Overview

overview

8

Static

static

3

Activator.exe

windows7-x64

8

Activator.exe

windows10-2004-x64

8

Lite.cmd

windows7-x64

8

Lite.cmd

windows10-2004-x64

8

Resubmissions

28/09/2024, 07:40

240928-jhpvdatgkp 8

04/07/2024, 03:55

240704-egtpqatanp 8

Analysis

  • max time kernel
    131s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 03:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Lite.cmd

  • Size

    842B

  • MD5

    5ae0aac595dab0ffe87b36e4cbb822a6

  • SHA1

    29a36471f7280ca5bb5970e8e1e22a734615483e

  • SHA256

    23bccb5d8c1036fac73b954710da88380cdf2125654fbef534a7ccd56d918bd0

  • SHA512

    60dff8a051aca03c172299caf614999f3b317854d0e1311e97b72d55f2e3d9304b4bf93d7873da59be565001773da6b59dc390a8cbd3192a554b7bf2d9a4fbfb

Score
8/10
persistence

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 9 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 11 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Lite.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
        PID:2716
      • C:\Users\Admin\AppData\Local\Temp\Activator.exe
        "C:\Users\Admin\AppData\Local\Temp\Activator.exe" /Lite
        2⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc config ClipSVC start= demand
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\system32\sc.exe
            sc config ClipSVC start= demand
            4⤵
            • Launches sc.exe
            PID:2776
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc config wlidsvc start= demand
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Windows\system32\sc.exe
            sc config wlidsvc start= demand
            4⤵
            • Launches sc.exe
            PID:2248
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc config sppsvc start= delayed-auto
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4536
          • C:\Windows\system32\sc.exe
            sc config sppsvc start= delayed-auto
            4⤵
            • Launches sc.exe
            PID:636
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc config LicenseManager start= demand
          3⤵
            PID:3876
            • C:\Windows\system32\sc.exe
              sc config LicenseManager start= demand
              4⤵
              • Launches sc.exe
              PID:2700
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c sc config Winmgmt start= auto
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3196
            • C:\Windows\system32\sc.exe
              sc config Winmgmt start= auto
              4⤵
              • Launches sc.exe
              PID:532
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c sc config wuauserv start= demand
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Windows\system32\sc.exe
              sc config wuauserv start= demand
              4⤵
              • Launches sc.exe
              PID:3176
          • C:\Users\Admin\AppData\Local\Temp\_Temp\gatherosstatemodified.exe
            "C:\Users\Admin\AppData\Local\Temp\_Temp\gatherosstatemodified.exe" Pfn=Microsoft.Windows.48.res-v3557_8wekyb3d8bbwe;DownlevelGenuineState=1
            3⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            PID:2596
          • C:\Users\Admin\AppData\Local\Temp\_Temp\clipup.exe
            "C:\Users\Admin\AppData\Local\Temp\_Temp\clipup.exe" -v -o -altto C:\Users\Admin\AppData\Local\Temp\_Temp\GenuineTicket.xml
            3⤵
            • Executes dropped EXE
            PID:764
            • C:\Users\Admin\AppData\Local\Temp\_Temp\clipup.exe
              "C:\Users\Admin\AppData\Local\Temp\_Temp\clipup.exe" -v -o -altto C:\Users\Admin\AppData\Local\Temp\_Temp\GenuineTicket.xml -ppl C:\Users\Admin\AppData\Local\Temp\temB205.tmp
              4⤵
              • Executes dropped EXE
              PID:4392
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        1⤵
        • Modifies data under HKEY_USERS
        PID:1792
      • C:\Windows\system32\Clipup.exe
        "C:\Windows\system32\Clipup.exe" -o
        1⤵
          PID:4428
          • C:\Windows\system32\Clipup.exe
            "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temB30F.tmp
            2⤵
            • Checks SCSI registry key(s)
            PID:4032

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\_Temp\GenuineTicket.xml
                Filesize

                1KB

                MD5

                f87bd1da475f771cec29e823d03f718e

                SHA1

                1b24cc598aa23bcaaf004dc305a44e6110b4a25e

                SHA256

                2525f8426c8b2f62a6787dde6d3b2f9c45fd55149420553b8db9ce1239a5986a

                SHA512

                41bbb158e356dede8633a0f11169d676144c10650c722aabc15fd05c1065fe73d8641a65a58a65d8008cce8d2798155ced1e4d56688490ded0523b530a357875

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\_Temp\clipup.exe
                Filesize

                1.3MB

                MD5

                bd1908ab0887873fce6b059822599e4e

                SHA1

                48d928b1bec25a56fe896c430c2c034b7866aa7a

                SHA256

                0d6e9f6bbd0321eda149658d96040cb4f79e0bd93ba60061f25b28fecbf4d4ef

                SHA512

                e602efef6d697cdb0c958df3210331170c354edf1c372975d5edd71c884f2de26c6bad07e4caea4f7832ad42a9fe9c8c1b72ca24734a6d464f108864d0a8cf4c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\_Temp\gatherosstatemodified.exe
                Filesize

                330KB

                MD5

                892fae48577e46eabd9fbbc4107d924c

                SHA1

                3fccb9c359edb9527c9f5688683f8b3c5910e75d

                SHA256

                5b8d76ee9a57fa2592f480f1c5035d45946304cae7899279857126cd48f601d7

                SHA512

                49f9237657b77b789edc54563b6500787905429673ffa3797a4a2d50ae25eaab3c684890847a0a790361ef3c525c432712cc4e00e98de3912ff13a0c3d5c252d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\temB205.tmp
                Filesize

                230B

                MD5

                62bb58da510ecb05194b2199ef7889ef

                SHA1

                8f0e4f6d9776cbde466a6f4b51f6b43a22b5af1f

                SHA256

                33d3fe617709057bdf5feec1df85a1f6ea33f2e2443c0f10a7819a78bb3abf31

                SHA512

                9a07668211c476e10636ee7f6f2cab9435e73a3c07b2e5ba54ab9fec28ae71c47c16a798a9e0733c6eb08d7e620806b2ef624fa984675a9aaa4bfbe574cae65d

                Download Submit

              • C:\Windows\TEMP\temB30F.tmp
                Filesize

                206B

                MD5

                b13af738aa8be55154b2752979d76827

                SHA1

                64a5f927720af02a367c105c65c1f5da639b7a93

                SHA256

                663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b

                SHA512

                cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

                Download Submit

              • memory/764-18-0x000001B92B500000-0x000001B92B510000-memory.dmp

                Filesize

                64KB

                Download

              • memory/764-19-0x000001B92B500000-0x000001B92B510000-memory.dmp

                Filesize

                64KB

                Download

              • memory/764-20-0x000001B92B500000-0x000001B92B510000-memory.dmp

                Filesize

                64KB

                Download

              • memory/764-30-0x000001B92B500000-0x000001B92B510000-memory.dmp

                Filesize

                64KB

                Download

              • memory/764-31-0x000001B92B500000-0x000001B92B510000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4032-35-0x00000211E7F60000-0x00000211E7F70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4032-34-0x00000211E7F60000-0x00000211E7F70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4032-39-0x00000211E7F60000-0x00000211E7F70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4392-28-0x0000013B36CA0000-0x0000013B36CB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4392-27-0x0000013B36CA0000-0x0000013B36CB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4392-25-0x0000013B36CA0000-0x0000013B36CB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4392-24-0x0000013B36CA0000-0x0000013B36CB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4392-23-0x0000013B36CA0000-0x0000013B36CB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4428-32-0x00000239CBE20000-0x00000239CBE30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4428-33-0x00000239CBE20000-0x00000239CBE30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4428-41-0x00000239CBE20000-0x00000239CBE30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4432-4-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-5-0x00007FFA736D3000-0x00007FFA736D5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/4432-6-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-0-0x00007FFA736D3000-0x00007FFA736D5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/4432-8-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-3-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-2-0x000000001B5B0000-0x000000001BB12000-memory.dmp

                Filesize

                5.4MB

                Download

              • memory/4432-1-0x00000000008A0000-0x00000000008B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4432-7-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-43-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-44-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4432-45-0x00007FFA736D0000-0x00007FFA74191000-memory.dmp

                Filesize

                10.8MB

                Download