Analysis
-
max time kernel
67s -
max time network
69s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
02-04-2023 23:30
Errors
General
-
Target
Windows 7 Activation.exe
-
Size
3.8MB
-
MD5
3976bd5fcbb7cd13f0c12bb69afc2adc
-
SHA1
3b6bdca414a53df7c8c5096b953c4df87a1091c7
-
SHA256
bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
-
SHA512
0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341
-
SSDEEP
49152:wEYCFEfn+4NWcNKg/ngk4mY0bI1Wymfgvn81yJffTpuWV355FXw/+cuWV355FXwm:wEYz38cgg/ngk4mYfA7fgvn812nv
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Windows 7 Activation.exe"C:\Users\Admin\AppData\Local\Temp\Windows 7 Activation.exe"1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c takeown /f C:\ldrscan\bootwin3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ldrscan\bootwin4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c takeown /f C:\ldrscan\bootwin3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\ldrscan\bootwin4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.execmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cscript.exeC:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"3⤵
-
C:\Windows\system32\cmd.execmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cscript.exeC:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR23⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "compact /u \\?\Volume{df1e4d43-b192-11ed-9598-806e6f6e6963}\ECDRZ"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\compact.execompact /u \\?\Volume{df1e4d43-b192-11ed-9598-806e6f6e6963}\ECDRZ3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"2⤵
-
C:\bootsect.exeC:\bootsect.exe /nt60 SYS /force3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /A /C "shutdown -r -t 0"2⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5841⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Acer.XRM-MSFilesize
2KB
MD5f25832af6a684360950dbb15589de34a
SHA117ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f
-
C:\bootsect.exeFilesize
95KB
MD5b76595faf655de04068322c6874fe35c
SHA1a1d4c505a751b3cec5e6406d71c05e565663860e
SHA256d4cb7789433bf1316ef1bc26b789c297c70a58aad4e270f3a95e7349646412f4
SHA512e70040b37a5f52e154c6855ce19df0df020f3704a0329afe6b0696784b0f86efde5929575f2c26f7f6888eabde16967c04b60814e9304024378049a63c19342a
-
C:\bootsect.exeFilesize
95KB
MD5b76595faf655de04068322c6874fe35c
SHA1a1d4c505a751b3cec5e6406d71c05e565663860e
SHA256d4cb7789433bf1316ef1bc26b789c297c70a58aad4e270f3a95e7349646412f4
SHA512e70040b37a5f52e154c6855ce19df0df020f3704a0329afe6b0696784b0f86efde5929575f2c26f7f6888eabde16967c04b60814e9304024378049a63c19342a
-
\??\Volume{df1e4d43-b192-11ed-9598-806e6f6e6963}\ECDRZFilesize
286KB
MD57e242ce02d5cb24b331dcca0d453790a
SHA1ed04af39f495e60e26e7bd5ca3cc5c3cd47e7760
SHA25678ff5d2eaeb54d63ab2d4b8f912e20859efbed5630082f0c07c2738db88eb1f1
SHA512ea54e382c002d9ed916acebb52b7dbe49cf0241e7ba4097816ef02f9f5f5cec978e5e469bd7d5074965ecf69371bb24945bfe34f262e5282322288a09d796078
-
memory/980-138-0x00000000027C0000-0x00000000027C1000-memory.dmpFilesize
4KB
-
memory/1260-91-0x0000000000780000-0x0000000000790000-memory.dmpFilesize
64KB
-
memory/1260-120-0x0000000000400000-0x0000000000623000-memory.dmpFilesize
2.1MB
-
memory/1260-107-0x0000000002010000-0x0000000002030000-memory.dmpFilesize
128KB
-
memory/1260-116-0x0000000000400000-0x0000000000623000-memory.dmpFilesize
2.1MB
-
memory/1260-117-0x00000000024B0000-0x000000000264A000-memory.dmpFilesize
1.6MB
-
memory/1260-118-0x0000000000400000-0x0000000000623000-memory.dmpFilesize
2.1MB
-
memory/1260-119-0x0000000000400000-0x0000000000623000-memory.dmpFilesize
2.1MB
-
memory/1260-99-0x0000000002000000-0x0000000002010000-memory.dmpFilesize
64KB
-
memory/1260-121-0x0000000000400000-0x0000000000623000-memory.dmpFilesize
2.1MB
-
memory/1260-54-0x0000000000760000-0x0000000000773000-memory.dmpFilesize
76KB
-
memory/1260-83-0x0000000001FE0000-0x0000000001FF1000-memory.dmpFilesize
68KB
-
memory/1260-75-0x0000000010000000-0x0000000010021000-memory.dmpFilesize
132KB
-
memory/1260-67-0x00000000007A0000-0x00000000007B2000-memory.dmpFilesize
72KB
-
memory/1260-139-0x0000000000400000-0x0000000000623000-memory.dmpFilesize
2.1MB
-
memory/1260-62-0x0000000000630000-0x0000000000640000-memory.dmpFilesize
64KB
-
memory/1640-140-0x0000000002760000-0x0000000002761000-memory.dmpFilesize
4KB