Analysis

  • max time kernel
    278s
  • max time network
    315s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2023, 14:50 UTC

General

  • Target

    Activator/ConsoleAct_2.3.exe

  • Size

    856KB

  • MD5

    e5b2c576f778dbfd501d7b3dc29d1c89

  • SHA1

    0d7a583ace8a0c598dde33b0b4fc8c3b74111fbd

  • SHA256

    3bb2533f9465a9c3e8e0c4491a194fe139aefb0c75e91537fb2b1b59e66ec43a

  • SHA512

    dfbbff1cdef6412a448a4ea63796c3e09dc25bbbb163a9c1da38342478c2c31f2b7e4f6b184fb52b841c0540b859f871b3e3001bf8132fc6fcd81f6f57911aab

  • SSDEEP

    24576:nJr6ro7aR6pqUxfop9228fRrcoH3y/+3fT92:nJrb7aYYUx02227y/+PTU

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\ConsoleAct_2.3.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
      2⤵
      PID:892
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\Act.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activator\Act.dll"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
        3⤵
        PID:2508
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
        3⤵
        PID:4832

Network

  • DNS 76.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 76.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 133.113.22.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.113.22.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 21.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 21.236.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 51.86.100.95.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 51.86.100.95.in-addr.arpa IN PTR
    Response: 51.86.100.95.in-addr.arpa IN PTR a95-100-86-51.deploy.static.akamaitechnologies.com
  • DNS 5.173.189.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 5.173.189.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 103.169.127.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 103.169.127.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 198.187.3.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 183.59.114.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 183.59.114.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 219.74.101.95.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 219.74.101.95.in-addr.arpa IN PTR
    Response: 219.74.101.95.in-addr.arpa IN PTR a95-101-74-219.deploy.static.akamaitechnologies.com
  • DNS 23.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 23.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 226.173.246.72.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 226.173.246.72.in-addr.arpa IN PTR
    Response: 226.173.246.72.in-addr.arpa IN PTR a72-246-173-226.deploy.static.akamaitechnologies.com
  Remote address  Domain (DNS request)         Protocol  Sent   Received  Sent  Received
                                                         (bytes)          (count)
  8.8.8.8:53      76.32.126.40.in-addr.arpa    dns       71 B   157 B     1     1
  8.8.8.8:53      133.113.22.20.in-addr.arpa   dns       72 B   158 B     1     1
  8.8.8.8:53      21.236.111.52.in-addr.arpa   dns       72 B   158 B     1     1
  8.8.8.8:53      51.86.100.95.in-addr.arpa    dns       71 B   135 B     1     1
  8.8.8.8:53      5.173.189.20.in-addr.arpa    dns       71 B   157 B     1     1
  8.8.8.8:53      103.169.127.40.in-addr.arpa  dns       73 B   147 B     1     1
  8.8.8.8:53      198.187.3.20.in-addr.arpa    dns       71 B   157 B     1     1
  8.8.8.8:53      183.59.114.20.in-addr.arpa   dns       72 B   158 B     1     1
  8.8.8.8:53      219.74.101.95.in-addr.arpa   dns       72 B   137 B     1     1
  8.8.8.8:53      23.159.190.20.in-addr.arpa   dns       72 B   158 B     1     1
  8.8.8.8:53      226.173.246.72.in-addr.arpa  dns       73 B   139 B     1     1


MITRE ATT&CK Matrix

Downloads

  • memory/1424-0-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
  • memory/1424-1-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
  • memory/1424-4-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
  • memory/1424-5-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
  • memory/1424-6-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
  • memory/1424-8-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
  • memory/1424-9-0x0000000140000000-0x00000001401E4000-memory.dmp
    Filesize 1.9MB
