Analysis
-
max time kernel
146s -
max time network
181s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
07-11-2023 14:32
General
-
Target
Activator/ActivatorOffice.cmd
-
Size
1KB
-
MD5
ebbf03821a2ea04ec5fb06f48675c239
-
SHA1
154f3c4ab5bb3e46d22bbdc8f838328bdd787953
-
SHA256
95c71bf19deb184b03124b3dbbcbbe0c98e9591eaaf249ace0eeec87ed9cb75a
-
SHA512
6da1d2459e2428801c7405035dc5473a29b9246bec7373e92a7c96e26dcc6920359ea8b65fe7943413842c68e60750449ba5e4d6f67509e369e21dd21cde0f7d
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 4 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivatorOffice.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.xml" /TN "ActivationNextBoot"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /ofs=act /sched=ofs /ofsgvlk=inst /ofs=conv2⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /end /TN KMSAuto3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /end /TN KMSAuto4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /delete /TN KMSAuto /F3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /TN KMSAuto /F4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\KMSAuto\bin.datbin.dat -y -pkmsauto4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16883⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16884⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto3⤵
-
C:\Windows\system32\sc.exesc.exe create KMSEmulator binpath= temp.exe type= own start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator3⤵
-
C:\Windows\system32\sc.exesc.exe start KMSEmulator4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c bin_x64.dat -y -pkmsauto3⤵
-
C:\Windows\Temp\KMSAuto\bin_x64.datbin_x64.dat -y -pkmsauto4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c route.exe -p add 139.121.94.166 0.0.0.0 IF 13⤵
-
C:\Windows\system32\ROUTE.EXEroute.exe -p add 139.121.94.166 0.0.0.0 IF 14⤵
-
-
-
C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe"FakeClient.exe" 139.121.94.1663⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:139.121.94.166 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS3⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:139.121.94.166 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator3⤵
-
C:\Windows\system32\sc.exesc.exe stop KMSEmulator4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator3⤵
-
C:\Windows\system32\sc.exesc.exe delete KMSEmulator4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c route delete 139.121.94.166 0.0.0.03⤵
-
C:\Windows\system32\ROUTE.EXEroute delete 139.121.94.166 0.0.0.04⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill.exe /t /f /IM FakeClient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop WinDivert1.13⤵
-
C:\Windows\system32\sc.exesc.exe stop WinDivert1.14⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete WinDivert1.13⤵
-
C:\Windows\system32\sc.exesc.exe delete WinDivert1.14⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP4⤵
- Modifies Windows Firewall
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\schtasks.exeschtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAutoOffice.xml" /TN "KMSAuto"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Temp\KMSAuto\bin\KMSSS.exe"C:\Windows\Temp\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b1d1b96a65ea2720588fc42787287f0a
SHA1c4f6ee33e424e8136aad018b13b154b35de4a52f
SHA2560ec31708eb1cd663ceca69188f9e1df3538d424ec7bec05a17271faa49b7cccc
SHA512f516dcc2b6ccd5ed0b7958080fec7560f6e8abd34a4a837b8c815325e01448f15ef1350a04c45d2d9712351ed969f7c2e8d77a900a9e0a8f605330577b88e1e2
-
Filesize
3KB
MD5b1d1b96a65ea2720588fc42787287f0a
SHA1c4f6ee33e424e8136aad018b13b154b35de4a52f
SHA2560ec31708eb1cd663ceca69188f9e1df3538d424ec7bec05a17271faa49b7cccc
SHA512f516dcc2b6ccd5ed0b7958080fec7560f6e8abd34a4a837b8c815325e01448f15ef1350a04c45d2d9712351ed969f7c2e8d77a900a9e0a8f605330577b88e1e2
-
Filesize
166KB
MD5ca62d4125a24ea98f90b8d7b7c92801b
SHA172f50ecc667713b8f357a048a6f621664fd1e361
SHA2569c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75
SHA512ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2
-
Filesize
166KB
MD5ca62d4125a24ea98f90b8d7b7c92801b
SHA172f50ecc667713b8f357a048a6f621664fd1e361
SHA2569c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75
SHA512ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2
-
Filesize
34KB
MD5be3f826075408b5d6ae7b66a55b4a520
SHA1cb2f05c14c75e140dcf68de310be1e9527f8193d
SHA2569dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418
SHA512295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2
-
Filesize
34KB
MD5be3f826075408b5d6ae7b66a55b4a520
SHA1cb2f05c14c75e140dcf68de310be1e9527f8193d
SHA2569dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418
SHA512295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2
-
Filesize
82KB
MD51e279e2ef92662bded2c7fd781306a73
SHA170da7979881b6a3b78c655b08de3c2aad8e60a10
SHA256a5c143fa70977717f136327938f52d1ad0dab56b1bbecf0d49bd0a985dfad42a
SHA5128afac7d4f591fe723d9602b54c508a74f15d6568ad4c01aef8eb9bee1862e5e55166f7f6f30468a0f4ed96031e6ecee67d2bb532e62a0b8c6bf8bf274d6c0fd1
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
68KB
MD5be566e174eaf5b93b0474593cd8f2715
SHA1350ca8482be913dd9ca7a279fb5680a884402e26
SHA256cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330
SHA512fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b
-
Filesize
16KB
MD53f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
Filesize
151B
MD5a94d989905a248afca52bc3cbfcb248b
SHA1cbb7b37584a58060da6a3dd748f17334384647e7
SHA2566c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d
SHA512864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f
-
Filesize
34KB
MD5a0d15d8727d0780c51628df46b7268b3
SHA1c85f24ef961db67c829a676a941cbead24c62b21
SHA2565e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64
SHA512a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361
-
Filesize
197KB
MD5b539aa381715ed2bdec01e33867b1a67
SHA17f71f9adddb2cd532cc311ec2738cced4702c4d5
SHA2562d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9
SHA512fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
-
Filesize
197KB
MD5b539aa381715ed2bdec01e33867b1a67
SHA17f71f9adddb2cd532cc311ec2738cced4702c4d5
SHA2562d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9
SHA512fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
68KB
MD5be566e174eaf5b93b0474593cd8f2715
SHA1350ca8482be913dd9ca7a279fb5680a884402e26
SHA256cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330
SHA512fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b
-
Filesize
16KB
MD53f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB