b962ca4ab70ca86d848ab69b132d0a4c7be9dd2a134af921151e020bca1b32fd

Analysis

max time kernel
146s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Vista Activation/Activate.exe
Size

1.4MB
MD5

a24a3159f181f2b512ff7c76533ebb81
SHA1

6fd539c29d49659ebc043c8b8e3ef27095fd63db
SHA256

429fa50962dff9b6ed601b4926487c463a73043e9e6e5a420642412771faa6f8
SHA512

55e38b5d2dd2505a075ddccc8a855e7de90361cfde5b53dead18185f090172869a226c7e52b5d9e47f2ef76ec68a4db2d7bac6b90bc21a7ca780fec3e469c56e
SSDEEP

24576:/Qc5TVqCdqsoDthQs8KWuuLkQyQLO1D3rRJQXYeik9FPgvOt074doRxrrrrU8:/9AfiMiYdPRJQIe5qOt074doRxrrrrd

Score

10^/10

bootkit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe,"	Update.exe

Executes dropped EXE 3 IoCs

pid	Process
2756	Update.exe
2808	Activate.exe
2692	setup.exe

Loads dropped DLL 15 IoCs

pid	Process
2164	Activate.exe
2164	Activate.exe
2756	Update.exe
2756	Update.exe
2756	Update.exe
2808	Activate.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe
2692	setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Activate.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	Update.exe
File created	C:\Windows\SysWOW64\sdra64.exe	Update.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2164	2512	Activate.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	Update.exe
2756	Update.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2512	Activate.exe
2164	Activate.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2512 wrote to memory of 2164	2512	Activate.exe	28
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2756	2164	Activate.exe	29
PID 2164 wrote to memory of 2808	2164	Activate.exe	30
PID 2164 wrote to memory of 2808	2164	Activate.exe	30
PID 2164 wrote to memory of 2808	2164	Activate.exe	30
PID 2164 wrote to memory of 2808	2164	Activate.exe	30
PID 2808 wrote to memory of 2692	2808	Activate.exe	31
PID 2808 wrote to memory of 2692	2808	Activate.exe	31
PID 2808 wrote to memory of 2692	2808	Activate.exe	31
PID 2808 wrote to memory of 2692	2808	Activate.exe	31
PID 2808 wrote to memory of 2692	2808	Activate.exe	31
PID 2808 wrote to memory of 2692	2808	Activate.exe	31
PID 2808 wrote to memory of 2692	2808	Activate.exe	31

C:\Users\Admin\AppData\Local\Temp\Windows Vista Activation\Activate.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Vista Activation\Activate.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\Windows Vista Activation\Activate.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Vista Activation\Activate.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\Activate.exe
    "C:\Users\Admin\AppData\Local\Temp\Activate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Activate.exe

Filesize
438KB

MD5
ac971f7a1713a1bbe25ba0b4569a5ba3

SHA1
f0a198e7395d8f3c61de42bb7efc7ec72c5deca8

SHA256
c15c61916a0ba1676eef451b206bad6132f9d2577d42074b4097201ca7a09b05

SHA512
192af35d630d3473ff0a9c3187071e25ae3536be1a198bce206237a1cc12d27f6cfbe57f63f8ac0f3c2d3348ddaba7593553e5a4a6559cca90e317914e80ec48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activate.exe

Filesize
451KB

MD5
6c26d5918fc3171f3e8903e3cf3290ee

SHA1
3011df490f2777242d040976a085f9725d46d5ed

SHA256
603077a6b6faf2ec015ba79a5d026a7933dde40755cd5e8207b4f23f1e50a7c0

SHA512
42df713f9a232af6ffa8a7869ab17607fe397bcb325c0bc48e3d598014b9b5dd49b29bc4f621db941fabbcc8f38873b4d09f2a540d39fed24b98e4069ebf8b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCR80.dll

Filesize
1KB

MD5
0560bbc0395495e5125cf331a4899f66

SHA1
dd1ef46248089ef53718cd4dc379af56ebfd76b6

SHA256
02547cf77d6b1269e2f0d4488f2009a2fd768190b76582052ef6870bf22530fa

SHA512
d37d974f3503e79050479217d05ab992f65a436fa578b4e1ceea6ca07a3834001da37591bbb37a92e7a56bec9f6ab4bf7ce0a6fd7aaad4186eeb659ae381e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcm80.dll

Filesize
29KB

MD5
b48745918b1339cc273abab450b2ddbb

SHA1
649915fe5391e97376a19605d5b4f5714c679d69

SHA256
c547e0547d6949dfa49efef14b3f4df0b619da9c30ce16fb98a31fece9181a63

SHA512
0c6c58c7bc05ecd8d73f1de58b42ef8c3b769feca9e4bd9958cd1f17d164c76751c20301aeee417a8d1c22e9eaab00aeef340acd8c3746eba2e0dfa2c9e232a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
130KB

MD5
566beae158bdbaeb1ce073db8127c85d

SHA1
c1f7c7b880c3930ca9ffad1a75f9653a5bd48c35

SHA256
12519daea7c52f02dcfcc8dbdd9468b88e2e3fa4f2bac66a72635b0e054e12bb

SHA512
a92b9086d2e27ce97dcd8e51a7841fa593df388be91dd7eb2464ffb5f8f2101093d9a2ac07877e67b46929d961d21a48e6d79b4fb167c7aa0f4d4e9bc9d308a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
103KB

MD5
118aeb38132ae2a9b315b813e6ed966f

SHA1
30245049277d1b3182a2e066bb13cf3adb9effb9

SHA256
5969307abbfa57aa2149c33d3094261d2637ef55133e34ae55d2746e327834b7

SHA512
868c9b29f328b1535ac0e15c7a006b317e99fcd1ee752e55a5a3163e4c881c816633c001596da1a35f70b4ef29c9ced6927b988e1a542444ccb7fe6d0a5a0aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
39KB

MD5
74296344f3d4a038bef3cb051696fd3f

SHA1
3ff5867d93923b2ec39623f901fd86807d540f3b

SHA256
8a43072da2c63bc8ec9b4962c0491b4c1de09b1505f08190c21772dabbde8622

SHA512
f5ae49aed93b90299803d38cdd0e93d6bfbca2eff701fd14d1af1e22880bd7878349c3a4851fae69d844ef9b27292b59896ee354cb26d7b73c25270a2b0b4aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
152KB

MD5
5ef7b156ac6c843df43a6d6341f7cfdb

SHA1
88182ec67cf31426662277123438bbae693d475b

SHA256
426e468c578c9fe18ce4dbb14692238763437c02239aaf573de3c090de7d26df

SHA512
b422c0e282f3321600f220c9008b8b8241af8ff1401e43f699ed681c5cb41e74888dffbb95371a2c83b337190162a11bb2ff0f9babebbbf6a26c892a99c86433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
1KB

MD5
23465e56e7e7a519ed0ac99572ba93df

SHA1
4d301d6517a76ea7b310f1bcab77a298e5eb5a52

SHA256
bfb3b73ec225068e7c649f4ca6c34020dc4927f5d7180c4b5cb5ed9cd71e40fa

SHA512
192c18f7a52fcf8c4c6f49ec773117a3132bf32a4c7f6c85707765a48557992fb9c6a5fa554a6be1d553d51dbf99d516b98592544a429ae9bc0732cfca773650

Download Submit
\Users\Admin\AppData\Local\Temp\Activate.exe

Filesize
591KB

MD5
3793d2c5bafe2a3fc2dc7bddf215da2c

SHA1
d74d386c88c03659c9e269a031eb139237ed61b6

SHA256
c2e68a0fe29aa5853c4c98bf089864729dc78ca4de99ccb214d2af427d550c4c

SHA512
641af6017f5b69691fcdf5a3048cdbc79c121d73fec4713d5fef65090849983d3e0d60e5f7d4599362efe46f0a33398d622d97f9e25ee0132ad5c1a9ecf7a7c0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msvcm80.dll

Filesize
49KB

MD5
3a3cecd65f601b030c824c09e0ae948d

SHA1
d4eb614ba4ea03ec8c55251eee6fb911fa34de7f

SHA256
49e4353c776048902b54e63067b99a4f7697f095e4e57a118ed0073f37782bdf

SHA512
703738524b606825637ce384b49955aab42091db9c07d8ba0872981c90477137ddd93ebbcedb8237765e82fb50f4925cc9e477d20ce1051a08e3dd712e8e38fb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msvcm80.dll

Filesize
1KB

MD5
07f5d4726adf1e9c775c4d83960b811b

SHA1
6335ff90f7121efef35caa623e72753d999f55ef

SHA256
0f5934c86be4f487bc962b3bee85c1437050add48249f67c3ced6f4d18fd7cb2

SHA512
6c8e2b5f25ac2eb75cf17fad0877f0769e3f84a56725702162264bfd6b5af236d4aed091d3978e25982d88febad2fdefd8827e9ae94c849547779d19bf19630a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msvcm80.dll

Filesize
24KB

MD5
f6b3593b6de07778933737e5f5206c55

SHA1
302cdadf60e4e23c0238a9b40307893f03bb892e

SHA256
df6edd2a99fe65bb12134b526deb0679b36f73432747398355307b415e2cab20

SHA512
3a2f10742e4f7e4026231e8da2f1e3f2e838e9be04ce577896c1ba327dcec711493f7e8b1f312d6436fb4914ed7a996189f92fe480480228f5d3b689bbf45771

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msvcr80.dll

Filesize
39KB

MD5
14bceecf5fc44ede2597212abb0c7f96

SHA1
78149157ff8300dd5c17624297e8d9fee1c774d0

SHA256
f007fc4b6d870229d968586e7b35ba815dcb457994d6659ca7f0eb892a4afccd

SHA512
607f83c7e8678c7dd987592b29563be9b9dacd5514bc84bfb13bd86bb612f9cb544f733f1734245e4eed2bdd40763cedb855624fcc7fce8061ec2d634cedc287

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
41KB

MD5
19a97ae593495b5df89680708e6aeb04

SHA1
29e8fe69c4aaf64f4303bcd5dbcb99281a373a81

SHA256
f8362e2ed5ede1c95c022d184b119915efeaaa541f929882667f597b482e0b0b

SHA512
9e6cd5cf9e43473650dc9b14d6393ff959501504cfa048cc55268a746ea589c262fa51347f4bf404c10d3ac718268b762251f1a0a38a2ae2013b73626ded7047

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
113KB

MD5
bad1f75b78aa339bcac258fad6593ad8

SHA1
5fd6112552419c6e64b9269deaf5f98a9c43fac7

SHA256
55f4267f4a642482406dc8dfe8538764f48cdc4c9666f59aa08d986ba4fa0ad1

SHA512
e0a221b02414adddade7d474f5912e8310296eb74431039006f8a1ca2149fef99e82154ff932f9b9847c98914c1ef24a6598188c55befddbd5b9a23e4970c908

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
71KB

MD5
a1d7b32c60bc6813ad1cc1ab5186d76a

SHA1
56e7eba47fd45915fa361faf3e9dd37628385e59

SHA256
46ba2fb6e2fe1f68117fcd6791c2bd95a9e2b6573016114372d046500d1773b3

SHA512
e88b4ed25e6d336ccfd0961019e90cc00cac885cc7c78b00585affdeeeb87d685c0a8abc7df9b3a9a12247702a85e593f7a2f3d2f7078fe7b7096cc5de94688f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
285KB

MD5
27e3853b4c50511837e3625f0dc3cc2d

SHA1
d302ec1b3e3c39b4a15f2b980f1a3b7f811370e5

SHA256
8d16d3c5181c39f0d3b99d62880d6c8f1a2ed1bb4547c45f37eab65531b6baac

SHA512
4b47229a435272f75c101762b0c155f6dbae182879400d196c3121ba916d941881ce6ef81db384bc4d34569d762795250fa901ae27c48f79d87a84a3539ebe12

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
183KB

MD5
117e43f8c655350d80c474ede6ee8539

SHA1
7f56be9706b5ab1c8b33ab1e6606ced4397e34fd

SHA256
36d29f70ea2c76fab591e5b249df188906a4cbf7fdc64889320b6aec28155206

SHA512
f5d4cef7126b6d1e4e117ed707b2efe74e28a1b9c4dcbb9c3303caa49186ad87367e7cb517a4332c175316fae378ece5353bb2ad5f859db7b75a621f2b950b35

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
104KB

MD5
8704fc32df34e90b0ad99c3ac809e7b7

SHA1
ddb13a40fce86f6b7ff242640f07126b7563ae08

SHA256
7e508f0cc903d93bc10a8e70919ddea62b1b3abc9adf57847892ab53ee62d3dc

SHA512
8381a8fa4ca3ce13af43435440f9b9219a6b37699c104632c0d083d1d084d60f769b086b78525874c30ce6528022b0751dc5ff906fadef4934c235868adc8093

Download Submit
\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
37KB

MD5
45a5f8eb247c60565e5d596f213ee8d9

SHA1
d5861c80cec17165f82329f6e1a746b86f37a1d1

SHA256
9ee02de4483a27525ac7d1f5ad61b8a1d17b3c24601352b2d80c56500233278a

SHA512
a29e5188003387b74e55bbbdd5bf25e9e3ee09f5ebdda995320392d5fee886792bf607dff5bf68a7f60e611c0024ef08f68791df23b0ae2057aa2fa6ccb35892

Download Submit
memory/2164-5-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2164-7-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2164-3-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2164-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-13-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2164-16-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2164-20-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2164-116-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2692-114-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-115-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/2692-120-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-121-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/2808-117-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download