enterprise LTSC 2021 Product Key Is Selected For HWID Activation"&echo:
set _partial=
if defined key set _ipartial=%key:~-5%
if %winbuild% LSS 22483 for /f "tokens=2 delims==" %%# in ('wmic path %slp% where "ApplicationID='%wApp%' and PartialProductKey<>null" Get PartialProductKey /value 2^>nul') do set "_partial=%%#"
if %winbuild% GEQ 22483" (Indicator: "wuauserv") - source
- File/Memory
- relevance
- 7/10
- ATT&CK ID
- T1574.010 Hijack Execution Flow: Services File Permissions Weakness
Suspicious Indicators (3)
Environment Awareness
Found a reference to a WMI query string known to be used for VM detection
- details
"RORCODE% NEQ 0 (
call :_color %_Red% "Product Activation Failed: 0x!=ExitCode!"
) else (
call :_color %_Red% "Product Activation Failed"
)
echo Remaining Period: %gpr2% days ^(%gpr% minutes^)
set S_OK=0
set act_failed=1
set /a act_attempt=0
exit /b
:StopService
sc query %1 | find /i "STOPPED" %_Nul1% || net stop %1 /y %_Nul3%
sc query %1 | find /i "STOPPED" %_Nul1% || sc stop %1 %_Nul3%
goto :eof
:UpdateOSPPEntry
if /i %1 EQU osppsvc.exe (
reg add "HKLM\%OPPk%" /f /v KeyManagementServiceName /t REG_SZ /d "!KMS_IP!" %_Nul3%
reg add "HKLM\%OPPk%" /f /v KeyManagementServicePort /t REG_SZ /d "%KMS_Port%" %_Nul3%
)
goto :eof
:CheckFR
set E_WMI=0
for /f "skip=2 tokens=2*" %%a in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start %_Nul6%') do if /i %%b equ 0x4 set E_WMI=1
set "_qr=%_zz1% Win32_ComputerSystem %_zz3% CreationClassName %_zz4%"
%_qr% %_Nul2% | find /i "computersystem" %_Nul1%
if %errorlevel% NEQ 0 set E_WMI=1
set "_qr=%_zz1% SoftwareLicensingService %_z" (Indicator: "win32_computersystem"; File: "73adfd819e6072ab5ed33c52d5578f73b12945a37c733f7fdcc6e50856329d87.cmd.bin") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047 Windows Management Instrumentation
Remote Access Related
Contains indicators of bot communication commands
- details
"07.com kms.moey%-%uuko.com kms.lol%-%i.best kms.zhuxi%-%aole.org kms.ca%-%tqu.com"
set "srvlist=%srvlist% kms.lol%-%i.beer kms.ca%-%ry.tech kms.wx%-%lost.com kms.moeyu%-%uko.top kms.ghp%-%ym.com"
set n=1
for %%a in (%srvlist%) do (set %%a=&set server!n!=%%a&set /a n+=1)
set max_servers=15
set /a server_num=0
exit /b
:getserv
if %server_num% equ %max_servers% set /a server_num+=1&set KMS_IP=222.184.9.98&exit /b
set /a rand=%Random%%%(15+1-1)+1
if defined !server%rand%! goto :getserv
set KMS_IP=!server%rand%!
set !server%rand%!=1
:: Get IPv4 address of KMS server to use for the activation
works even if ICMP echo is disabled.
:: Microsoft and Antivirus's may flag the issue if public KMS server host name is directly used for the activation.
set /a server_num+=1
(for /f "delims=[] tokens=2" %%a in ('ping -4 -n 1 %KMS_IP% 2^>nul') do set "KMS_IP=%%a"
if [%KMS_IP%]==[!KMS_IP!] for /f "delims=[] tokens=2" %%# in ('pathping -4 -h 1 -n -p 1 -q 1 -w 1 %KMS_IP% 2^>nul') do set "KMS_IP=%%#"" (Indicator: "servers="), "KMS_IP%"
if defined notx86 (
%nul% reg add "HKLM\%SPPk%" /f /v KeyManagementServiceName /t REG_SZ /d "%KMS_IP%" /reg:32
%nul% reg add "HKLM\%SPPk%\%_oApp%" /f /v KeyManagementServiceName /t REG_SZ /d "%KMS_IP%" /reg:32
)
)
exit /b
::========================================================================================================================================
:_tasksetserv
:: Multi KMS servers integration and servers randomization
set srvlist=
set -=
set "srvlist=kms.kure%-%tru.com xincheng213%-%618.cn kms.six%-%yin.com kms.moec%-%lub.org kms.cgts%-%oft.com"
set "srvlist=%srvlist% kms.hen%-%g07.com kms.moey%-%uuko.com kms.lol%-%i.best kms.zhuxi%-%aole.org kms.ca%-%tqu.com"
set "srvlist=%srvlist% kms.lol%-%i.beer kms.ca%-%ry.tech kms.wx%-%lost.com kms.moeyu%-%uko.top kms.ghp%-%ym.com"
set n=1
for %%a in (%srvlist%) do (set %%a=&set server!n!=%%a&set /a n+=1)
set max_servers=15
set /a server_num=0
exit /b
:_taskgetserv
if %server_num% geq %max_servers% (set /a serve" (Indicator: "servers=") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1095 Non-Application Layer Protocol
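The quoted routine never stores a KMS hostname as one literal: each name is broken with `%-%`, where `-` is an environment variable the script clears with `set -=`, so cmd.exe expands the separator to nothing and reassembles the domain at run time while string scanners see only the halves. The Python below is an added example, not code from the report or from the analysed script: it emulates just enough of cmd.exe's `set` handling and `%var%` expansion to recover the fifteen hostnames and the hard-coded fallback address from the fragment, which is what an analyst wants before writing DNS or proxy detections. The input is assembled from lines quoted in the report; only the plain `set name=value` and `set "name=value"` forms used there are emulated (`set /a` arithmetic is skipped), and the lower-casing of variable names mirrors cmd.exe's case-insensitive lookup.

```python
import re

# Constructed input: the server-list routine and the fallback address, copied from the
# batch lines quoted in the report's "bot communication" indicator.
KMS_FRAGMENT = r'''
:_tasksetserv
:: Multi KMS servers integration and servers randomization
set srvlist=
set -=
set "srvlist=kms.kure%-%tru.com xincheng213%-%618.cn kms.six%-%yin.com kms.moec%-%lub.org kms.cgts%-%oft.com"
set "srvlist=%srvlist% kms.hen%-%g07.com kms.moey%-%uuko.com kms.lol%-%i.best kms.zhuxi%-%aole.org kms.ca%-%tqu.com"
set "srvlist=%srvlist% kms.lol%-%i.beer kms.ca%-%ry.tech kms.wx%-%lost.com kms.moeyu%-%uko.top kms.ghp%-%ym.com"
set max_servers=15
set /a server_num=0
exit /b
:getserv
if %server_num% equ %max_servers% set /a server_num+=1&set KMS_IP=222.184.9.98&exit /b
'''

# Plain `set name=value` and `set "name=value"` only; `set /a ...` is deliberately not matched.
SET_RE = re.compile(
    r'^\s*set\s+(?:"(?P<qn>[^=]+)=(?P<qv>.*)"|(?P<n>[^=\s/]+)=(?P<v>.*))\s*$',
    re.IGNORECASE,
)
PERCENT_RE = re.compile(r"%([^%]*)%")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def expand(value, env):
    """Emulate cmd.exe %var% expansion: an undefined or empty variable (here `-`) expands to nothing."""
    return PERCENT_RE.sub(lambda m: env.get(m.group(1).lower(), ""), value)


def emulate_sets(batch_text):
    """Walk the fragment top to bottom, applying each simple `set` the way cmd.exe would."""
    env = {}
    for line in batch_text.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        if m.group("qn") is not None:
            name, raw = m.group("qn"), m.group("qv")
        else:
            name, raw = m.group("n"), m.group("v")
        # Expansion happens at parse time of each line, so earlier values of srvlist chain together.
        env[name.lower()] = expand(raw, env)
    return env


def extract_kms_servers(batch_text):
    """Return (hostnames, ipv4_literals) reconstructed from the split-string server list."""
    env = emulate_sets(batch_text)
    hosts = env.get("srvlist", "").split()
    ips = sorted(set(IPV4_RE.findall(batch_text)))
    return hosts, ips


if __name__ == "__main__":
    hosts, ips = extract_kms_servers(KMS_FRAGMENT)
    print("\n".join(hosts + ips))
```

Note that the script resolves each hostname with `ping -4` or `pathping -4` and writes the resulting IP, not the name, into `KeyManagementServiceName`, so a detection keyed on the registry value should also cover the resolved addresses, which the report lists as not having been contacted during this run.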
Contains references to WMI/WMIC
- details
"====
:_Check_Status_wmi
:_Check_Status_wmi_txt:
: Begin batch script
@setlocal DisableDelayedExpansion
@echo off
@cls
mode con cols=100 lines=32
>nul 2>&1 powershell "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
title Check Activation Status [wmi]
:: change to 1 to use VBScript instead wmic.exe to access WMI
:: this option is automatically enabled for Windows 11 build 22483 and later
set WMI_VBS=0
set "_cmdf=%~f0"
if exist "%SystemRoot%\Sysnative\cmd.exe" (
setlocal EnableDelayedExpansion
start %SystemRoot%\Sysnative\cmd.exe /c ""!_cmdf!" "
exit /b
)
if exist "%SystemRoot%\SysArm32\cmd.exe" if /i %PROCESSOR_ARCHITECTURE%==AMD64 (
setlocal EnableDelayedExpansion
start %SystemRoot%\SysArm32\cmd.exe /c ""!_cmdf!" "
exit /b
)
color 07
title Check Activation Status [wmi]
set wspp=SoftwareLicensingProduct
set wsps=SoftwareLicensingService
set ospp=OfficeSoftwareProtectionPr" (Indicator: "wmic.exe")
""
set "Green="2F""
set "Blue="1F""
set "Yellow="6F""
set "Magenta="5F""
set "_Red="0C""
set "_Green="0A""
set "_Blue="09""
set "_White="07""
set "_Yellow="0E""
exit /b
:_Check_Status_wmi_txt2:
::========================================================================================================================================
----- Begin wsf script --->
<package>
<job id="WmiQuery">
<script language="VBScript">
If WScript.Arguments.Count = 3 Then
wExc = "Select " & WScript.Arguments.Item(2) & " from " & WScript.Arguments.Item(0) & " where " & WScript.Arguments.Item(1)
wGet = WScript.Arguments.Item(2)
Else
wExc = "Select " & WScript.Arguments.Item(1) & " from " & WScript.Arguments.Item(0)
wGet = WScript.Arguments.Item(1)
End If
Set objCol = GetObject("winmgmts:\\.\root\CIMV2").ExecQuery(wExc,,48)
For Each objItm in objCol
For each Prop in objItm." (Indicator: "root\cimv2"), "Properties_
If LCase(Prop.Name) = LCase(wGet) Then
WScript.Echo Prop.Name & "=" & Prop.Value
Exit For
End If
Next
Next
</script>
</job>
<job id="WmiMethod">
<script language="VBScript">
On Error Resume Next
wPath = WScript.Arguments.Item(0)
wMethod = WScript.Arguments.Item(1)
Set objCol = GetObject("winmgmts:\\.\root\CIMV2:" & wPath)
objCol.ExecMethod_(wMethod)
WScript.Quit Err.Number
</script>
</job>
<job id="WmiPKey">
<script language="VBScript">
On Error Resume Next
wExc = "SELECT Version FROM " & WScript.Arguments.Item(0)
wKey = WScript.Arguments.Item(1)
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2").ExecQuery(wExc,,48)
For each colService in objWMIService
Exit For
Next
set objService = colService
objService.In" (Indicator: "root\cimv2"), "stallProductKey(wKey)
WScript.Quit Err.Number
</script>
</job>
<job id="XPDT">
<script language="VBScript">
WScript.Echo DateAdd("n", WScript.Arguments.Item(0), Now)
</script>
</job>
<job id="WmiMulti">
<script language="VBScript">
If WScript.Arguments.Count = 3 Then
wExc = "Select " & WScript.Arguments.Item(2) & " from " & WScript.Arguments.Item(0) & " where " & WScript.Arguments.Item(1)
Else
wExc = "Select " & WScript.Arguments.Item(1) & " from " & WScript.Arguments.Item(0)
End If
Set objCol = GetObject("winmgmts:\\.\root\CIMV2").ExecQuery(wExc,,48)
For Each objItm in objCol
For each Prop in objItm.Properties_
WScript.Echo Prop.Name & "=" & Prop.Value
Next
Next
</script>
</job>
</package>
:_Check_Status_wmi_txt2:
:kacttxt:
:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" (Indicator: "root\cimv2") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047 Windows Management Instrumentation
Informative (5)
Environment Awareness
Contains ability to read software policies
- details
- "WScript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
- source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1082 System Information Discovery
Reads the active computer name
- details
- "WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 Query Registry
General
Overview of unique CLSIDs touched in registry
- details
"WScript.exe" touched "Object under which scriptlets may be created" (Path: "HKCU\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\PROGID")
"WScript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\PROGID") - source
- Registry Access
- relevance
- 3/10
Network Related
Found potential URL in binary/memory
- details
Pattern match: "http://www.crackshash.com"
Pattern match: "www.crackshash.com"
Pattern match: "https://windowsaddict.ml"
Pattern match: "www.microsoft.com"
Pattern match: "pastebin.com/XTPt0JSC"
Pattern match: "https://windowsaddict.ml/readme-online-kms"
Pattern match: "pastebin.com/raw/cpdmr6HZ"
Pattern match: "https://windowsaddict.ml/readme-prog"
Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"
Pattern match: "forum.ru-board.com/topic.cgi?forum=35&topic=81283&start=6080#19"
Pattern match: "stackoverflow.com/a/10407642"
Heuristic match: "Properties_
If LCase(Prop.Name) = LCase(wGet) Then
WScript.Echo Prop.Name & = & Prop.Value
Exit For
End If
Next
Next
</script>
</job>
<job id=Wmi"
Pattern match: "https://windowsaddict.ml/office-license-is-not-genuine"
Pattern match: "www.microsoft.com,one.one.one.one,resolver1.opendns.com" - source
- File/Memory
- relevance
- 10/10
Unusual Characteristics
Reads information about supported languages
- details
"WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"WScript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 Query Registry
File Details
- Filename
- MAS_1.5_AIO_CRC32_21D20776 {CracksHash}.cmd
- Size
- 1.7MiB (1791160 bytes)
- Type
- script wsf
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 73adfd819e6072ab5ed33c52d5578f73b12945a37c733f7fdcc6e50856329d87
- MD5
- 35aedbd12e08192430153c6e4af00b9f
- SHA1
- ba705f620046e489483f5369669e51d7812abcdc
- ssdeep
- 24576:qI3OiPLyZpRvavXZGkRaOGTOzdutMO+pixuOSOihJv0bXuFH9:PNj6qbGTOXqSfLvH9
Hybrid Analysis
Analysed 1 process in total.
- WScript.exe "C:\MAS_1.5_AIO_CRC32_21D20776_CracksHash_.cmd.wsf" (PID: 3588)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.