12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f

Analysis

max time kernel
102s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe
Size

1.1MB
MD5

3528d9ced53167c7ccebd341317003bd
SHA1

661a09db9e54cbddd8fe975f744198fe10fabec2
SHA256

12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f
SHA512

b12ab84b2e97ed6fcb1ec00b72e724261ad87eb7e5f231774e3b9e454e63e904d1f3a9ed56ae22949f5be8eb1e20e26bc8372f3cecaa87a8b90685c7595a4b7a
SSDEEP

24576:QaHMv6Corjqny/Qq7sh01NNbPq6rcvLPdGWl:Q1vqjd/Qq7shYdyLPdB

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
548	netsh.exe
1196	netsh.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1244	sc.exe
628	sc.exe
1792	sc.exe
692	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe
1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1196	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	28
PID 1364 wrote to memory of 1196	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	28
PID 1364 wrote to memory of 1196	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	28
PID 1364 wrote to memory of 1196	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	28
PID 1364 wrote to memory of 548	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	30
PID 1364 wrote to memory of 548	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	30
PID 1364 wrote to memory of 548	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	30
PID 1364 wrote to memory of 548	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	30
PID 1364 wrote to memory of 1792	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	32
PID 1364 wrote to memory of 1792	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	32
PID 1364 wrote to memory of 1792	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	32
PID 1364 wrote to memory of 1792	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	32
PID 1364 wrote to memory of 692	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	34
PID 1364 wrote to memory of 692	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	34
PID 1364 wrote to memory of 692	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	34
PID 1364 wrote to memory of 692	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	34
PID 1364 wrote to memory of 920	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	36
PID 1364 wrote to memory of 920	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	36
PID 1364 wrote to memory of 920	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	36
PID 1364 wrote to memory of 920	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	36
PID 1364 wrote to memory of 1244	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	39
PID 1364 wrote to memory of 1244	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	39
PID 1364 wrote to memory of 1244	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	39
PID 1364 wrote to memory of 1244	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	39
PID 1364 wrote to memory of 628	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	42
PID 1364 wrote to memory of 628	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	42
PID 1364 wrote to memory of 628	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	42
PID 1364 wrote to memory of 628	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	42
PID 1364 wrote to memory of 880	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	44
PID 1364 wrote to memory of 880	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	44
PID 1364 wrote to memory of 880	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	44
PID 1364 wrote to memory of 880	1364	12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe	44

C:\Users\Admin\AppData\Local\Temp\12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe
"C:\Users\Admin\AppData\Local\Temp\12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=aktivator dir=in program="C:\Users\Admin\AppData\Local\Temp\12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe" action=block
  2⤵
  - Modifies Windows Firewall
  PID:1196
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=aktivator dir=out program="C:\Users\Admin\AppData\Local\Temp\12589c822bd96fe55319df6c84904ddb3bd12d41ace5122d1676a47455816f1f.exe" action=block
  2⤵
  - Modifies Windows Firewall
  PID:548
- C:\Windows\SysWOW64\sc.exe
  sc start sppsvc
  2⤵
  - Launches sc.exe
  PID:1792
- C:\Windows\SysWOW64\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:692
- C:\Windows\SysWOW64\cscript.exe
  cscript //nologo "C:\Users\Admin\AppData\Local\Temp\KMSVLACT\slmgr.vbs" /dli
  2⤵
  PID:920
- C:\Windows\SysWOW64\sc.exe
  sc start osppsvc
  2⤵
  - Launches sc.exe
  PID:1244
- C:\Windows\SysWOW64\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:628
- C:\Windows\SysWOW64\cscript.exe
  cscript //nologo "C:\Users\Admin\AppData\Local\Temp\KMSVLACT\ospp.vbs" /dstatus
  2⤵
  PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KMSVLACT\ospp.vbs

Filesize
47KB

MD5
0d2463b9893ebc2b4b3aef7498c10954

SHA1
f04bd5a001e3e3704d253c1e2903bc51f19f8aaf

SHA256
8ecd463bf533da991e6df068edd392d57bd08b88d9531eb52abcdbd9e7064ed3

SHA512
3011ca344026902f8ce153f433583cca108a8af90e26fca21f1c3a0dc38530dea339e02944dbba86abab2d5c285a6891fbc575999f04df50ab6449092949f569

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSVLACT\slerror.xml

Filesize
32KB

MD5
df1ef05879e06c5f09f3e1022f37b5cb

SHA1
23aaac40baec28397bb59cfa584e165062d18506

SHA256
d49adf2dabbbf6aa43ce4e336af4f768207df75302ebf568a94a5350aac988c5

SHA512
78f0d21538483d3bac9d8b409554ac89a98a4943666f0ff88207831ab3e1d264c2efa0ea0e4703375aa15516809353f9b7477561a0a4ffe0b930b3e39f8b7e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSVLACT\slmgr.vbs

Filesize
110KB

MD5
7a62d50fa21f5db1e2dc32b96faaad96

SHA1
990d7568b4406986aa0aeb46244ca8ff7aa6b1cf

SHA256
ceacbe164006ab4ab271d27321269b47eb98d54481ea0fa6d47f0e60676911b1

SHA512
48cdf12ec2f91398b7eceff350814f1719d0888c84e5930e6432e2b008a3a515e534335e997957eea9354f45304005c7f8dd9aebc96f02e877b5b4fccc8e0e8b

Download Submit
memory/548-57-0x0000000000000000-mapping.dmp

Download
memory/628-65-0x0000000000000000-mapping.dmp

Download
memory/692-60-0x0000000000000000-mapping.dmp

Download
memory/880-66-0x0000000000000000-mapping.dmp

Download
memory/920-61-0x0000000000000000-mapping.dmp

Download
memory/1196-55-0x0000000000000000-mapping.dmp

Download
memory/1244-64-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/1792-59-0x0000000000000000-mapping.dmp

Download