Analysis
max time kernel: 144s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 16-01-2021 15:43

Static task: static1
Behavioral task: behavioral1
  Sample: Activation.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Activation.exe
  Resource: win10v20201028
General
Target: Activation.exe
Size: 2.5MB
MD5: d7c5b21846b4cc58ff58ef5ce1d46cfa
SHA1: bc98a4f74b2c6efa3f62d0151e54edea4c9bc3da
SHA256: 0f5ec45a5c9f6f0568a3bc438ffba4e2ea5cf1455971218683da3cf5f96a2fed
SHA512: c557ad7051ef4c21b695b340f0aa299c033bb11bab6bf241e174fe40d08076fa17853f605c1d0bfc295a02a2bb5a0892e0438c65a92f35217b1f8e9b82d247f9
Malware Config
Signatures
Modifies security service (2 TTPs, 2 IoCs)
Processes: Activation.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "2" | Activation.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | Activation.exe |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Activation.exe

| pid | process |
| --- | --- |
| 4048 | Activation.exe |
Suspicious use of AdjustPrivilegeToken (462 IoCs)
Processes: WMIC.exe, WMIC.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | 4064 | WMIC.exe |
| Token: SeSecurityPrivilege | 4064 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 4064 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 4064 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 4064 | WMIC.exe |
| Token: SeSystemtimePrivilege | 4064 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 4064 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 4064 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 4064 | WMIC.exe |
| Token: SeBackupPrivilege | 4064 | WMIC.exe |
| Token: SeRestorePrivilege | 4064 | WMIC.exe |
| Token: SeShutdownPrivilege | 4064 | WMIC.exe |
| Token: SeDebugPrivilege | 4064 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 4064 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 4064 | WMIC.exe |
| Token: SeUndockPrivilege | 4064 | WMIC.exe |
| Token: SeManageVolumePrivilege | 4064 | WMIC.exe |
| Token: 33 | 4064 | WMIC.exe |
| Token: 34 | 4064 | WMIC.exe |
| Token: 35 | 4064 | WMIC.exe |
| Token: 36 | 4064 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 4064 | WMIC.exe |
| Token: SeSecurityPrivilege | 4064 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 4064 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 4064 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 4064 | WMIC.exe |
| Token: SeSystemtimePrivilege | 4064 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 4064 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 4064 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 4064 | WMIC.exe |
| Token: SeBackupPrivilege | 4064 | WMIC.exe |
| Token: SeRestorePrivilege | 4064 | WMIC.exe |
| Token: SeShutdownPrivilege | 4064 | WMIC.exe |
| Token: SeDebugPrivilege | 4064 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 4064 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 4064 | WMIC.exe |
| Token: SeUndockPrivilege | 4064 | WMIC.exe |
| Token: SeManageVolumePrivilege | 4064 | WMIC.exe |
| Token: 33 | 4064 | WMIC.exe |
| Token: 34 | 4064 | WMIC.exe |
| Token: 35 | 4064 | WMIC.exe |
| Token: 36 | 4064 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 3636 | WMIC.exe |
| Token: SeSecurityPrivilege | 3636 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 3636 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 3636 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 3636 | WMIC.exe |
| Token: SeSystemtimePrivilege | 3636 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 3636 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 3636 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 3636 | WMIC.exe |
| Token: SeBackupPrivilege | 3636 | WMIC.exe |
| Token: SeRestorePrivilege | 3636 | WMIC.exe |
| Token: SeShutdownPrivilege | 3636 | WMIC.exe |
| Token: SeDebugPrivilege | 3636 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 3636 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 3636 | WMIC.exe |
| Token: SeUndockPrivilege | 3636 | WMIC.exe |
| Token: SeManageVolumePrivilege | 3636 | WMIC.exe |
| Token: 33 | 3636 | WMIC.exe |
| Token: 34 | 3636 | WMIC.exe |
| Token: 35 | 3636 | WMIC.exe |
| Token: 36 | 3636 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 3636 | WMIC.exe |
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: Activation.exe

| pid | process |
| --- | --- |
| 4048 | Activation.exe |
Suspicious use of WriteProcessMemory (70 IoCs)
Processes: Activation.exe, cmd.exe (11 instances)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4048 wrote to memory of 3772 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3772 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3772 | 4048 | Activation.exe | cmd.exe |
| PID 3772 wrote to memory of 4064 | 3772 | cmd.exe | WMIC.exe |
| PID 3772 wrote to memory of 4064 | 3772 | cmd.exe | WMIC.exe |
| PID 3772 wrote to memory of 4064 | 3772 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 1336 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 1336 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 1336 | 4048 | Activation.exe | cmd.exe |
| PID 1336 wrote to memory of 3636 | 1336 | cmd.exe | WMIC.exe |
| PID 1336 wrote to memory of 3636 | 1336 | cmd.exe | WMIC.exe |
| PID 1336 wrote to memory of 3636 | 1336 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 3736 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3736 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3736 | 4048 | Activation.exe | cmd.exe |
| PID 3736 wrote to memory of 1392 | 3736 | cmd.exe | WMIC.exe |
| PID 3736 wrote to memory of 1392 | 3736 | cmd.exe | WMIC.exe |
| PID 3736 wrote to memory of 1392 | 3736 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 2032 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 2032 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 2032 | 4048 | Activation.exe | cmd.exe |
| PID 2032 wrote to memory of 1648 | 2032 | cmd.exe | WMIC.exe |
| PID 2032 wrote to memory of 1648 | 2032 | cmd.exe | WMIC.exe |
| PID 2032 wrote to memory of 1648 | 2032 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 3516 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3516 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3516 | 4048 | Activation.exe | cmd.exe |
| PID 3516 wrote to memory of 2136 | 3516 | cmd.exe | WMIC.exe |
| PID 3516 wrote to memory of 2136 | 3516 | cmd.exe | WMIC.exe |
| PID 3516 wrote to memory of 2136 | 3516 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 1320 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 1320 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 1320 | 4048 | Activation.exe | cmd.exe |
| PID 1320 wrote to memory of 2188 | 1320 | cmd.exe | WMIC.exe |
| PID 1320 wrote to memory of 2188 | 1320 | cmd.exe | WMIC.exe |
| PID 1320 wrote to memory of 2188 | 1320 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 3928 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3928 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3928 | 4048 | Activation.exe | cmd.exe |
| PID 3928 wrote to memory of 3724 | 3928 | cmd.exe | WMIC.exe |
| PID 3928 wrote to memory of 3724 | 3928 | cmd.exe | WMIC.exe |
| PID 3928 wrote to memory of 3724 | 3928 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 2040 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 2040 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 2040 | 4048 | Activation.exe | cmd.exe |
| PID 2040 wrote to memory of 3584 | 2040 | cmd.exe | WMIC.exe |
| PID 2040 wrote to memory of 3584 | 2040 | cmd.exe | WMIC.exe |
| PID 2040 wrote to memory of 3584 | 2040 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 1364 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 1364 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 1364 | 4048 | Activation.exe | cmd.exe |
| PID 1364 wrote to memory of 2072 | 1364 | cmd.exe | WMIC.exe |
| PID 1364 wrote to memory of 2072 | 1364 | cmd.exe | WMIC.exe |
| PID 1364 wrote to memory of 2072 | 1364 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 3524 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3524 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3524 | 4048 | Activation.exe | cmd.exe |
| PID 3524 wrote to memory of 3728 | 3524 | cmd.exe | WMIC.exe |
| PID 3524 wrote to memory of 3728 | 3524 | cmd.exe | WMIC.exe |
| PID 3524 wrote to memory of 3728 | 3524 | cmd.exe | WMIC.exe |
| PID 4048 wrote to memory of 3312 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3312 | 4048 | Activation.exe | cmd.exe |
| PID 4048 wrote to memory of 3312 | 4048 | Activation.exe | cmd.exe |
| PID 3312 wrote to memory of 3660 | 3312 | cmd.exe | WMIC.exe |
Processes
(depth in the process tree is given in brackets; each entry lists the image path, then the recorded command line, then the signatures that fired for it)

[1] C:\Users\Admin\AppData\Local\Temp\Activation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Activation.exe"
    - Modifies security service
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wuauserv' get started,state /value
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wuauserv' call startservice
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call stopservice
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wuauserv' call stopservice

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call stopservice
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wuauserv' call stopservice

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='ClipSVC' get started,state /value

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='ClipSVC' call startservice

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' call stopservice
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='ClipSVC' call stopservice

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wlidsvc' get started,state /value

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wlidsvc' call startservice

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' call stopservice
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='wlidsvc' call stopservice

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C wmic service where name='sppsvc' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic service where name='sppsvc' get started,state /value

  [2] C:\Windows\System32\cmd.exe
      Command line: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs)>>C:\Users\Admin\AppData\Local\Temp\kms.log

    [3] C:\Windows\system32\cscript.exe
        Command line: cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\PID8.vbs
  MD5: 78d143bc6c1968d0a228b29e823d051e
  SHA1: a11dfa069c0b49487f55b32e8e9e89fad3796b5b
  SHA256: dca511dfdbaadbad34a89f0fa4c86de1a8a37fedc326f7bc17a746d44b0fbaff
  SHA512: af82ab5a8855576f0f29a681b07befd456ebca7e381e8c902e9151ceabf6c59035d02ead07fc98b2e601ea11746887664acee73f39ee2c029685289f9c519068

C:\Users\Admin\AppData\Local\Temp\kms.log
  MD5: 7fe0b758af0207e3dae31e0618c54afb
  SHA1: 64de9a12c49e7c810adb5af08ae83e10fb2362df
  SHA256: 8fb528281a0893afe0333cfa06673559658d046ef7bde09e83aeebc2126e0e29
  SHA512: b1811b3e976dd3a28faf2ef33d9b48b1572bc1aed3ce6ec2f7c9d21f337f4336836d48a7b5f049f64a7bc80b19015d4b41fb24d731f4310359796459ab0de04a

C:\Users\Admin\AppData\Local\Temp\svccheck.txt
  MD5: b4cf1eee929f22c00ac2f5720ef7cfda
  SHA1: d003a0ceaa5062863e2d2677b11f559ef32caa5d
  SHA256: 9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721
  SHA512: db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

C:\Users\Admin\AppData\Local\Temp\svccheck.txt
  MD5: b4cf1eee929f22c00ac2f5720ef7cfda
  SHA1: d003a0ceaa5062863e2d2677b11f559ef32caa5d
  SHA256: 9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721
  SHA512: db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

C:\Users\Admin\AppData\Local\Temp\svccheck.txt
  MD5: 50ba16b930ad981fbbf1314a5fd824c5
  SHA1: bbe538f2f30c674426b20e00cd408d9f17e54a65
  SHA256: ae782d53030dd93bc8a483f5bf7ace13e8b87d9135a5cd3544aafc47aa1d19da
  SHA512: d3163bce4a9513fa84fabab6ba1acf5de90161207caccbc57079b9a08221d6dcad5d418a41ad5bddaed8ee81dea1f1a69340c4ee226cadd12e0ff81ac91bfbff

C:\Users\Admin\AppData\Local\Temp\svccheck.txt
  MD5: b4cf1eee929f22c00ac2f5720ef7cfda
  SHA1: d003a0ceaa5062863e2d2677b11f559ef32caa5d
  SHA256: 9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721
  SHA512: db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

C:\Users\Admin\AppData\Local\Temp\svctest.txt
  MD5: a911f60ad9dad41fb6d489e3d6beeabb
  SHA1: 107039dd9cde2fff8bdfc78d227a573795fc8580
  SHA256: ba03df561c1e1e78fcec49cd4ea47c41bf1af70c6eaf8fd9c0d36667556606c2
  SHA512: 5a766fa2ff4f0b315f5afcfa8476b3695582ae5f148267511b23d9999aff5b7cae162300d4614a0b3d5f7dde107d39695e1b23bbedb38c39936869f6febbcfe7

C:\Users\Admin\AppData\Local\Temp\svctest.txt
  MD5: 7fdc5527e6edb98518893c2d8466b231
  SHA1: 4bf37636f6afc1134a63fc01fbc557e92f1164da
  SHA256: 9b2b2523076f38a8c53cb72fd89c92c3a4d15755e22e74a978ca2cf3c7f0ffec
  SHA512: 4e9fbccf20b4b67e5d482202b91085623d6ff1a97f575450a530e8ca767b51ac23896914b416f97d6d74b8470596403a8251026b774b2090144f9afe2ba66134

C:\Users\Admin\AppData\Local\Temp\svctest.txt
  MD5: c4438059ec538dc066f799f6f5103762
  SHA1: 068f0cf848c14067dce3f071e677710c1df91964
  SHA256: de3df6b8209cfb41eeaf52c6d4dd93f42af2cdbd011ba16988949a10b7c66270
  SHA512: 08a5976bddc2e4bcd6b104d4258022eef734646983c090a49a0606f343939c87058c5f4e0b892a33534e387aea8cb38f525cca826f2db79e2455cf0cc1e7b588
Memory dumps:
- memory/1172-31-0x0000000000000000-mapping.dmp
- memory/1176-32-0x0000000000000000-mapping.dmp
- memory/1320-15-0x0000000000000000-mapping.dmp
- memory/1336-5-0x0000000000000000-mapping.dmp
- memory/1364-23-0x0000000000000000-mapping.dmp
- memory/1392-9-0x0000000000000000-mapping.dmp
- memory/1648-11-0x0000000000000000-mapping.dmp
- memory/2032-10-0x0000000000000000-mapping.dmp
- memory/2040-20-0x0000000000000000-mapping.dmp
- memory/2072-24-0x0000000000000000-mapping.dmp
- memory/2136-13-0x0000000000000000-mapping.dmp
- memory/2188-16-0x0000000000000000-mapping.dmp
- memory/3312-28-0x0000000000000000-mapping.dmp
- memory/3516-12-0x0000000000000000-mapping.dmp
- memory/3524-26-0x0000000000000000-mapping.dmp
- memory/3584-21-0x0000000000000000-mapping.dmp
- memory/3636-6-0x0000000000000000-mapping.dmp
- memory/3660-29-0x0000000000000000-mapping.dmp
- memory/3724-19-0x0000000000000000-mapping.dmp
- memory/3728-27-0x0000000000000000-mapping.dmp
- memory/3736-8-0x0000000000000000-mapping.dmp
- memory/3772-2-0x0000000000000000-mapping.dmp
- memory/3928-18-0x0000000000000000-mapping.dmp
- memory/4064-3-0x0000000000000000-mapping.dmp