Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-02-2024 21:34

General

  • Target

    Activation Service Unlocker 2023.1.3.exe

  • Size

    5.4MB

  • MD5

    ee1bfa29f0759f33bbaea9f282218567

  • SHA1

    45cb22ee9a3d56364eefd2ec7c38ccbb0663edf6

  • SHA256

    2ae8d809d34bee8d388da5e741650b97b4b8ae92835ab3c49c6d3984cc14cd10

  • SHA512

    a47bc0ecefb86dc70d1a24f1a2ce9df513645a548937c274280e43f72ce21eb78665097e92b06681c9ae7b686f6bc36373523a83233c108481b8e467d323ddf7

  • SSDEEP

    98304:lSiO9V8LRfMNKYYHl16/Xb/mZOQDNUcQlUcaFW0Qy0ea245j:aKivbP6NUllUZQqIj

Score
7/10

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Activation Service Unlocker 2023.1.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Activation Service Unlocker 2023.1.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\Temp\is-JC8AL.tmp\Activation Service Unlocker 2023.1.3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JC8AL.tmp\Activation Service Unlocker 2023.1.3.tmp" /SL5="$9018E,4744847,799744,C:\Users\Admin\AppData\Local\Temp\Activation Service Unlocker 2023.1.3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" stop "Red Giant Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "Red Giant Service"
          4⤵
          PID:1996
      • C:\Windows\system32\timeout.exe
        "timeout" /T 1 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:4292
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" stop mxredirect
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop mxredirect
          4⤵
          PID:2512
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im "RGContentService.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\system32\taskkill.exe
        "C:\Windows\system32\taskkill.exe" /f /im "MxNotify.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Users\Admin\AppData\Local\Temp\is-F8GDR.tmp\deep.exe
        "C:\Users\Admin\AppData\Local\Temp\is-F8GDR.tmp\deep.exe" /verysilent
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4360
        • C:\Users\Admin\AppData\Local\Temp\is-4QRO5.tmp\deep.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-4QRO5.tmp\deep.tmp" /SL5="$6023C,3598703,799744,C:\Users\Admin\AppData\Local\Temp\is-F8GDR.tmp\deep.exe" /verysilent
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:5112
          • C:\Windows\system32\taskkill.exe
            "C:\Windows\system32\taskkill.exe" /f /im maxon.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4392
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" start "Red Giant Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start "Red Giant Service"
          4⤵
          PID:4784

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-F8GDR.tmp\_isetup\_iscrypt.dll

    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  • C:\Users\Admin\AppData\Local\Temp\is-F8GDR.tmp\deep.exe

    Filesize

    4.3MB

    MD5

    1236d7fa121e89a15eb8762e027d87d0

    SHA1

    acd236d2d1b4fd0ecf31d0d6d1393aed819fa748

    SHA256

    c6f14962863e54092b2a719d4aaec866511f5943b0e8f9ed48180ecc21d5630b

    SHA512

    ec197ac23f17152f71e0d1fe8f787f19cb8a5e12ac38a48ee653490e6dd1fe65ba67764b1e9900878a24882a1e6499b56ffe7d86d1c37646ed5108abd971da7d

  • C:\Users\Admin\AppData\Local\Temp\is-JC8AL.tmp\Activation Service Unlocker 2023.1.3.tmp

    Filesize

    3.0MB

    MD5

    a5ecaee602a2196e4f26c09976c5934c

    SHA1

    f4ed5ef7d831cf07081e7d3b8d1a4b5ea02f6afe

    SHA256

    76aa359896801df734425ba007f3080e7e08e9cc307bf3b3cc796ed104e0594b

    SHA512

    3852fbfdc61baeca89588581122b5bd1c95bd6b8dc88f395ad1d03168c0edcdaadf552681965ca8337b2d107f9a6c0960c096f75867e4c3740f299c90c5fbd1a

  • memory/3384-39-0x0000000000400000-0x0000000000709000-memory.dmp

    Filesize

    3.0MB

  • memory/3384-6-0x0000000002710000-0x0000000002711000-memory.dmp

    Filesize

    4KB

  • memory/4360-18-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/4360-21-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/4360-36-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/5048-0-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/5048-2-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/5048-41-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/5112-25-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

  • memory/5112-34-0x0000000000400000-0x0000000000709000-memory.dmp

    Filesize

    3.0MB