Analysis
- max time kernel: 67s
- max time network: 69s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 02-04-2023 23:30
Errors
General
- Target: Windows 7 Activation.exe
- Size: 3.8MB
- MD5: 3976bd5fcbb7cd13f0c12bb69afc2adc
- SHA1: 3b6bdca414a53df7c8c5096b953c4df87a1091c7
- SHA256: bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
- SHA512: 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341
- SSDEEP: 49152:wEYCFEfn+4NWcNKg/ngk4mY0bI1Wymfgvn81yJffTpuWV355FXw/+cuWV355FXwm:wEYz38cgg/ngk4mYfA7fgvn812nv
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  - 1484 takeown.exe
  - 692 icacls.exe
  - 572 takeown.exe
  - 1596 icacls.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Windows 7 Activation.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Windows 7 Activation.exe
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1604 bootsect.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process):
  - 1484 takeown.exe
  - 692 icacls.exe
  - 572 takeown.exe
  - 1596 icacls.exe
- Processes (resource, yara_rule):
  - behavioral1/memory/1260-116-0x0000000000400000-0x0000000000623000-memory.dmp | upx
  - behavioral1/memory/1260-118-0x0000000000400000-0x0000000000623000-memory.dmp | upx
  - behavioral1/memory/1260-119-0x0000000000400000-0x0000000000623000-memory.dmp | upx
  - behavioral1/memory/1260-120-0x0000000000400000-0x0000000000623000-memory.dmp | upx
  - behavioral1/memory/1260-121-0x0000000000400000-0x0000000000623000-memory.dmp | upx
  - behavioral1/memory/1260-139-0x0000000000400000-0x0000000000623000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Windows 7 Activation.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Windows 7 Activation.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  - 1260 Windows 7 Activation.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description, pid, process):
  - Token: 33 | 1260 | Windows 7 Activation.exe
  - Token: SeIncBasePriorityPrivilege | 1260 | Windows 7 Activation.exe
  - Token: 33 | 1260 | Windows 7 Activation.exe
  - Token: SeIncBasePriorityPrivilege | 1260 | Windows 7 Activation.exe
  - Token: 33 | 1736 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 1736 | AUDIODG.EXE
  - Token: 33 | 1736 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 1736 | AUDIODG.EXE
  - Token: SeTakeOwnershipPrivilege | 1484 | takeown.exe
  - Token: SeTakeOwnershipPrivilege | 572 | takeown.exe
  - Token: SeShutdownPrivilege | 1176 | shutdown.exe
  - Token: SeRemoteShutdownPrivilege | 1176 | shutdown.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 1260 Windows 7 Activation.exe
  - 1260 Windows 7 Activation.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process; identical consecutive rows collapsed, count in last column):
  - PID 1260 wrote to memory of 1488 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 1488 wrote to memory of 1480 | 1488 | cmd.exe | cmd.exe | x4
  - PID 1480 wrote to memory of 1484 | 1480 | cmd.exe | takeown.exe | x4
  - PID 1260 wrote to memory of 1640 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 1640 wrote to memory of 692 | 1640 | cmd.exe | icacls.exe | x4
  - PID 1260 wrote to memory of 1768 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 1768 wrote to memory of 844 | 1768 | cmd.exe | cmd.exe | x4
  - PID 844 wrote to memory of 572 | 844 | cmd.exe | takeown.exe | x4
  - PID 1260 wrote to memory of 1752 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 1752 wrote to memory of 1596 | 1752 | cmd.exe | icacls.exe | x4
  - PID 1260 wrote to memory of 556 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 556 wrote to memory of 1880 | 556 | cmd.exe | cscript.exe | x3
  - PID 1260 wrote to memory of 1348 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 1348 wrote to memory of 324 | 1348 | cmd.exe | cscript.exe | x3
  - PID 1260 wrote to memory of 1636 | 1260 | Windows 7 Activation.exe | cmd.exe | x4
  - PID 1636 wrote to memory of 1884 | 1636 | cmd.exe | compact.exe | x4
  - PID 1260 wrote to memory of 1396 | 1260 | Windows 7 Activation.exe | cmd.exe | x2
Processes
(tree depth in brackets; each entry gives image path, command line, and the signatures that fired on that process)
- [1] C:\Users\Admin\AppData\Local\Temp\Windows 7 Activation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Windows 7 Activation.exe"
  - Checks BIOS information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\ldrscan\bootwin
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\ldrscan\bootwin
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "compact /u \\?\Volume{df1e4d43-b192-11ed-9598-806e6f6e6963}\ECDRZ"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\compact.exe
      Command line: compact /u \\?\Volume{df1e4d43-b192-11ed-9598-806e6f6e6963}\ECDRZ
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
    - [3] C:\bootsect.exe
      Command line: C:\bootsect.exe /nt60 SYS /force
      - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "shutdown -r -t 0"
    - [3] C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown -r -t 0
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x584
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Acer.XRM-MS
  Filesize: 2KB
  MD5: f25832af6a684360950dbb15589de34a
  SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
  SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
  SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f
- C:\bootsect.exe
  Filesize: 95KB
  MD5: b76595faf655de04068322c6874fe35c
  SHA1: a1d4c505a751b3cec5e6406d71c05e565663860e
  SHA256: d4cb7789433bf1316ef1bc26b789c297c70a58aad4e270f3a95e7349646412f4
  SHA512: e70040b37a5f52e154c6855ce19df0df020f3704a0329afe6b0696784b0f86efde5929575f2c26f7f6888eabde16967c04b60814e9304024378049a63c19342a
- \??\Volume{df1e4d43-b192-11ed-9598-806e6f6e6963}\ECDRZ
  Filesize: 286KB
  MD5: 7e242ce02d5cb24b331dcca0d453790a
  SHA1: ed04af39f495e60e26e7bd5ca3cc5c3cd47e7760
  SHA256: 78ff5d2eaeb54d63ab2d4b8f912e20859efbed5630082f0c07c2738db88eb1f1
  SHA512: ea54e382c002d9ed916acebb52b7dbe49cf0241e7ba4097816ef02f9f5f5cec978e5e469bd7d5074965ecf69371bb24945bfe34f262e5282322288a09d796078
- memory/980-138-0x00000000027C0000-0x00000000027C1000-memory.dmp
  Filesize: 4KB
- memory/1260-91-0x0000000000780000-0x0000000000790000-memory.dmp
  Filesize: 64KB
- memory/1260-120-0x0000000000400000-0x0000000000623000-memory.dmp
  Filesize: 2.1MB
- memory/1260-107-0x0000000002010000-0x0000000002030000-memory.dmp
  Filesize: 128KB
- memory/1260-116-0x0000000000400000-0x0000000000623000-memory.dmp
  Filesize: 2.1MB
- memory/1260-117-0x00000000024B0000-0x000000000264A000-memory.dmp
  Filesize: 1.6MB
- memory/1260-118-0x0000000000400000-0x0000000000623000-memory.dmp
  Filesize: 2.1MB
- memory/1260-119-0x0000000000400000-0x0000000000623000-memory.dmp
  Filesize: 2.1MB
- memory/1260-99-0x0000000002000000-0x0000000002010000-memory.dmp
  Filesize: 64KB
- memory/1260-121-0x0000000000400000-0x0000000000623000-memory.dmp
  Filesize: 2.1MB
- memory/1260-54-0x0000000000760000-0x0000000000773000-memory.dmp
  Filesize: 76KB
- memory/1260-83-0x0000000001FE0000-0x0000000001FF1000-memory.dmp
  Filesize: 68KB
- memory/1260-75-0x0000000010000000-0x0000000010021000-memory.dmp
  Filesize: 132KB
- memory/1260-67-0x00000000007A0000-0x00000000007B2000-memory.dmp
  Filesize: 72KB
- memory/1260-139-0x0000000000400000-0x0000000000623000-memory.dmp
  Filesize: 2.1MB
- memory/1260-62-0x0000000000630000-0x0000000000640000-memory.dmp
  Filesize: 64KB
- memory/1640-140-0x0000000002760000-0x0000000002761000-memory.dmp
  Filesize: 4KB