54198da71fa9f7debf4c7a5a848e0979584e6df0e6c1c66a89757a1cf21e7ec2

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240221-it
resource tags

arch:x64arch:x86image:win10v2004-20240221-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
23/02/2024, 21:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Windows 11 Activator.cmd
Size

2KB
MD5

a7c7a88c58b8c43bf51e97e74e939e31
SHA1

393884ca64c4fdf293086279bcd7cfa9084f6649
SHA256

54198da71fa9f7debf4c7a5a848e0979584e6df0e6c1c66a89757a1cf21e7ec2
SHA512

b28cdc5f28cf98b4eb75909230e32ee3b610edceba7ae873bddf64e7cb134553a6fa98dd7e2144d0920e08d3da9a4747b0783a1ab90137f2592736bc88aafaa5

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	DeviceCensus.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	DeviceCensus.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	DeviceCensus.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DeviceCensus.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DeviceCensus.exe

Enumerates system info in registry 2 TTPs 20 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	DeviceCensus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	DeviceCensus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DeviceCensus.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4556	2424	cmd.exe	83
PID 2424 wrote to memory of 4556	2424	cmd.exe	83
PID 2424 wrote to memory of 4704	2424	cmd.exe	86
PID 2424 wrote to memory of 4704	2424	cmd.exe	86
PID 2424 wrote to memory of 4360	2424	cmd.exe	87
PID 2424 wrote to memory of 4360	2424	cmd.exe	87
PID 2424 wrote to memory of 2996	2424	cmd.exe	88
PID 2424 wrote to memory of 2996	2424	cmd.exe	88
PID 2424 wrote to memory of 1492	2424	cmd.exe	89
PID 2424 wrote to memory of 1492	2424	cmd.exe	89
PID 2424 wrote to memory of 4600	2424	cmd.exe	91
PID 2424 wrote to memory of 4600	2424	cmd.exe	91
PID 2424 wrote to memory of 2800	2424	cmd.exe	92
PID 2424 wrote to memory of 2800	2424	cmd.exe	92
PID 2424 wrote to memory of 3464	2424	cmd.exe	95
PID 2424 wrote to memory of 3464	2424	cmd.exe	95
PID 2424 wrote to memory of 5008	2424	cmd.exe	97
PID 2424 wrote to memory of 5008	2424	cmd.exe	97
PID 2424 wrote to memory of 224	2424	cmd.exe	99
PID 2424 wrote to memory of 224	2424	cmd.exe	99
PID 2424 wrote to memory of 4540	2424	cmd.exe	103
PID 2424 wrote to memory of 4540	2424	cmd.exe	103
PID 2424 wrote to memory of 1828	2424	cmd.exe	104
PID 2424 wrote to memory of 1828	2424	cmd.exe	104
PID 2424 wrote to memory of 4728	2424	cmd.exe	105
PID 2424 wrote to memory of 4728	2424	cmd.exe	105
PID 2424 wrote to memory of 2856	2424	cmd.exe	106
PID 2424 wrote to memory of 2856	2424	cmd.exe	106
PID 2424 wrote to memory of 3008	2424	cmd.exe	107
PID 2424 wrote to memory of 3008	2424	cmd.exe	107
PID 2424 wrote to memory of 796	2424	cmd.exe	108
PID 2424 wrote to memory of 796	2424	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows 11 Activator.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
  2⤵
  PID:4556
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM
  2⤵
  PID:4704
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
  2⤵
  PID:4360
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk PVMJN-6DFY6-9CCP6-7BKTT-D3WVR
  2⤵
  PID:2996
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
  2⤵
  PID:1492
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG9
  2⤵
  PID:4600
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
  2⤵
  PID:2800
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
  2⤵
  PID:3464
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
  2⤵
  PID:5008
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
  2⤵
  PID:224
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
  2⤵
  PID:4540
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk WNMTR-4C88C-JK8YV-HQ7T2-76DF9
  2⤵
  PID:1828
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ipk 2F77B-TNFGY-69QQF-B8YKP-D69TJ
  2⤵
  PID:4728
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /skms kms.chinancce.com
  2⤵
  PID:2856
- C:\Windows\system32\cscript.exe
  cscript //nologo c:\windows\system32\slmgr.vbs /ato
  2⤵
  PID:3008
- C:\Windows\system32\find.exe
  find /i "successfully"
  2⤵
  PID:796

C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:2316

C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
memory/2316-1-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-2-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-4-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-5-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-6-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-7-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-9-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-8-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-10-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x0000026E3DBE0000-0x0000026E3DBE1000-memory.dmp

Filesize
4KB

Download
memory/3512-23-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-22-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-24-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-27-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-28-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-29-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-30-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-31-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download
memory/3512-32-0x0000018E8C030000-0x0000018E8C031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads