Analysis
  max time kernel: 278s
  max time network: 315s
  platform: windows10-2004_x64
  resource: win10v2004-20231023-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/11/2023, 14:50
Behavioral tasks
  behavioral1: Activator/ConsoleAct_2.3.exe on win7-20231023-en
  behavioral2: Activator/ConsoleAct_2.3.exe on win10v2004-20231023-en
  behavioral3: Activator/Microsoft_Toolkit_2.6.4.exe on win7-20231023-en
  behavioral4: Activator/Microsoft_Toolkit_2.6.4.exe on win10v2004-20231020-en
  behavioral5: Activator/W10_Digital_Activation_1.3.7.exe on win7-20231023-en
  behavioral6: Activator/W10_Digital_Activation_1.3.7.exe on win10v2004-20231020-en
General
  Target: Activator/ConsoleAct_2.3.exe
  Size: 856KB
  MD5: e5b2c576f778dbfd501d7b3dc29d1c89
  SHA1: 0d7a583ace8a0c598dde33b0b4fc8c3b74111fbd
  SHA256: 3bb2533f9465a9c3e8e0c4491a194fe139aefb0c75e91537fb2b1b59e66ec43a
  SHA512: dfbbff1cdef6412a448a4ea63796c3e09dc25bbbb163a9c1da38342478c2c31f2b7e4f6b184fb52b841c0540b859f871b3e3001bf8132fc6fcd81f6f57911aab
  SSDEEP: 24576:nJr6ro7aR6pqUxfop9228fRrcoH3y/+3fT92:nJrb7aYYUx02227y/+PTU
Malware Config
Signatures
  yara rule "upx" matched on the following resources (behavioral2, PID 1424, memory region 0x0000000140000000-0x00000001401E4000):
    behavioral2/memory/1424-0-0x0000000140000000-0x00000001401E4000-memory.dmp
    behavioral2/memory/1424-1-0x0000000140000000-0x00000001401E4000-memory.dmp
    behavioral2/memory/1424-4-0x0000000140000000-0x00000001401E4000-memory.dmp
    behavioral2/memory/1424-5-0x0000000140000000-0x00000001401E4000-memory.dmp
    behavioral2/memory/1424-6-0x0000000140000000-0x00000001401E4000-memory.dmp
    behavioral2/memory/1424-8-0x0000000140000000-0x00000001401E4000-memory.dmp
    behavioral2/memory/1424-9-0x0000000140000000-0x00000001401E4000-memory.dmp
  Suspicious use of AdjustPrivilegeToken (64 IoCs)
    Privilege sequence enabled by each WMIC.exe process:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    PID 444 (WMIC.exe): the sequence above, recorded twice (42 entries)
    PID 2152 (WMIC.exe): the sequence above once, followed by one further SeIncreaseQuotaPrivilege (22 entries)
  Suspicious use of WriteProcessMemory (18 IoCs; each write is recorded twice)
    PID 1424 (ConsoleAct_2.3.exe) wrote to memory of 4732, procid_target 88
    PID 1424 (ConsoleAct_2.3.exe) wrote to memory of 892, procid_target 90
    PID 4732 (cmd.exe) wrote to memory of 444, procid_target 91
    PID 1424 (ConsoleAct_2.3.exe) wrote to memory of 1476, procid_target 95
    PID 1476 (cmd.exe) wrote to memory of 2152, procid_target 97
    PID 1424 (ConsoleAct_2.3.exe) wrote to memory of 4408, procid_target 98
    PID 4408 (cmd.exe) wrote to memory of 2508, procid_target 100
    PID 1424 (ConsoleAct_2.3.exe) wrote to memory of 2248, procid_target 102
    PID 2248 (cmd.exe) wrote to memory of 4832, procid_target 103
Processes (indentation shows parent/child depth)
  [1] C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe"
      PID: 1424
      Signatures: Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe"
        PID: 4732
        Signatures: Suspicious use of WriteProcessMemory
      [3] C:\Windows\System32\Wbem\WMIC.exe
          Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe"
          PID: 444
          Signatures: Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
        PID: 892
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\Act.dll"
        PID: 1476
        Signatures: Suspicious use of WriteProcessMemory
      [3] C:\Windows\System32\Wbem\WMIC.exe
          Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\Act.dll"
          PID: 2152
          Signatures: Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
        PID: 4408
        Signatures: Suspicious use of WriteProcessMemory
      [3] C:\Windows\System32\Wbem\WMIC.exe
          Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
          PID: 2508
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
        PID: 2248
        Signatures: Suspicious use of WriteProcessMemory
      [3] C:\Windows\System32\Wbem\WMIC.exe
          Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
          PID: 4832