Analysis

  • max time kernel
    468s
  • max time network
    252s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    30-01-2022 14:11

General

  • Target

    ACTIVATE____SETUP__4695.exe

  • Size

    744KB

  • MD5

    849bf640bf914ec675b9477a802a22f9

  • SHA1

    e1a12595f8c9d48416ec342cd4037a32f3fdda24

  • SHA256

    5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4

  • SHA512

    763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe
    "C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
      2⤵
      PID:4792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Nel.xls
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq BullGuardCore.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2000
        • C:\Windows\SysWOW64\find.exe
          find /I /N "bullguardcore.exe"
          4⤵
          PID:788
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq PSUAService.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2388
        • C:\Windows\SysWOW64\find.exe
          find /I /N "psuaservice.exe"
          4⤵
          PID:3736
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^HSpZWdXvufzDAYGXjZABuYRJLvHBPEtTIkAzCKbYUuhbCfMdrpLnpmdIqmgmIvGBkAVfbjxBBCGZLxicKsnFSFJoVSzecYfbmLjezbSQPlXHSd$" Questo.xls
          4⤵
          PID:4736
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
          Accostarmi.exe.pif x
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:472
        • C:\Windows\SysWOW64\waitfor.exe
          waitfor /t 5 aRUpIzAL
          4⤵
          PID:1052
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 9e25590de4b80355628001e19fad4e53 VWqDcBM/gUS1bXFtid5BQQ.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery
1
T1082

Process Discovery
1
T1057

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
    MD5
    c56b5f0201a3b3de53e561fe76912bfd
    SHA1
    2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256
    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512
    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nel.xls
    MD5
    a338f121bc7c0acf5f297bf85f150b7f
    SHA1
    b1b4dd45417c0907dabf3cd93ea6410c73df5325
    SHA256
    4556a5e53c426abe5565342d9b091134ebc4aaaedafb00454f0a248ff78e1668
    SHA512
    fa6b633dd69bf0cc195b093417001517e3dbe22f516109a4180d853849741b44fe8fc00264135ab8686512dc8b58a01b7727f8c3a89de121b6a176a14f0485c0

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questo.xls
    MD5
    0d8fea82e82b1fa16b1dc714d106830c
    SHA1
    ee9b15e9c380bbd6ac6431aae8f4625fecb77bec
    SHA256
    36c088f98ef9b8fe659e23f01a15c72b6b9824faedbfd9ae78e00de536f80ed6
    SHA512
    de6dd75f8086aee2a50f4042586400b563dfe5a551195567a7ba3caaaf7c80342f47c6b452f1a97118b02eaf984c2cf350fbc2bf5b0194c6f147f84f3d268494

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vorrei.xls
    MD5
    cee0255c4b09a8487fb1d965c91b2769
    SHA1
    30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
    SHA256
    5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
    SHA512
    d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gQCSdkwXO.dll
    MD5
    18633504d1d02fdd6ab81984751a095e
    SHA1
    bed8b98e3a2e64ed80c9e733c3cdc119cfa87857
    SHA256
    cfdf9bb639cd7a9751c3b475a908dbdac66f50d6ca5fe672b062f76bd1a4e232
    SHA512
    9d83eb74d4003c1bfcd83f51cc47b44393fdb84fdacfe36b7a7eb020cc81506ff04d3313414815670665a7d2f31eb2504e154d53b81aa830d5abe7371a099550

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\x
    MD5
    cee0255c4b09a8487fb1d965c91b2769
    SHA1
    30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
    SHA256
    5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
    SHA512
    d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328