0f5ec45a5c9f6f0568a3bc438ffba4e2ea5cf1455971218683da3cf5f96a2fed

Resubmissions

17-01-2021 18:58

210117-3s32cywdms 8

16-01-2021 15:43

210116-j4agbeggzj 10

Analysis

max time kernel
144s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
16-01-2021 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activation.exe
Size

2.5MB
MD5

d7c5b21846b4cc58ff58ef5ce1d46cfa
SHA1

bc98a4f74b2c6efa3f62d0151e54edea4c9bc3da
SHA256

0f5ec45a5c9f6f0568a3bc438ffba4e2ea5cf1455971218683da3cf5f96a2fed
SHA512

c557ad7051ef4c21b695b340f0aa299c033bb11bab6bf241e174fe40d08076fa17853f605c1d0bfc295a02a2bb5a0892e0438c65a92f35217b1f8e9b82d247f9

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Activation.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "2"	Activation.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Activation.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Activation.exe

pid process

4048 Activation.exe

pid	process
4048	Activation.exe

Suspicious use of AdjustPrivilegeToken 462 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3636	WMIC.exe
Token: SeSecurityPrivilege	3636	WMIC.exe
Token: SeTakeOwnershipPrivilege	3636	WMIC.exe
Token: SeLoadDriverPrivilege	3636	WMIC.exe
Token: SeSystemProfilePrivilege	3636	WMIC.exe
Token: SeSystemtimePrivilege	3636	WMIC.exe
Token: SeProfSingleProcessPrivilege	3636	WMIC.exe
Token: SeIncBasePriorityPrivilege	3636	WMIC.exe
Token: SeCreatePagefilePrivilege	3636	WMIC.exe
Token: SeBackupPrivilege	3636	WMIC.exe
Token: SeRestorePrivilege	3636	WMIC.exe
Token: SeShutdownPrivilege	3636	WMIC.exe
Token: SeDebugPrivilege	3636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3636	WMIC.exe
Token: SeRemoteShutdownPrivilege	3636	WMIC.exe
Token: SeUndockPrivilege	3636	WMIC.exe
Token: SeManageVolumePrivilege	3636	WMIC.exe
Token: 33	3636	WMIC.exe
Token: 34	3636	WMIC.exe
Token: 35	3636	WMIC.exe
Token: 36	3636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3636	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Activation.exe

pid process

4048 Activation.exe

pid	process
4048	Activation.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

Activation.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4048 wrote to memory of 3772	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3772	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3772	4048	Activation.exe	cmd.exe
PID 3772 wrote to memory of 4064	3772	cmd.exe	WMIC.exe
PID 3772 wrote to memory of 4064	3772	cmd.exe	WMIC.exe
PID 3772 wrote to memory of 4064	3772	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 1336	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 1336	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 1336	4048	Activation.exe	cmd.exe
PID 1336 wrote to memory of 3636	1336	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 3636	1336	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 3636	1336	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 3736	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3736	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3736	4048	Activation.exe	cmd.exe
PID 3736 wrote to memory of 1392	3736	cmd.exe	WMIC.exe
PID 3736 wrote to memory of 1392	3736	cmd.exe	WMIC.exe
PID 3736 wrote to memory of 1392	3736	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 2032	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 2032	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 2032	4048	Activation.exe	cmd.exe
PID 2032 wrote to memory of 1648	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 1648	2032	cmd.exe	WMIC.exe
PID 2032 wrote to memory of 1648	2032	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 3516	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3516	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3516	4048	Activation.exe	cmd.exe
PID 3516 wrote to memory of 2136	3516	cmd.exe	WMIC.exe
PID 3516 wrote to memory of 2136	3516	cmd.exe	WMIC.exe
PID 3516 wrote to memory of 2136	3516	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 1320	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 1320	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 1320	4048	Activation.exe	cmd.exe
PID 1320 wrote to memory of 2188	1320	cmd.exe	WMIC.exe
PID 1320 wrote to memory of 2188	1320	cmd.exe	WMIC.exe
PID 1320 wrote to memory of 2188	1320	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 3928	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3928	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3928	4048	Activation.exe	cmd.exe
PID 3928 wrote to memory of 3724	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3724	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3724	3928	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 2040	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 2040	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 2040	4048	Activation.exe	cmd.exe
PID 2040 wrote to memory of 3584	2040	cmd.exe	WMIC.exe
PID 2040 wrote to memory of 3584	2040	cmd.exe	WMIC.exe
PID 2040 wrote to memory of 3584	2040	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 1364	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 1364	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 1364	4048	Activation.exe	cmd.exe
PID 1364 wrote to memory of 2072	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 2072	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 2072	1364	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 3524	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3524	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3524	4048	Activation.exe	cmd.exe
PID 3524 wrote to memory of 3728	3524	cmd.exe	WMIC.exe
PID 3524 wrote to memory of 3728	3524	cmd.exe	WMIC.exe
PID 3524 wrote to memory of 3728	3524	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 3312	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3312	4048	Activation.exe	cmd.exe
PID 4048 wrote to memory of 3312	4048	Activation.exe	cmd.exe
PID 3312 wrote to memory of 3660	3312	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\Activation.exe"
1⤵
- Modifies security service
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' get started,state /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' call startservice
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call stopservice
2⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' call stopservice
3⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wuauserv' call stopservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wuauserv' call stopservice
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='ClipSVC' get started,state /value
3⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='ClipSVC' call startservice
3⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='ClipSVC' call stopservice
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='ClipSVC' call stopservice
3⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wlidsvc' get started,state /value
3⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' call startservice>C:\Users\Admin\AppData\Local\Temp\svctest.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wlidsvc' call startservice
3⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='wlidsvc' call stopservice
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='wlidsvc' call stopservice
3⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C wmic service where name='sppsvc' get started,state /value>"C:\Users\Admin\AppData\Local\Temp\svccheck.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic service where name='sppsvc' get started,state /value
3⤵
PID:3660

C:\Windows\System32\cmd.exe
C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs)>>C:\Users\Admin\AppData\Local\Temp\kms.log
2⤵
PID:1172

C:\Windows\system32\cscript.exe
cscript.exe /nologo C:\Users\Admin\AppData\Local\Temp\PID8.vbs
3⤵
PID:1176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PID8.vbs
MD5
78d143bc6c1968d0a228b29e823d051e

SHA1
a11dfa069c0b49487f55b32e8e9e89fad3796b5b

SHA256
dca511dfdbaadbad34a89f0fa4c86de1a8a37fedc326f7bc17a746d44b0fbaff

SHA512
af82ab5a8855576f0f29a681b07befd456ebca7e381e8c902e9151ceabf6c59035d02ead07fc98b2e601ea11746887664acee73f39ee2c029685289f9c519068

Download Submit
C:\Users\Admin\AppData\Local\Temp\kms.log
MD5
7fe0b758af0207e3dae31e0618c54afb

SHA1
64de9a12c49e7c810adb5af08ae83e10fb2362df

SHA256
8fb528281a0893afe0333cfa06673559658d046ef7bde09e83aeebc2126e0e29

SHA512
b1811b3e976dd3a28faf2ef33d9b48b1572bc1aed3ce6ec2f7c9d21f337f4336836d48a7b5f049f64a7bc80b19015d4b41fb24d731f4310359796459ab0de04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
MD5
b4cf1eee929f22c00ac2f5720ef7cfda

SHA1
d003a0ceaa5062863e2d2677b11f559ef32caa5d

SHA256
9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721

SHA512
db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
MD5
b4cf1eee929f22c00ac2f5720ef7cfda

SHA1
d003a0ceaa5062863e2d2677b11f559ef32caa5d

SHA256
9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721

SHA512
db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
MD5
50ba16b930ad981fbbf1314a5fd824c5

SHA1
bbe538f2f30c674426b20e00cd408d9f17e54a65

SHA256
ae782d53030dd93bc8a483f5bf7ace13e8b87d9135a5cd3544aafc47aa1d19da

SHA512
d3163bce4a9513fa84fabab6ba1acf5de90161207caccbc57079b9a08221d6dcad5d418a41ad5bddaed8ee81dea1f1a69340c4ee226cadd12e0ff81ac91bfbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\svccheck.txt
MD5
b4cf1eee929f22c00ac2f5720ef7cfda

SHA1
d003a0ceaa5062863e2d2677b11f559ef32caa5d

SHA256
9c3a3f6432a7109b262cf38a5f50f4701139d6b6420eceb484aa86b534077721

SHA512
db3ab178b773f63909b6a759e3a91389991d2844f97b63e83b759187e5d2f31a16df4fb1512493ec74d944a8baa9a83559ab9b99a87171182ec74c556a2df620

Download Submit
C:\Users\Admin\AppData\Local\Temp\svctest.txt
MD5
a911f60ad9dad41fb6d489e3d6beeabb

SHA1
107039dd9cde2fff8bdfc78d227a573795fc8580

SHA256
ba03df561c1e1e78fcec49cd4ea47c41bf1af70c6eaf8fd9c0d36667556606c2

SHA512
5a766fa2ff4f0b315f5afcfa8476b3695582ae5f148267511b23d9999aff5b7cae162300d4614a0b3d5f7dde107d39695e1b23bbedb38c39936869f6febbcfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svctest.txt
MD5
7fdc5527e6edb98518893c2d8466b231

SHA1
4bf37636f6afc1134a63fc01fbc557e92f1164da

SHA256
9b2b2523076f38a8c53cb72fd89c92c3a4d15755e22e74a978ca2cf3c7f0ffec

SHA512
4e9fbccf20b4b67e5d482202b91085623d6ff1a97f575450a530e8ca767b51ac23896914b416f97d6d74b8470596403a8251026b774b2090144f9afe2ba66134

Download Submit
C:\Users\Admin\AppData\Local\Temp\svctest.txt
MD5
c4438059ec538dc066f799f6f5103762

SHA1
068f0cf848c14067dce3f071e677710c1df91964

SHA256
de3df6b8209cfb41eeaf52c6d4dd93f42af2cdbd011ba16988949a10b7c66270

SHA512
08a5976bddc2e4bcd6b104d4258022eef734646983c090a49a0606f343939c87058c5f4e0b892a33534e387aea8cb38f525cca826f2db79e2455cf0cc1e7b588

Download Submit
memory/1172-31-0x0000000000000000-mapping.dmp

Download
memory/1176-32-0x0000000000000000-mapping.dmp

Download
memory/1320-15-0x0000000000000000-mapping.dmp

Download
memory/1336-5-0x0000000000000000-mapping.dmp

Download
memory/1364-23-0x0000000000000000-mapping.dmp

Download
memory/1392-9-0x0000000000000000-mapping.dmp

Download
memory/1648-11-0x0000000000000000-mapping.dmp

Download
memory/2032-10-0x0000000000000000-mapping.dmp

Download
memory/2040-20-0x0000000000000000-mapping.dmp

Download
memory/2072-24-0x0000000000000000-mapping.dmp

Download
memory/2136-13-0x0000000000000000-mapping.dmp

Download
memory/2188-16-0x0000000000000000-mapping.dmp

Download
memory/3312-28-0x0000000000000000-mapping.dmp

Download
memory/3516-12-0x0000000000000000-mapping.dmp

Download
memory/3524-26-0x0000000000000000-mapping.dmp

Download
memory/3584-21-0x0000000000000000-mapping.dmp

Download
memory/3636-6-0x0000000000000000-mapping.dmp

Download
memory/3660-29-0x0000000000000000-mapping.dmp

Download
memory/3724-19-0x0000000000000000-mapping.dmp

Download
memory/3728-27-0x0000000000000000-mapping.dmp

Download
memory/3736-8-0x0000000000000000-mapping.dmp

Download
memory/3772-2-0x0000000000000000-mapping.dmp

Download
memory/3928-18-0x0000000000000000-mapping.dmp

Download
memory/4064-3-0x0000000000000000-mapping.dmp

Download