835b99cbe7d16b1020a2b0fd94c356742528e94d66d445401b7057524c86ba3e | Triage

Submit
Reports

Overview

overview

8

Static

static

1

Windows_Ac...ol.bat

windows7-x64

4

Windows_Ac...ol.bat

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

Target

Windows_Activator_Tool.bat
Size

435KB
Sample

240503-jst7vacd23
MD5

153799a818cb95fd5803fead4fbe3e7a
SHA1

20c374986e4050265de2914c3993f6b22d6de460
SHA256

835b99cbe7d16b1020a2b0fd94c356742528e94d66d445401b7057524c86ba3e
SHA512

88af58dad86dd07be1f9fdbf6854f05579f2093360da939f52e8fd4c25f7cbbcdef0f1fe95bcedce00e0c88bf6c0a069f44cdb7be4f0b469ea2722d80e7eaa8c
SSDEEP

3072:/xdR3S9mud2TrRMP0u+RciNiYbRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0Y5:xbBHu+R7rLo97bJu9p6zGDNS0KROuCC

Score

8^/10

discovery execution exploit persistence

Static task

static1

Behavioral task

behavioral1

Sample

Windows_Activator_Tool.bat

Resource

win7-20240215-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Windows_Activator_Tool.bat

Resource

win10v2004-20240419-en

discovery execution exploit persistence

windows10-2004-x64

33 signatures

150 seconds

Malware Config

Targets

- Target
  
  Windows_Activator_Tool.bat
- Size
  
  435KB
- MD5
  
  153799a818cb95fd5803fead4fbe3e7a
- SHA1
  
  20c374986e4050265de2914c3993f6b22d6de460
- SHA256
  
  835b99cbe7d16b1020a2b0fd94c356742528e94d66d445401b7057524c86ba3e
- SHA512
  
  88af58dad86dd07be1f9fdbf6854f05579f2093360da939f52e8fd4c25f7cbbcdef0f1fe95bcedce00e0c88bf6c0a069f44cdb7be4f0b469ea2722d80e7eaa8c
- SSDEEP
  
  3072:/xdR3S9mud2TrRMP0u+RciNiYbRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0Y5:xbBHu+R7rLo97bJu9p6zGDNS0KROuCC
Score

8^/10

discovery execution exploit persistence
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Registers COM server for autorun
  persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Scripting

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discoveryexecutionexploitpersistence

© 2018-2025

Terms | Privacy