edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f

General

Target

Activator.exe
Size

628KB
MD5

05d594d09d9da2815c1be83eed268fca
SHA1

725806deac12c65566e56e4c09eaa5cfa056a039
SHA256

edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
SHA512

450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

Activator.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Activator.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Activator.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 22 IoCs

Processes:

Activator.exeActivator.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "abcd@gmail.com"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "abcd@gmail.com"	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "E54F-163B-0977C7-8ADE-2214"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "E54F-163B-0977C7-8ADE-2214"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "123456@gmail.com"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "A085-DC7C-C8B488-CB91-EC69"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"	Activator.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}	Activator.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "123456@gmail.com"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "A085-DC7C-C8B488-CB91-EC69"	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}	Activator.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "191C-2524-301C20-2339-4436"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "191C-2524-301C20-2339-4436"	Activator.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40	Activator.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

werfault.exetaskmgr.exe

pid	process
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
3840	werfault.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2948 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

werfault.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	3840	werfault.exe
Token: SeBackupPrivilege	3840	werfault.exe
Token: SeDebugPrivilege	3840	werfault.exe
Token: SeDebugPrivilege	2948	taskmgr.exe
Token: SeSystemProfilePrivilege	2948	taskmgr.exe
Token: SeCreateGlobalPrivilege	2948	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Activator.exetaskmgr.exeActivator.exe

pid	process
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
1220	Activator.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
1408	Activator.exe
1408	Activator.exe
1408	Activator.exe
1408	Activator.exe
1408	Activator.exe
1408	Activator.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe
2948	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Activator.exeActivator.exe

pid process

1220 Activator.exe
1408 Activator.exe
1408 Activator.exe

C:\Users\Admin\AppData\Local\Temp\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\Activator.exe"
1⤵
- Drops file in Drivers directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3732

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a9268fdd09a048b49a353416ef000119 /t 1236 /p 1220
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Users\Admin\AppData\Local\Temp\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\Activator.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\0f5f12cd8f10420699255b8686fc42cf /t 1336 /p 1408
1⤵
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts
MD5
dee2a423edf7020d91b55605d0a7e506

SHA1
2a189da98cc2cffc1cc7a43a31d07c379b5b22fb

SHA256
6160eca7307cdbe8b5f43eceaa8c8069031752628e091d2218c7783a47bebd3f

SHA512
7e09c9f711a5e1c442d4e3b5060f229e35c354bc8c8bfd24019e025a18af9100144049ca68d26085954f6650533b47905574be339d2da217e7323a67333be0d8

Download Submit
memory/1220-114-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1408-115-0x00000000005C0000-0x000000000066E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads