ca45577006013e8af6a3c06a645824ce98b3222bfdcd847373bc9a12ab97b67c

Resubmissions

28-09-2024 07:40

240928-jhpvdatgkp 8

04-07-2024 03:55

240704-egtpqatanp 8

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activator.exe
Size

1.9MB
MD5

ed43ebc5518892c72af40fb19cdf76f0
SHA1

c33fb27e838e1a61340e31fdbdfc869600e3e5b9
SHA256

78049fb437a15cb04a698cf41cfaf0d242447c61d8e2e0811913122525fd929b
SHA512

fc69bd1ea742761955a2b212f66090f0edf00c4347824406c13440d03ca0acc648ca9201403e7413696672c123119700eba8c86cf7aa82a3adc7ae6338afd8dd
SSDEEP

24576:6gZnGaAVW9hkiQcMdzAOP1pOhdI+NOGqgctBE5Apa35rohhphh4tT9DdL7J7RG4i:6g0NmYXeOiS+NOZAA4hotIab5LF6wN

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierFlags = "2147483648"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDebug = "0"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	Activator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDebug = "0"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	Activator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierFlags = "2147483648"	Activator.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	bootsect.exe
2716	bootsect.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	Activator.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe
2844	Activator.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	Activator.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2944	2844	Activator.exe	30
PID 2844 wrote to memory of 2944	2844	Activator.exe	30
PID 2844 wrote to memory of 2944	2844	Activator.exe	30
PID 2844 wrote to memory of 2944	2844	Activator.exe	30
PID 2844 wrote to memory of 2716	2844	Activator.exe	32
PID 2844 wrote to memory of 2716	2844	Activator.exe	32
PID 2844 wrote to memory of 2716	2844	Activator.exe	32
PID 2844 wrote to memory of 2716	2844	Activator.exe	32
PID 2844 wrote to memory of 1684	2844	Activator.exe	38
PID 2844 wrote to memory of 1684	2844	Activator.exe	38
PID 2844 wrote to memory of 1684	2844	Activator.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\Activator.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\_Temp\bootsect.exe
  "C:\Users\Admin\AppData\Local\Temp\_Temp\bootsect.exe" /nt60 SYS /force
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\_Temp\bootsect.exe
  "C:\Users\Admin\AppData\Local\Temp\_Temp\bootsect.exe" /nt52 SYS /force
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "\R@1n\Office 14 ProPlus" /SC ONLOGON /TR "wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') call Activate" /ru "SYSTEM" /RL "HIGHEST"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Temp\bootsect.exe

Filesize
95KB

MD5
9594bc046765df20f4ac8ded4d1dd5d8

SHA1
95de0064b529d0ee2a0bc786d3511a9376352847

SHA256
4c457232dd4b8e3589f2f38f705089baf568b1e9ec1554a0a3022b39f4286e76

SHA512
5c1110603239d314ad8216e3503ecb78f40d2c286810e4af7944ab4fdb0591e96a64268d545cd950696651e2a4e85529f1220a188cf7013db827d8fa23a5a6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Temp\bootsect.exe

Filesize
95KB

MD5
cb11535c71099cc12a2962d0438a4715

SHA1
34de0712b4a36d0e9eed9e5229fbbed8af33b7a0

SHA256
ef75dac1a280f30ac63eaeee9f648d0cf93afae346ab153928dae781e715a451

SHA512
1dc890ac4fbfbf7b30ad641e78252a05b0650608909a1d6ee5506eb8b8bcfd88b3c6dcee5fdff8f8d411779413eb41de48e0f56bab746946e39950be7fb4a83c

Download Submit
\Windows\System32\SppExtComObjHook.dll

Filesize
19KB

MD5
2914300a6e0cdf7ed242505958ac0bb5

SHA1
684103f5c312ae956e66a02b965d9aad59710745

SHA256
29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8

SHA512
6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9

Download Submit
memory/2844-6-0x000007FEF5343000-0x000007FEF5344000-memory.dmp

Filesize
4KB

Download
memory/2844-4-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-5-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-0-0x000007FEF5343000-0x000007FEF5344000-memory.dmp

Filesize
4KB

Download
memory/2844-7-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-8-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-9-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-3-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-2-0x000000001AF30000-0x000000001B492000-memory.dmp

Filesize
5.4MB

Download
memory/2844-1-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download