Overview

overview

8

Static

static

7

Activator/...ot.cmd

windows7-x64

1

Activator/...ot.cmd

windows10-2004-x64

8

Activator/...or.cmd

windows7-x64

8

Activator/...or.cmd

windows10-2004-x64

8

Activator/...ce.cmd

windows7-x64

8

Activator/...ce.cmd

windows10-2004-x64

8

Activator/...ws.cmd

windows7-x64

1

Activator/...ws.cmd

windows10-2004-x64

8

Activator/...TO.exe

windows7-x64

7

Activator/...TO.exe

windows10-2004-x64

7

Activator/...or.lnk

windows7-x64

1

Activator/...or.lnk

windows10-2004-x64

1

Activator/...er.exe

windows7-x64

1

Activator/...er.exe

windows10-2004-x64

1

Activator/...it.exe

windows7-x64

7

Activator/...it.exe

windows10-2004-x64

7

mini-KMS_A...NG.exe

windows7-x64

7

mini-KMS_A...NG.exe

windows10-2004-x64

7

mini-KMS_A...US.exe

windows7-x64

7

mini-KMS_A...US.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fa51dec6e30770fa9070ad824638a1fff5979d9fb8263776cea35ba88a8a6268.zip.zip

  • Size

    4.1MB

  • Sample

    231107-rwhxzsbc47

  • MD5

    6206e2b7227cc12d682cb5bf62fc3136

  • SHA1

    ecc075f708719afa856219a2dd6022bbdbcc2671

  • SHA256

    fd88ca3df8d66708e121b661fc3028fd0dfc275e88c64b8ed34b0b9b9c04b6d2

  • SHA512

    a03aed06ce5cdbf108b247433fec34d037162bdd4c6962670aec82ea6cd0da5d67ef150ddba2c32fa51806453698e34f0d5c8905b5c8cbce3caf3bab187c58eb

  • SSDEEP

    98304:VzA5Uz0hMQBbHpAJZQVF4w1rqBvKnvEv2cTOGlKG6uHatH0Z7ZR38bE:Vc500a8m4NvJ+uGt6tH0Z7go

Score
8/10
evasionpersistenceupx

Malware Config

Targets

    • Target

      Activator/ActivationNextBoot.cmd

    • Size

      1KB

    • MD5

      c99d72a4e9bc43543aac21da48e99aac

    • SHA1

      949edb7bac0cae8113eb34ada56b572d83f9f39b

    • SHA256

      ea68e8f2a77b3c180734927c2be02e3452de5fbd9c4b60e3d703ad5ab088e0a0

    • SHA512

      ea4312b6f9f2d61389d3dc743fea66a5de8083153bc82df2c4e5002518a48e8d162803027223889ebd8ae1b0adcc3e1fcd4b523c2a321497e64f6dbd1955f7ae

    Score
    8/10
    evasionpersistence

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

    • Target

      Activator/Activator.cmd

    • Size

      6KB

    • MD5

      dc603dbdb0818d657710bd9a1d6f4dc1

    • SHA1

      31cded88de90b948a10e7e7c9cb474d1434d1daa

    • SHA256

      13f30eebeda0ddda8eed126a1c7026c27cf88930d0f2a736a8375f913de27d34

    • SHA512

      64cd9fdd6f15f0fbd02d5db16d5b6ac1d7ae07ff83dd8891d561391937c7034c34298174f5a165747afa8f9bd289955d388be0c4b62b8136a2b512561ad760a3

    • SSDEEP

      96:iwprDba0kIEaiFlq4BwguGDukcF8zhPpi+4yH6dv7F0tvsmGv26FdJv30i0/Bf/f:6I2PqaTLePyH0v7QvsRvvpv3HriKFby

    Score
    8/10
    evasionpersistenceupx

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral3behavioral4

    • Target

      Activator/ActivatorOffice.cmd

    • Size

      1KB

    • MD5

      ebbf03821a2ea04ec5fb06f48675c239

    • SHA1

      154f3c4ab5bb3e46d22bbdc8f838328bdd787953

    • SHA256

      95c71bf19deb184b03124b3dbbcbbe0c98e9591eaaf249ace0eeec87ed9cb75a

    • SHA512

      6da1d2459e2428801c7405035dc5473a29b9246bec7373e92a7c96e26dcc6920359ea8b65fe7943413842c68e60750449ba5e4d6f67509e369e21dd21cde0f7d

    Score
    8/10
    evasionpersistenceupx

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral5behavioral6

    • Target

      Activator/ActivatorWindows.cmd

    • Size

      4KB

    • MD5

      60ad31f88dc50283ad7acedc7d8ef9a0

    • SHA1

      93be2e8b6e1c748c7739ac42faff8e3d3eabf7dd

    • SHA256

      5a93eb2bf9e6fb38edf42aae69007cec41360c80d982925dadd54e981ca6f9e1

    • SHA512

      ad36fb6d62bc235132e1d7380588a0f96efd2f888b4eb2e1f3bbd0d10cd8f7bee380ea59d3ad98af9ceb0c2318fed40b897ef0d51a081459350b673b9cab28a7

    • SSDEEP

      96:TLwprDbaDEa+lq4bi0/BO/B5/BZJS7LAA8zhPpi+4yH6dv7F0tvsmGv26FdJvTy:TjuqoyH0v7QvsRvvpvm

    Score
    8/10
    evasionpersistenceupx

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral7behavioral8

    • Target

      Activator/KMSAuto/KMSAUTO.EXE

    • Size

      6.2MB

    • MD5

      aa2aa549dc7c6c91ab61a06fa5a6c4e8

    • SHA1

      03cb8a9599d4e1e9ad4ccc23b644bbbfc41178eb

    • SHA256

      b4523b3fb41f739a59b55a955801037afccd193b8cc78e02f3ed1cefc6cb1680

    • SHA512

      53c7c5c9015bff6a9e5e2690bb3b6d7cfa13f1ad9b197aac2a75a3685d57f466cfc1b73a6dbc7a01f2ce688a4ae54776e02c5ab2fe164f83aac9a7b95d549e31

    • SSDEEP

      196608:TAywxyw7iywnNywwywHywWywbywmIiyw7Lzz:TdwMw7fwwwtwSwLwewhw7Lzz

    Score
    7/10

    • Executes dropped EXE

    behavioral10behavioral9

    • Target

      Activator/KMSAuto/KMSAuto - Windows & Office Activator.lnk

    • Size

      1KB

    • MD5

      a797ceb9770c3d36d23c8f16dc46a108

    • SHA1

      e46acc5ded3f8c121c424a4644f1f80359ca529f

    • SHA256

      25967436570d5aea257ee268b86eda2cfcf3a698a5bdcf09a0cb903d9aa3aea2

    • SHA512

      427aa1d5c83b21ea3a0c9694d0ed3fa96e933fa4f28b65cfd3e5c1775d0d900b7556c3571683aa025eb701d0607b117292b4a37becf96f4a80171b28cd53b5db

    Score
    1/10
    behavioral11behavioral12

    • Target

      Activator/KMSAuto/KMSCleaner.exe

    • Size

      581KB

    • MD5

      13ea767a7ba607744ebea7409b9f8649

    • SHA1

      756b3b1b4fd159256af48c9c295ebf4a25adfc21

    • SHA256

      a6e2cdc0e9426d50bd72d866bfc80e0fba941efb3ae6d1c564d409f57d1eb117

    • SHA512

      6487b630966ce1aa1ac73554e017bb436cbfd7d4390ac60f21743309a64bf8ffb999530c930cb9eca916a6b307e6e839bb41f4a7d2cc762e97b9c806c0bff322

    • SSDEEP

      6144:V43VpNSujUhXpLuB02+Dj7l3YQRmNv2MECnw1qT+TBo4iuprQiRTj8BtB8b5N1uV:VeVpN/j8LwayN3nQ8+T9VToBjW5NQK8D

    Score
    1/10
    behavioral13behavioral14

    • Target

      Activator/KMSAuto/Wait.exe

    • Size

      296KB

    • MD5

      a85ffd89412b9dd747435d65f822cfd9

    • SHA1

      d16fa8997822780310389be8e728e517e48a5cb6

    • SHA256

      d3a8f9fb39d916af178d3506ad4909211283961a47b8aab63b7b81267bd248f1

    • SHA512

      cbbfd956262e7de2c20df2dbb3bf7630594db8acdb18c988751449b4bc338534c09ecc50da739dde97d20450f24fad749a235e605c3de1773644a567b51f98d6

    • SSDEEP

      6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIN:UzcRD02J4Sq2vHGB67KWKKmDV

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral15behavioral16

    • Target

      mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe

    • Size

      1.0MB

    • MD5

      b18903f14c92f3b9d3d08ca13a39efdd

    • SHA1

      d146af98eb5ce7a3ecbff8163eef002458a1f442

    • SHA256

      aa00aad043d88370e5225a1dabae3ea49cc703a9575edd41f24263b013c2f949

    • SHA512

      ea179a625c8fe9eeec5920fbfb868966c6605b61ca1e1421697682b9a703bb46107fb8db3acd46fae50b97506055e5dbdf9fd16119ec97fad5bc794e41bfa182

    • SSDEEP

      24576:+PQRqBbikTHaaS3imkNQo1mLw+N4HtSzxGp1XCStb6ZDKb:LpoHar3BMQoEBu6UpNtoDKb

    Score
    7/10
    upx

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral17behavioral18

    • Target

      mini-KMS_Activator_v1.1_Office.2010.VL.RUS.exe

    • Size

      1.0MB

    • MD5

      dd3ff103d7709467ac1390ab02eaca2c

    • SHA1

      3020916fc4f7e073abb12333bfe32d9f1da85181

    • SHA256

      b9ce9d101438ef819a5ac844f4ce4cd54f15686ae8cc47c3d2e669d275129d20

    • SHA512

      222a66a69848dbf5273614ef81eebd71aa11b4b0ef93c544edcb198a13869583d07f95f0bd25dd7f7efae018ebf20f4ca2551c86fce6daf5851e396bb66adef0

    • SSDEEP

      24576:qPQRqBbikTHaaS3imkNQo1mLw+N4HtSzxGp1XCStb6ZDK:vpoHar3BMQoEBu6UpNtoDK

    Score
    7/10
    upx

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks