Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
07-11-2023 14:32
General
-
Target
Activator/ActivatorWindows.cmd
-
Size
4KB
-
MD5
60ad31f88dc50283ad7acedc7d8ef9a0
-
SHA1
93be2e8b6e1c748c7739ac42faff8e3d3eabf7dd
-
SHA256
5a93eb2bf9e6fb38edf42aae69007cec41360c80d982925dadd54e981ca6f9e1
-
SHA512
ad36fb6d62bc235132e1d7380588a0f96efd2f888b4eb2e1f3bbd0d10cd8f7bee380ea59d3ad98af9ceb0c2318fed40b897ef0d51a081459350b673b9cab28a7
-
SSDEEP
96:TLwprDbaDEa+lq4bi0/BO/B5/BZJS7LAA8zhPpi+4yH6dv7F0tvsmGv26FdJvTy:TjuqoyH0v7QvsRvvpvm
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 4 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivatorWindows.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.xml" /TN "ActivationNextBoot"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\cscript.exeCSCRIPT C:\Windows\system32\slmgr.vbs -dli2⤵
-
-
C:\Windows\system32\findstr.exeFINDSTR "Licensed ½¿µÑ¡º¿ε"2⤵
-
-
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName2⤵
-
-
C:\Windows\system32\findstr.exeFINDSTR /i 72⤵
-
-
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName2⤵
-
-
C:\Windows\system32\findstr.exeFINDSTR /i 102⤵
-
-
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID2⤵
-
-
C:\Windows\system32\findstr.exeFINDSTR /i "Professional"2⤵
-
-
C:\Windows\system32\cscript.exeCSCRIPT slmgr /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /win=act /sched=win2⤵
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /end /TN KMSAuto3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /end /TN KMSAuto4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /delete /TN KMSAuto /F3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /TN KMSAuto /F4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\KMSAuto\bin.datbin.dat -y -pkmsauto4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16883⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16884⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc.exe create KMSEmulator binpath= temp.exe type= own start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc.exe start KMSEmulator4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c bin_x64.dat -y -pkmsauto3⤵
-
C:\Windows\Temp\KMSAuto\bin_x64.datbin_x64.dat -y -pkmsauto4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c route.exe -p add 184.180.5.179 0.0.0.0 IF 13⤵
-
C:\Windows\system32\ROUTE.EXEroute.exe -p add 184.180.5.179 0.0.0.0 IF 14⤵
-
-
-
C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe"FakeClient.exe" 184.180.5.1793⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:184.180.5.179 /PRT:1688 /ACT:WIN3⤵
-
C:\Windows\system32\cscript.execscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:184.180.5.179 /PRT:1688 /ACT:WIN4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator3⤵
-
C:\Windows\system32\sc.exesc.exe stop KMSEmulator4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator3⤵
-
C:\Windows\system32\sc.exesc.exe delete KMSEmulator4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c route delete 184.180.5.179 0.0.0.03⤵
-
C:\Windows\system32\ROUTE.EXEroute delete 184.180.5.179 0.0.0.04⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill.exe /t /f /IM FakeClient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop WinDivert1.13⤵
-
C:\Windows\system32\sc.exesc.exe stop WinDivert1.14⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete WinDivert1.13⤵
-
C:\Windows\system32\sc.exesc.exe delete WinDivert1.14⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP4⤵
- Modifies Windows Firewall
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\schtasks.exeschtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAutoWindows.xml" /TN "KMSAuto"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Temp\KMSAuto\bin\KMSSS.exe"C:\Windows\Temp\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59f26a04ccb1cd3d164892680e6739051
SHA1611beaf43c6bf4e79fb69b663977d5d231f1bc25
SHA256d36202cc8dfee7c83265751eb6d9a9603ca626f0e35bc41fa7fd98999c8e5b83
SHA5128bdec4e31308b1dca3bd4b8c56be3db7c38d79f411a106d4176490e5afc15466e39e12dab89109160fff19e1f45c66266dc9a7cebe8c0f32d5e70b77c10e4a68
-
Filesize
3KB
MD5d1300660f5b81694082a9a1b919b1973
SHA12fe15955ecc2bbb81bdb8669ec4b8a18b59e86e4
SHA2561a3b44d5e1b20f6cfbce58772f34c8360e0a3a8fb7612b1b0c7d6f51fed7bfec
SHA512af87801992ca509210bd779ba27f53f335d5280b83c5aa35434d567c44d3ee412ae8c7f49744f07aded3d099aedc565d639059473c4c98b9ef4793ef0107f952
-
Filesize
166KB
MD5ca62d4125a24ea98f90b8d7b7c92801b
SHA172f50ecc667713b8f357a048a6f621664fd1e361
SHA2569c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75
SHA512ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2
-
Filesize
166KB
MD5ca62d4125a24ea98f90b8d7b7c92801b
SHA172f50ecc667713b8f357a048a6f621664fd1e361
SHA2569c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75
SHA512ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2
-
Filesize
34KB
MD5be3f826075408b5d6ae7b66a55b4a520
SHA1cb2f05c14c75e140dcf68de310be1e9527f8193d
SHA2569dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418
SHA512295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2
-
Filesize
34KB
MD5be3f826075408b5d6ae7b66a55b4a520
SHA1cb2f05c14c75e140dcf68de310be1e9527f8193d
SHA2569dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418
SHA512295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2
-
Filesize
82KB
MD51e279e2ef92662bded2c7fd781306a73
SHA170da7979881b6a3b78c655b08de3c2aad8e60a10
SHA256a5c143fa70977717f136327938f52d1ad0dab56b1bbecf0d49bd0a985dfad42a
SHA5128afac7d4f591fe723d9602b54c508a74f15d6568ad4c01aef8eb9bee1862e5e55166f7f6f30468a0f4ed96031e6ecee67d2bb532e62a0b8c6bf8bf274d6c0fd1
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
68KB
MD5be566e174eaf5b93b0474593cd8f2715
SHA1350ca8482be913dd9ca7a279fb5680a884402e26
SHA256cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330
SHA512fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b
-
Filesize
68KB
MD5be566e174eaf5b93b0474593cd8f2715
SHA1350ca8482be913dd9ca7a279fb5680a884402e26
SHA256cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330
SHA512fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b
-
Filesize
16KB
MD53f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
Filesize
16KB
MD53f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
Filesize
151B
MD5a94d989905a248afca52bc3cbfcb248b
SHA1cbb7b37584a58060da6a3dd748f17334384647e7
SHA2566c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d
SHA512864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f
-
Filesize
34KB
MD5a0d15d8727d0780c51628df46b7268b3
SHA1c85f24ef961db67c829a676a941cbead24c62b21
SHA2565e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64
SHA512a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361
-
Filesize
197KB
MD5b539aa381715ed2bdec01e33867b1a67
SHA17f71f9adddb2cd532cc311ec2738cced4702c4d5
SHA2562d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9
SHA512fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
-
Filesize
197KB
MD5b539aa381715ed2bdec01e33867b1a67
SHA17f71f9adddb2cd532cc311ec2738cced4702c4d5
SHA2562d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9
SHA512fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB