Analysis
- Max time kernel: 300s
- Max time network: 256s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 27-07-2021 19:18

Static task: static1

Behavioral task: behavioral1
- Sample: Activator.exe
- Resource: win10v20210408
General
- Target: Activator.exe
- Size: 628KB
- MD5: 05d594d09d9da2815c1be83eed268fca
- SHA1: 725806deac12c65566e56e4c09eaa5cfa056a039
- SHA256: edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
- SHA512: 450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
Malware Config
Signatures

- Drops file in Drivers directory (1 IoC)
  Process: Activator.exe
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (Activator.exe)

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName (taskmgr.exe)

- Modifies registry class (22 IoCs)
  Processes: Activator.exe, Activator.exe (all entries below are by Activator.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "abcd@gmail.com"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "abcd@gmail.com"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "E54F-163B-0977C7-8ADE-2214"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "E54F-163B-0977C7-8ADE-2214"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "123456@gmail.com"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "A085-DC7C-C8B488-CB91-EC69"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Name = "Admin"
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\User Email = "123456@gmail.com"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "A085-DC7C-C8B488-CB91-EC69"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "191C-2524-301C20-2339-4436"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\License Key = "191C-2524-301C20-2339-4436"
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A08BF54-F86F-4DF5-8D36-E806076A5158}\Expire Date = 0000000020eeea40

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: werfault.exe, taskmgr.exe
  - PID 3840 werfault.exe (entry repeated)
  - PID 2948 taskmgr.exe (entry repeated)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: taskmgr.exe
  - PID 2948 taskmgr.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: werfault.exe, taskmgr.exe
  - Token: SeRestorePrivilege, PID 3840 werfault.exe
  - Token: SeBackupPrivilege, PID 3840 werfault.exe
  - Token: SeDebugPrivilege, PID 3840 werfault.exe
  - Token: SeDebugPrivilege, PID 2948 taskmgr.exe
  - Token: SeSystemProfilePrivilege, PID 2948 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, PID 2948 taskmgr.exe

- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: Activator.exe, taskmgr.exe, Activator.exe
  - PID 1220 Activator.exe (entry repeated)
  - PID 2948 taskmgr.exe (entry repeated)
  - PID 1408 Activator.exe (entry repeated)

- Suspicious use of SendNotifyMessage (64 IoCs)
  Process: taskmgr.exe
  - PID 2948 taskmgr.exe (entry repeated)

- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: Activator.exe, Activator.exe
  - PID 1220 Activator.exe
  - PID 1408 Activator.exe
  - PID 1408 Activator.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Activator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Activator.exe"
  - Drops file in Drivers directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\a9268fdd09a048b49a353416ef000119 /t 1236 /p 1220
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Local\Temp\Activator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Activator.exe"
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\0f5f12cd8f10420699255b8686fc42cf /t 1336 /p 1408
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\system32\drivers\etc\hosts
  - MD5: dee2a423edf7020d91b55605d0a7e506
  - SHA1: 2a189da98cc2cffc1cc7a43a31d07c379b5b22fb
  - SHA256: 6160eca7307cdbe8b5f43eceaa8c8069031752628e091d2218c7783a47bebd3f
  - SHA512: 7e09c9f711a5e1c442d4e3b5060f229e35c354bc8c8bfd24019e025a18af9100144049ca68d26085954f6650533b47905574be339d2da217e7323a67333be0d8

- memory/1220-114-0x0000000000C40000-0x0000000000C41000-memory.dmp
  - Filesize: 4KB

- memory/1408-115-0x00000000005C0000-0x000000000066E000-memory.dmp
  - Filesize: 696KB