Analysis

max time kernel:  54s
max time network: 67s
platform:         windows7_x64
resource:         win7-20220812-en
resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:        07-11-2022 14:56

Behavioral task behavioral1
  Sample:   Activator WinLoader.exe
  Resource: win7-20220812-en
Behavioral task behavioral2
  Sample:   Activator WinLoader.exe
  Resource: win10v2004-20220812-en

The signatures, process tree, dropped files and memory dumps below are from behavioral1 (the Windows 7 x64 image); the YARA-matched dumps carry the behavioral1/ prefix.
General

Target: Activator WinLoader.exe
Size:   3.8MB
MD5:    323c0fd51071400b51eedb1be90a8188
SHA1:   0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256: 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512: 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e
SSDEEP: 49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  1008  bootsect.exe
  PID 1008 is also recorded for icacls.exe earlier in the run (two mapping dumps exist for it, 1008-125 and 1008-143): the PID was reused, so do not key on PID alone when pivoting.

Possible privilege escalation attempt (4 IoCs)
  PID   Process
  1536  takeown.exe
  1008  icacls.exe
  2016  takeown.exe
  1324  icacls.exe
  This is the sandbox's label for takeown/icacls use, not evidence that the sample gained rights it lacked: takeown.exe enabled SeTakeOwnershipPrivilege (see AdjustPrivilegeToken below), a privilege granted by default only to Administrators, so the sample was already running elevated. What the commands do (see Processes) is loosen the ACL on C:\ldrscan\bootwin by taking ownership and then granting *S-1-1-0, the Everyone well-known SID, full control, (F).
YARA rule match: upx (3 IoCs)
  Resource                                                                     Rule
  behavioral1/memory/1388-54-0x0000000000400000-0x0000000000623000-memory.dmp   upx
  behavioral1/memory/1388-132-0x0000000000400000-0x0000000000623000-memory.dmp  upx
  behavioral1/memory/1388-149-0x0000000000400000-0x0000000000623000-memory.dmp  upx
  All three hits are the same region, the main image of PID 1388 (0x400000-0x623000, 2.1MB), in three successive snapshots.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process                  Description        IoC
  Activator WinLoader.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Activator WinLoader.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Modifies file permissions (1 TTP, 4 IoCs)
  PID   Process
  1536  takeown.exe
  1008  icacls.exe
  2016  takeown.exe
  1324  icacls.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, which is a generic heuristic for the label; in this trace the storage access accompanies compact /u on a \\?\Volume{...} path and bootsect /nt60 SYS /force against the system partition (both under Processes), and the report records no encryption of user files.
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Process                  Description        IoC
  Activator WinLoader.exe  Key created        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Activator WinLoader.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
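What the two registry signatures above amount to, as an added example that is not part of the report: the values queried (SystemBiosVersion, SystemBiosDate, BaseBoardProduct) are the ones anti-VM code typically compares against hypervisor vendor strings. The Python below implements that comparison over constructed sample values (a stock VirtualBox guest and a physical laptop; neither set of values comes from the report) and, on Windows, can read the same three values from the live registry. The marker list is illustrative and is not taken from the sample.

```python
import sys

# Illustrative markers, not from the report: substrings that commonly appear in the
# BIOS/baseboard values of virtual machines and that anti-analysis code looks for.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V",
              "VIRTUAL MACHINE", "PARALLELS", "INNOTEK")


def _as_strings(value):
    """SystemBiosVersion is REG_MULTI_SZ, so a value may be a list of strings."""
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def vm_indicators(values):
    """Return (value name, matched marker) pairs an anti-VM check would trip on.

    `values` maps the value names the sample queried (SystemBiosVersion,
    SystemBiosDate, BaseBoardProduct) to their registry data.
    """
    hits = []
    for name, data in values.items():
        for s in _as_strings(data):
            upper = s.upper()
            for marker in VM_MARKERS:
                if marker in upper:
                    hits.append((name, marker))
    return hits


def read_bios_values():
    """Read the same three values from the live registry (Windows only).

    Uses the key paths recorded in the report; raises ImportError elsewhere.
    """
    import winreg  # only available on Windows
    hive = winreg.HKEY_LOCAL_MACHINE
    out = {}
    with winreg.OpenKey(hive, r"HARDWARE\DESCRIPTION\System") as k:
        for name in ("SystemBiosVersion", "SystemBiosDate"):
            out[name], _ = winreg.QueryValueEx(k, name)
    with winreg.OpenKey(hive, r"HARDWARE\DESCRIPTION\System\BIOS") as k:
        out["BaseBoardProduct"], _ = winreg.QueryValueEx(k, "BaseBoardProduct")
    return out


# Constructed sample data (assumed, not from the report): values a stock VirtualBox
# guest typically exposes, and a physical machine for contrast. 06/23/99 is the BIOS
# date commonly seen in VirtualBox guests.
SAMPLE_VBOX = {
    "SystemBiosVersion": ["VBOX   - 1", "BOCHS - 1"],
    "SystemBiosDate": "06/23/99",
    "BaseBoardProduct": "VirtualBox",
}
SAMPLE_PHYSICAL = {
    "SystemBiosVersion": ["LENOVO - 1", "R0ZET56W"],
    "SystemBiosDate": "11/14/21",
    "BaseBoardProduct": "20TA",
}

if __name__ == "__main__":
    target = read_bios_values() if sys.platform == "win32" else SAMPLE_VBOX
    print(vm_indicators(target))
```

When hardening a sandbox image, these are the values to replace; the check is only as good as the marker list, and the sample may well compare against different strings than the ones assumed here.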
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  1388  Activator WinLoader.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token                       PID   Process
  33                          1388  Activator WinLoader.exe
  SeIncBasePriorityPrivilege  1388  Activator WinLoader.exe
  33                          1388  Activator WinLoader.exe
  SeIncBasePriorityPrivilege  1388  Activator WinLoader.exe
  SeTakeOwnershipPrivilege    1536  takeown.exe
  SeTakeOwnershipPrivilege    2016  takeown.exe
  SeShutdownPrivilege         1680  shutdown.exe
  SeRemoteShutdownPrivilege   1680  shutdown.exe
  33                          1712  AUDIODG.EXE
  SeIncBasePriorityPrivilege  1712  AUDIODG.EXE
  33                          1712  AUDIODG.EXE
  SeIncBasePriorityPrivilege  1712  AUDIODG.EXE
  The entries that matter are the takeown.exe ones (SeTakeOwnershipPrivilege, granted by default only to Administrators, so the sample already ran elevated) and the shutdown.exe ones (the forced reboot). AUDIODG.EXE is a system process recorded at top level, not a child of the sample (see Processes).
Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  1388  Activator WinLoader.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  The raw export repeats each entry three or four times per launch; collapsed, with counts:
  Writer PID  Writer process            Target PID  Target process  Entries
  1388        Activator WinLoader.exe   1868        cmd.exe         4
  1868        cmd.exe                   332         cmd.exe         4
  332         cmd.exe                   1536        takeown.exe     4
  1388        Activator WinLoader.exe   1540        cmd.exe         4
  1540        cmd.exe                   1008        icacls.exe      4
  1388        Activator WinLoader.exe   1680        cmd.exe         4
  1680        cmd.exe                   1820        cmd.exe         4
  1820        cmd.exe                   2016        takeown.exe     4
  1388        Activator WinLoader.exe   1164        cmd.exe         4
  1164        cmd.exe                   1324        icacls.exe      4
  1388        Activator WinLoader.exe   848         cmd.exe         4
  848         cmd.exe                   1448        cscript.exe     3
  1388        Activator WinLoader.exe   1824        cmd.exe         4
  1824        cmd.exe                   316         cscript.exe     3
  1388        Activator WinLoader.exe   896         cmd.exe         4
  896         cmd.exe                   640         compact.exe     4
  1388        Activator WinLoader.exe   1292        cmd.exe         2 (list truncated)
  Every target is the direct child the writer has just launched, so these entries are the sandbox's record of process creation along the chain, not writes into unrelated processes. The table stops at 64 entries, so the later cmd.exe launches for bootsect.exe and shutdown.exe do not appear here.
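The flattened WriteProcessMemory export is awkward to read and to pivot on. The Python below is an added example (not part of the report or of any tool the report names) that parses the raw export, collapses the repeated entries per launch, rebuilds the spawn tree, and checks whether any process was written to by more than one PID, which is the pattern that would separate injection from ordinary process creation. The input is a constructed excerpt covering the first few chains from the table above.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "wrote to memory of" entries, in the flattened
# one-line form the sandbox exports them in (the page also breaks the export across
# lines; the parser normalises whitespace first, so that does not matter).
RAW = """
PID 1388 wrote to memory of 1868 1388 Activator WinLoader.exe cmd.exe PID 1388 wrote to memory of 1868 1388 Activator WinLoader.exe cmd.exe
PID 1388 wrote to memory of 1868 1388 Activator WinLoader.exe cmd.exe PID 1388 wrote to memory of 1868 1388 Activator WinLoader.exe cmd.exe
PID 1868 wrote to memory of 332 1868 cmd.exe cmd.exe PID 1868 wrote to memory of 332 1868 cmd.exe cmd.exe
PID 1868 wrote to memory of 332 1868 cmd.exe cmd.exe PID 1868 wrote to memory of 332 1868 cmd.exe cmd.exe
PID 332 wrote to memory of 1536 332 cmd.exe takeown.exe PID 332 wrote to memory of 1536 332 cmd.exe takeown.exe
PID 332 wrote to memory of 1536 332 cmd.exe takeown.exe PID 332 wrote to memory of 1536 332 cmd.exe takeown.exe
PID 1388 wrote to memory of 1540 1388 Activator WinLoader.exe cmd.exe PID 1388 wrote to memory of 1540 1388 Activator WinLoader.exe cmd.exe
PID 1388 wrote to memory of 1540 1388 Activator WinLoader.exe cmd.exe PID 1388 wrote to memory of 1540 1388 Activator WinLoader.exe cmd.exe
PID 1540 wrote to memory of 1008 1540 cmd.exe icacls.exe PID 1540 wrote to memory of 1008 1540 cmd.exe icacls.exe
PID 1540 wrote to memory of 1008 1540 cmd.exe icacls.exe PID 1540 wrote to memory of 1008 1540 cmd.exe icacls.exe
PID 1388 wrote to memory of 848 1388 Activator WinLoader.exe cmd.exe PID 1388 wrote to memory of 848 1388 Activator WinLoader.exe cmd.exe
PID 1388 wrote to memory of 848 1388 Activator WinLoader.exe cmd.exe PID 1388 wrote to memory of 848 1388 Activator WinLoader.exe cmd.exe
PID 848 wrote to memory of 1448 848 cmd.exe cscript.exe PID 848 wrote to memory of 1448 848 cmd.exe cscript.exe
PID 848 wrote to memory of 1448 848 cmd.exe cscript.exe
"""

# One entry: "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>".
# The writer image may contain spaces; the target image is the last token before the
# next "PID" or the end of the text.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (.+?) (\S+\.exe)(?= PID |$)")


def parse_records(text):
    """Return (writer_pid, writer_image, target_pid, target_image) for each entry."""
    flat = " ".join(text.split())
    return [(int(a), src, int(b), dst) for a, b, src, dst in RECORD.findall(flat)]


def edge_counts(records):
    """How many entries each writer->target pair produced (several per launch)."""
    return Counter((w, t) for w, _, t, _ in records)


def cross_writes(records):
    """Targets written to by more than one distinct PID.

    A process created by its parent is written to by that parent only; a target
    with several writers would be the thing worth looking at for injection.
    """
    writers = defaultdict(set)
    for w, _, t, _ in records:
        writers[t].add(w)
    return {t: ws for t, ws in writers.items() if len(ws) > 1}


def build_tree(records):
    """Map each writer PID to its ordered, de-duplicated (target_pid, image) list."""
    children = defaultdict(list)
    names = {}
    for w, wname, t, tname in records:
        names.setdefault(w, wname)
        names.setdefault(t, tname)
        if (t, tname) not in children[w]:
            children[w].append((t, tname))
    return children, names


def roots(records):
    """PIDs that write but are never written to: the top of each chain."""
    writers = {w for w, _, _, _ in records}
    targets = {t for _, _, t, _ in records}
    return sorted(writers - targets)


def render(records):
    """Plain-text tree, with the per-launch entry count beside each child."""
    children, names = build_tree(records)
    counts = edge_counts(records)
    out = []

    def walk(pid, depth, note):
        out.append("  " * depth + f"{pid} {names[pid]}{note}")
        for t, _ in children[pid]:
            walk(t, depth + 1, f"  (written x{counts[(pid, t)]})")

    for r in roots(records):
        walk(r, 0, "")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_records(RAW)
    print(render(recs))
    print("cross-process writes:", cross_writes(recs) or "none")
```

Running it on the excerpt prints a single chain rooted at PID 1388 and no cross-process writes, which is the result expected for plain process creation.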
Processes

Sequence, reconstructed from the tree below (behavioral1, Windows 7): the sample takes ownership of C:\ldrscan\bootwin and grants Everyone (*S-1-1-0) full control, and does so twice; installs the license file C:\Acer.XRM-MS (slmgr.vbs -ilc) and a product key (slmgr.vbs -ipk) through cscript.exe; uncompresses a file addressed by volume GUID path with compact /u; runs the dropped C:\bootsect.exe with /nt60 SYS /force, which writes BOOTMGR-compatible boot code to the system partition; then reboots immediately with shutdown -r -t 0. The two slmgr launches go through the 64-bit C:\Windows\system32\cmd.exe, while every other child is the WOW64 cmd.exe. PIDs in parentheses are taken from the signature tables above where the report records them; 1008 and 1680 are reused during the run (icacls.exe then bootsect.exe; cmd.exe then shutdown.exe). Indentation shows depth.

C:\Users\Admin\AppData\Local\Temp\Activator WinLoader.exe  (PID 1388)
  "C:\Users\Admin\AppData\Local\Temp\Activator WinLoader.exe"
  - Checks BIOS information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 1868)
    cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 332)
      cmd.exe /c takeown /f C:\ldrscan\bootwin
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\takeown.exe  (PID 1536)
        takeown /f C:\ldrscan\bootwin
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 1540)
    cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe  (PID 1008)
      icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe  (PID 1680)
    cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1820)
      cmd.exe /c takeown /f C:\ldrscan\bootwin
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\takeown.exe  (PID 2016)
        takeown /f C:\ldrscan\bootwin
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 1164)
    cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe  (PID 1324)
      icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe  (PID 848)
    cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cscript.exe  (PID 1448)
      C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"

  C:\Windows\system32\cmd.exe  (PID 1824)
    cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cscript.exe  (PID 316)
      C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

  C:\Windows\SysWOW64\cmd.exe  (PID 896)
    cmd.exe /A /C "compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\compact.exe  (PID 640)
      compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG

  C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

    C:\bootsect.exe  (PID 1008, reused)
      C:\bootsect.exe /nt60 SYS /force
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    cmd.exe /A /C "shutdown -r -t 0"

    C:\Windows\SysWOW64\shutdown.exe  (PID 1680, reused)
      shutdown -r -t 0
      - Suspicious use of AdjustPrivilegeToken

Top-level system processes recorded in the same run (not spawned by the sample):

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0

C:\Windows\system32\AUDIODG.EXE  (PID 1712)
  C:\Windows\system32\AUDIODG.EXE 0x558
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x1
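As an added example (not part of the report, and not code from any tool it names), the Python below transcribes the tree above into (pid, ppid, image, command line) records and runs command-line rules over it: ACL loosening with takeown and icacls, license and key installation through slmgr.vbs, compact on a volume GUID path, bootsect rewriting boot code, and an immediate reboot. Each finding is tied back to the root of its process chain so a detection can require the chain to originate from a binary in the user's Temp folder. PIDs are the report's where it records them; the two cmd.exe wrappers it gives no PID for are assigned the hypothetical PIDs 9001 and 9002. Parent lookup searches backwards through earlier records, which is what makes the reused PIDs 1008 and 1680 resolve to the right instance.

```python
import re

# Process tree transcribed from the Processes section above (constructed input).
# PIDs are the report's where it records them. The report gives no PID for the
# cmd.exe wrappers around bootsect.exe and shutdown.exe, so those two get the
# hypothetical PIDs 9001 and 9002. Fields: (pid, ppid, image path, command line).
PROCESSES = [
    (1388, 0,    r"C:\Users\Admin\AppData\Local\Temp\Activator WinLoader.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Activator WinLoader.exe"'),
    (1868, 1388, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"'),
    (332,  1868, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c takeown /f C:\ldrscan\bootwin"),
    (1536, 332,  r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\ldrscan\bootwin"),
    (1540, 1388, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"'),
    (1008, 1540, r"C:\Windows\SysWOW64\icacls.exe", r"icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"),
    (1680, 1388, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"'),
    (1820, 1680, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c takeown /f C:\ldrscan\bootwin"),
    (2016, 1820, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\ldrscan\bootwin"),
    (1164, 1388, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"'),
    (1324, 1164, r"C:\Windows\SysWOW64\icacls.exe", r"icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"),
    (848,  1388, r"C:\Windows\system32\cmd.exe",
                 r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""'),
    (1448, 848,  r"C:\Windows\System32\cscript.exe",
                 r'C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"'),
    (1824, 1388, r"C:\Windows\system32\cmd.exe",
                 r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"'),
    (316,  1824, r"C:\Windows\System32\cscript.exe",
                 r"C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"),
    (896,  1388, r"C:\Windows\SysWOW64\cmd.exe",
                 r'cmd.exe /A /C "compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG"'),
    (640,  896,  r"C:\Windows\SysWOW64\compact.exe",
                 r"compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG"),
    (9001, 1388, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"'),
    (1008, 9001, r"C:\bootsect.exe", r"C:\bootsect.exe /nt60 SYS /force"),  # PID 1008 reused after icacls.exe exited
    (9002, 1388, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /A /C "shutdown -r -t 0"'),
    (1680, 9002, r"C:\Windows\SysWOW64\shutdown.exe", r"shutdown -r -t 0"),  # PID 1680 reused after that cmd.exe exited
]

RULES = [
    # (rule name, image basename regex, command-line regex)
    ("takeown_outside_user_profile", r"^takeown\.exe$",   r'/f\s+(?!"?C:\\Users\\)\S+'),
    ("icacls_grant_everyone_full",   r"^icacls\.exe$",    r"/grant\s+\*?S-1-1-0:\(F\)"),
    ("slmgr_license_or_key_install", r"^[cw]script\.exe$", r"slmgr\.vbs\b.*?\s-(?:ipk|ilc)\b"),
    ("compact_on_volume_guid_path",  r"^compact\.exe$",   r"/u\s+\\\\\?\\Volume\{"),
    ("bootsect_rewrites_boot_code",  r"^bootsect\.exe$",  r"/nt60\b.*?/force\b"),
    ("immediate_reboot",             r"^shutdown\.exe$",  r"(?:^|\s)[-/]r\b.*?(?:^|\s)[-/]t\s+0\b"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_index(procs, i):
    """Index of procs[i]'s parent: the nearest *earlier* record whose pid equals
    its ppid. Searching backwards makes reused PIDs (1008, 1680) resolve to the
    instance that was alive at the time rather than whichever record comes last."""
    ppid = procs[i][1]
    for j in range(i - 1, -1, -1):
        if procs[j][0] == ppid:
            return j
    return None


def ancestry(procs, i):
    """Image paths from procs[i] up to its root."""
    chain = []
    while i is not None:
        chain.append(procs[i][2])
        i = parent_index(procs, i)
    return chain


def evaluate(procs):
    """Apply RULES to every record and attach the root of its process chain."""
    findings = []
    for i, (pid, _, image, cmdline) in enumerate(procs):
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, basename(image)) and re.search(cmd_re, cmdline, re.I):
                chain = ancestry(procs, i)
                findings.append({
                    "rule": name, "pid": pid, "image": basename(image),
                    "root": basename(chain[-1]),
                    # chain launched by a binary running out of the user's Temp folder
                    "from_temp": any("\\appdata\\local\\temp\\" in p.lower() for p in chain),
                })
    return findings


if __name__ == "__main__":
    for f in evaluate(PROCESSES):
        print(f"{f['rule']:<30} pid={f['pid']:<5} {f['image']:<13} root={f['root']} temp={f['from_temp']}")
```

The rules match on the executing image rather than on the cmd.exe wrappers so each action is reported once, and on this input all nine findings chain back to the sample in AppData\Local\Temp. On a real host the same rules would need the usual exclusions (imaging and deployment tooling legitimately runs bootsect and slmgr), which is exactly why the root-of-chain context is carried in each finding.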
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Acer.XRM-MS
  Filesize: 2KB
  MD5:    f25832af6a684360950dbb15589de34a
  SHA1:   17ff1d21005c1695ae3dcbdc3435017c895fff5d
  SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
  SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f
  License file installed with slmgr.vbs -ilc (see Processes).

C:\bootsect.exe  (listed twice in the report with identical hashes)
  Filesize: 95KB
  MD5:    d20f36f1cc513de588382d03c5592f4c
  SHA1:   d675e04b0c80b29f426ff863c404f7d0dd1e8334
  SHA256: 3adc90c1b65430a89d54aff161b6e0982c20795359a21d1c6e884308f25edb83
  SHA512: f5c642f222b73983bda2d2cdb8b02d9b319d32ca3b36e7d105ca44f500768387f60e3326fb489a3f0ae3e25115bce49a272d9ad59fed766087494328c4ee6b63
  Dropped and executed as C:\bootsect.exe /nt60 SYS /force (see Processes).

\??\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG
  Filesize: 446KB
  MD5:    5b36054bbaee0ab650ccca480007a467
  SHA1:   c892bf3c04d19f5aebf9c4e52773e5b3baf846ca
  SHA256: 69f9732506342df1c05d7484be2fce49c2b6e56ffb30a3a6e1dc9dc0e5067814
  SHA512: a1ac555cbc6454f156eb1637c420ed8cf92a1bc40334f221e8ea4eafb7698d23a640aae969c8acca9666cdf859f2f4c702c36405b0e4185edb8a78bde3b66f55
  Written by volume GUID path rather than drive letter, then uncompressed with compact /u (see Processes).
Memory dumps

PID 1388 (Activator WinLoader.exe), region dumps by snapshot:
  memory/1388-54-0x0000000000400000-0x0000000000623000-memory.dmp    2.1MB  (main image; matches the upx YARA rule)
  memory/1388-55-0x0000000074AD1000-0x0000000074AD3000-memory.dmp    8KB
  memory/1388-56-0x0000000000670000-0x0000000000683000-memory.dmp    76KB
  memory/1388-64-0x0000000000690000-0x00000000006A0000-memory.dmp    64KB
  memory/1388-69-0x00000000006A0000-0x00000000006B2000-memory.dmp    72KB
  memory/1388-77-0x0000000010000000-0x0000000010021000-memory.dmp    132KB
  memory/1388-85-0x0000000001FF0000-0x0000000002001000-memory.dmp    68KB
  memory/1388-93-0x0000000001FD0000-0x0000000001FE0000-memory.dmp    64KB
  memory/1388-101-0x0000000002010000-0x0000000002020000-memory.dmp   64KB
  memory/1388-109-0x0000000002020000-0x0000000002040000-memory.dmp   128KB
  memory/1388-117-0x0000000073D31000-0x0000000073D33000-memory.dmp   8KB
  memory/1388-119-0x0000000002380000-0x0000000002523000-memory.dmp   1.6MB
  memory/1388-132-0x0000000000400000-0x0000000000623000-memory.dmp   2.1MB  (main image; matches the upx YARA rule)
  memory/1388-149-0x0000000000400000-0x0000000000623000-memory.dmp   2.1MB  (main image; matches the upx YARA rule)

Mapping dumps for spawned processes (no region recorded), with the process the PID belongs to according to the signature tables:
  memory/1868-121-0x0000000000000000-mapping.dmp   cmd.exe
  memory/332-122-0x0000000000000000-mapping.dmp    cmd.exe
  memory/1536-123-0x0000000000000000-mapping.dmp   takeown.exe
  memory/1540-124-0x0000000000000000-mapping.dmp   cmd.exe
  memory/1008-125-0x0000000000000000-mapping.dmp   icacls.exe
  memory/1680-126-0x0000000000000000-mapping.dmp   cmd.exe
  memory/1820-127-0x0000000000000000-mapping.dmp   cmd.exe
  memory/2016-128-0x0000000000000000-mapping.dmp   takeown.exe
  memory/1164-129-0x0000000000000000-mapping.dmp   cmd.exe
  memory/1324-130-0x0000000000000000-mapping.dmp   icacls.exe
  memory/848-131-0x0000000000000000-mapping.dmp    cmd.exe
  memory/1448-133-0x0000000000000000-mapping.dmp   cscript.exe
  memory/1824-135-0x0000000000000000-mapping.dmp   cmd.exe
  memory/316-136-0x0000000000000000-mapping.dmp    cscript.exe
  memory/896-137-0x0000000000000000-mapping.dmp    cmd.exe
  memory/640-138-0x0000000000000000-mapping.dmp    compact.exe
  memory/1292-141-0x0000000000000000-mapping.dmp   cmd.exe
  memory/1008-143-0x0000000000000000-mapping.dmp   bootsect.exe (PID 1008 reused after icacls.exe)
  memory/1556-146-0x0000000000000000-mapping.dmp   (no process name recorded for this PID in the report)
  memory/1680-147-0x0000000000000000-mapping.dmp   shutdown.exe (PID 1680 reused after cmd.exe)