2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

Reason

Machine shutdown

General

Target

Activator WinLoader.exe
Size

3.8MB
MD5

323c0fd51071400b51eedb1be90a8188
SHA1

0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256

2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512

4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e
SSDEEP

49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bootsect.exe

pid process

1008 bootsect.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1536 takeown.exe
1008 icacls.exe
2016 takeown.exe
1324 icacls.exe

pid	process
1008	bootsect.exe

pid	process
1536	takeown.exe
1008	icacls.exe
2016	takeown.exe
1324	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1388-54-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1388-132-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1388-149-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Activator WinLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator WinLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Activator WinLoader.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1536 takeown.exe
1008 icacls.exe
2016 takeown.exe
1324 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1536	takeown.exe
1008	icacls.exe
2016	takeown.exe
1324	icacls.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Activator WinLoader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Activator WinLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Activator WinLoader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Activator WinLoader.exe

pid process

1388 Activator WinLoader.exe

pid	process
1388	Activator WinLoader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Activator WinLoader.exetakeown.exetakeown.exeshutdown.exeAUDIODG.EXE

description	pid	process
Token: 33	1388	Activator WinLoader.exe
Token: SeIncBasePriorityPrivilege	1388	Activator WinLoader.exe
Token: 33	1388	Activator WinLoader.exe
Token: SeIncBasePriorityPrivilege	1388	Activator WinLoader.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeShutdownPrivilege	1680	shutdown.exe
Token: SeRemoteShutdownPrivilege	1680	shutdown.exe
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Activator WinLoader.exe

pid process

1388 Activator WinLoader.exe

pid	process
1388	Activator WinLoader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Activator WinLoader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 1868	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1868	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1868	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1868	1388	Activator WinLoader.exe	cmd.exe
PID 1868 wrote to memory of 332	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 332	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 332	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 332	1868	cmd.exe	cmd.exe
PID 332 wrote to memory of 1536	332	cmd.exe	takeown.exe
PID 332 wrote to memory of 1536	332	cmd.exe	takeown.exe
PID 332 wrote to memory of 1536	332	cmd.exe	takeown.exe
PID 332 wrote to memory of 1536	332	cmd.exe	takeown.exe
PID 1388 wrote to memory of 1540	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1540	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1540	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1540	1388	Activator WinLoader.exe	cmd.exe
PID 1540 wrote to memory of 1008	1540	cmd.exe	icacls.exe
PID 1540 wrote to memory of 1008	1540	cmd.exe	icacls.exe
PID 1540 wrote to memory of 1008	1540	cmd.exe	icacls.exe
PID 1540 wrote to memory of 1008	1540	cmd.exe	icacls.exe
PID 1388 wrote to memory of 1680	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	Activator WinLoader.exe	cmd.exe
PID 1680 wrote to memory of 1820	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 1820	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 1820	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 1820	1680	cmd.exe	cmd.exe
PID 1820 wrote to memory of 2016	1820	cmd.exe	takeown.exe
PID 1820 wrote to memory of 2016	1820	cmd.exe	takeown.exe
PID 1820 wrote to memory of 2016	1820	cmd.exe	takeown.exe
PID 1820 wrote to memory of 2016	1820	cmd.exe	takeown.exe
PID 1388 wrote to memory of 1164	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1164	1388	Activator WinLoader.exe	cmd.exe
PID 1164 wrote to memory of 1324	1164	cmd.exe	icacls.exe
PID 1164 wrote to memory of 1324	1164	cmd.exe	icacls.exe
PID 1164 wrote to memory of 1324	1164	cmd.exe	icacls.exe
PID 1164 wrote to memory of 1324	1164	cmd.exe	icacls.exe
PID 1388 wrote to memory of 848	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 848	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 848	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 848	1388	Activator WinLoader.exe	cmd.exe
PID 848 wrote to memory of 1448	848	cmd.exe	cscript.exe
PID 848 wrote to memory of 1448	848	cmd.exe	cscript.exe
PID 848 wrote to memory of 1448	848	cmd.exe	cscript.exe
PID 1388 wrote to memory of 1824	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1824	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1824	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1824	1388	Activator WinLoader.exe	cmd.exe
PID 1824 wrote to memory of 316	1824	cmd.exe	cscript.exe
PID 1824 wrote to memory of 316	1824	cmd.exe	cscript.exe
PID 1824 wrote to memory of 316	1824	cmd.exe	cscript.exe
PID 1388 wrote to memory of 896	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 896	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 896	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 896	1388	Activator WinLoader.exe	cmd.exe
PID 896 wrote to memory of 640	896	cmd.exe	compact.exe
PID 896 wrote to memory of 640	896	cmd.exe	compact.exe
PID 896 wrote to memory of 640	896	cmd.exe	compact.exe
PID 896 wrote to memory of 640	896	cmd.exe	compact.exe
PID 1388 wrote to memory of 1292	1388	Activator WinLoader.exe	cmd.exe
PID 1388 wrote to memory of 1292	1388	Activator WinLoader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Activator WinLoader.exe
"C:\Users\Admin\AppData\Local\Temp\Activator WinLoader.exe"
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
3⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
3⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1324

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
3⤵
PID:1448

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
3⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG"
2⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\compact.exe
compact /u \\?\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG
3⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
2⤵
PID:1292

C:\bootsect.exe
C:\bootsect.exe /nt60 SYS /force
3⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "shutdown -r -t 0"
2⤵
PID:1556

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS
Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\bootsect.exe
Filesize
95KB

MD5
d20f36f1cc513de588382d03c5592f4c

SHA1
d675e04b0c80b29f426ff863c404f7d0dd1e8334

SHA256
3adc90c1b65430a89d54aff161b6e0982c20795359a21d1c6e884308f25edb83

SHA512
f5c642f222b73983bda2d2cdb8b02d9b319d32ca3b36e7d105ca44f500768387f60e3326fb489a3f0ae3e25115bce49a272d9ad59fed766087494328c4ee6b63

Download Submit
C:\bootsect.exe
Filesize
95KB

MD5
d20f36f1cc513de588382d03c5592f4c

SHA1
d675e04b0c80b29f426ff863c404f7d0dd1e8334

SHA256
3adc90c1b65430a89d54aff161b6e0982c20795359a21d1c6e884308f25edb83

SHA512
f5c642f222b73983bda2d2cdb8b02d9b319d32ca3b36e7d105ca44f500768387f60e3326fb489a3f0ae3e25115bce49a272d9ad59fed766087494328c4ee6b63

Download Submit
\??\Volume{6abee743-1a82-11ed-8290-806e6f6e6963}\WNZJG
Filesize
446KB

MD5
5b36054bbaee0ab650ccca480007a467

SHA1
c892bf3c04d19f5aebf9c4e52773e5b3baf846ca

SHA256
69f9732506342df1c05d7484be2fce49c2b6e56ffb30a3a6e1dc9dc0e5067814

SHA512
a1ac555cbc6454f156eb1637c420ed8cf92a1bc40334f221e8ea4eafb7698d23a640aae969c8acca9666cdf859f2f4c702c36405b0e4185edb8a78bde3b66f55

Download Submit
memory/316-136-0x0000000000000000-mapping.dmp

Download
memory/332-122-0x0000000000000000-mapping.dmp

Download
memory/640-138-0x0000000000000000-mapping.dmp

Download
memory/848-131-0x0000000000000000-mapping.dmp

Download
memory/896-137-0x0000000000000000-mapping.dmp

Download
memory/1008-143-0x0000000000000000-mapping.dmp

Download
memory/1008-125-0x0000000000000000-mapping.dmp

Download
memory/1164-129-0x0000000000000000-mapping.dmp

Download
memory/1292-141-0x0000000000000000-mapping.dmp

Download
memory/1324-130-0x0000000000000000-mapping.dmp

Download
memory/1388-109-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/1388-77-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1388-149-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1388-55-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x0000000000670000-0x0000000000683000-memory.dmp

Filesize
76KB

Download
memory/1388-64-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/1388-69-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1388-119-0x0000000002380000-0x0000000002523000-memory.dmp

Filesize
1.6MB

Download
memory/1388-117-0x0000000073D31000-0x0000000073D33000-memory.dmp

Filesize
8KB

Download
memory/1388-132-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1388-85-0x0000000001FF0000-0x0000000002001000-memory.dmp

Filesize
68KB

Download
memory/1388-54-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1388-93-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

Filesize
64KB

Download
memory/1388-101-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/1448-133-0x0000000000000000-mapping.dmp

Download
memory/1536-123-0x0000000000000000-mapping.dmp

Download
memory/1540-124-0x0000000000000000-mapping.dmp

Download
memory/1556-146-0x0000000000000000-mapping.dmp

Download
memory/1680-126-0x0000000000000000-mapping.dmp

Download
memory/1680-147-0x0000000000000000-mapping.dmp

Download
memory/1820-127-0x0000000000000000-mapping.dmp

Download
memory/1824-135-0x0000000000000000-mapping.dmp

Download
memory/1868-121-0x0000000000000000-mapping.dmp

Download
memory/2016-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads