Analysis

  • max time kernel
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-07-2024 11:42

General

  • Target

    Office 2010 Activator.exe

  • Size

    1.0MB

  • MD5

    797429180c8c307b2a5d5ecf7ac77c8b

  • SHA1

    4e87f19b4718c107734d07ff407ad2db06400766

  • SHA256

    3dfd975557ba1d76d501320157b2ce9ddf09fd5e945787c85301168e51bc750d

  • SHA512

    ace9095a8d8925aa47a10892f01cb24a307949db6c4750164dd652ae4d31cd723c03816d8fe194e04f7b3359ba5c4a5af02ad0ca6b758cd5d1b33c4eba24cd49

  • SSDEEP

    12288:mhkqqrSo4VXMuc9cdQqiZIVgQ1HeH0e1a9E0PU08NTjreLnYwaU087HdS99Naqfc:mhcghM8BR6a9E0PFQ/U0jscq1nNR4

Score
7/10 (tag: upx)

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects a file protected with ACProtect.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (9 IoCs)
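
The UPX signature above is a static check on the PE image. As an added example that is not part of this report or of the sandbox's own detection logic, the following Python parses a PE section table and flags the UPX0/UPX1 section names that stock UPX builds write. The PE headers it inspects are constructed inline (zeroed optional header, no section data) so it runs offline. A modified UPX, which the signature description also covers, typically renames those sections, so a clean result from this check is not evidence that a file is unpacked.

```python
"""Added example: static UPX check by PE section names.

Not part of this report; the PE headers below are constructed by hand
(zeroed optional header, no section data) so the check runs offline.
"""
import struct
from typing import List

# Section names written by stock UPX builds. A modified UPX usually renames them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def section_names(pe: bytes) -> List[bytes]:
    """Return the section names from a PE image or header fragment."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0])
    return names


def looks_upx_packed(pe: bytes) -> bool:
    """True if any section carries a stock UPX name (cheap, and easily evaded)."""
    return any(name in UPX_SECTION_NAMES for name in section_names(pe))


def build_header(names: List[bytes], opt_size: int = 0xE0) -> bytes:
    """Constructed test input: MZ stub, PE signature, COFF header, empty sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


# Constructed samples: one with stock UPX section names, one with ordinary names.
UPX_SAMPLE = build_header([b"UPX0", b"UPX1", b".rsrc"])
CLEAN_SAMPLE = build_header([b".text", b".rdata", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, section_names(sample), looks_upx_packed(sample))
```

On a real sample, read the file bytes and pass them to `looks_upx_packed`; the function only needs the headers, so reading the first few kilobytes is enough. Pair the name check with an entropy measurement of the largest section if you need to catch renamed-section variants.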

Processes

  • C:\Users\Admin\AppData\Local\Temp\Office 2010 Activator.exe
    "C:\Users\Admin\AppData\Local\Temp\Office 2010 Activator.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\Start.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\hs_message.exe
        HS_MESSAGE "Did you run the program as Administrator? " "Activation Tool" Q YESNO
        3⤵
        • Executes dropped EXE
        PID:2128
      • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\autorun.exe
        autorun.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1632
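
The process tree above is the dropper pattern worth detecting: the parent extracts into a %TEMP%\<hex>.tmp directory, runs its Start.cmd through cmd.exe, and that shell launches the dropped hs_message.exe and autorun.exe. As an added example that is not part of the report, the Python below encodes that pattern as two checks over process-creation events and reconstructs each hit's ancestry. The events are constructed from the command lines shown in the tree; the parent PID of 4412 is not in the report and is set to None.

```python
"""Added example: flag the SFX-style drop-and-run chain seen in the tree above.

The EVENTS list is constructed from the command lines in this report; it is
not sandbox output. The parent PID of the top-level process is unknown and
set to None.
"""
import re
from typing import Dict, List, Optional, Tuple

# %TEMP%\<up to 4 hex digits>.tmp\ is the directory naming produced by
# GetTempFileName-style extraction, as in BEFA.tmp above.
TEMP_DROP_DIR = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-Fa-f]{1,4}\.tmp\\", re.I)
SCRIPT_EXTS = (".cmd", ".bat")

EVENTS = [
    {"pid": 4412, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Office 2010 Activator.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Office 2010 Activator.exe"'},
    {"pid": 1136, "ppid": 4412,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\Start.cmd" "'},
    {"pid": 2128, "ppid": 1136,
     "image": r"C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\hs_message.exe",
     "cmdline": 'HS_MESSAGE "Did you run the program as Administrator? " "Activation Tool" Q YESNO'},
    {"pid": 1632, "ppid": 1136,
     "image": r"C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\autorun.exe",
     "cmdline": "autorun.exe"},
]


def flag_dropper_chain(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each event matching the drop-and-run pattern."""
    findings = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmdline"].lower()
        if (image.endswith("\\cmd.exe") and "/c" in cmd
                and TEMP_DROP_DIR.search(cmd)
                and any(ext in cmd for ext in SCRIPT_EXTS)):
            findings.append((e["pid"], "cmd.exe /c runs a script from a temp drop directory"))
        elif TEMP_DROP_DIR.search(image):
            findings.append((e["pid"], "dropped executable launched from a temp drop directory"))
    return findings


def ancestry(events: List[Dict], pid: Optional[int]) -> List[int]:
    """Walk ppid links from pid up to the root; stops at an unknown parent."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def report(events: List[Dict]) -> List[str]:
    """One line per finding, with the process chain back to the root."""
    lines = []
    for pid, reason in flag_dropper_chain(events):
        chain = " <- ".join(str(p) for p in ancestry(events, pid))
        lines.append(f"PID {pid}: {reason} (chain {chain})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

On real telemetry (Sysmon event ID 1 or a sandbox process log), map the fields into the same `pid`/`ppid`/`image`/`cmdline` shape before calling `report`. The `elif` keeps cmd.exe itself from being double-counted when the shell runs from a temp directory; the chain output lets you confirm that every dropped binary traces back to the original submission rather than to an unrelated process.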

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\Start.cmd

    Filesize

    194B

    MD5

    8c6446cd79a6a05491e1c7d7646e2336

    SHA1

    3291502183bf08fba62ae42fb9ccb8aa02a12161

    SHA256

    54eab1cae4870171361cee57fa6c07fde95658bc3430f0098d23cd9497b2da31

    SHA512

    02262fe90e9d78ce6cff912ba8557b39881f0ff831c498d818beb0367f96847003086fbea708536d4f35564bd38fc58801578a1e4ecc0a4b57c35f3d091df417

  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\autorun.apm

    Filesize

    193KB

    MD5

    6d451d884397484da93f731b7a1f9d8a

    SHA1

    05a98899237095a4f043d958676331e18c7a6251

    SHA256

    a9bc67b8f2eecbefbb085e9e636ce2bc24eaab636c1681bde5f8d2ca4073b04c

    SHA512

    0c50a81783b0eb41b6c760cdc657766786887195afa16a7d8e33ae5d6b49eddfb472d6784e9c493cf9351c3bea61dbe9480509b31a6c94325035f125bdd82a69

  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\autorun.exe

    Filesize

    1.4MB

    MD5

    9f5db165601843001dd313c6c2840db9

    SHA1

    3289567355012833e9c47357abc9e65108906ed1

    SHA256

    17fe65695d275a85977b697fa98ce77a07c006e7744240eb7bbf365ce0bf9074

    SHA512

    e87908bfcd8d35399d4604d9ce03823d79a6a63510ca8a1fbfdc001c095bd79fc715b438435faa0081f0a445aaf68171ebe0ece09e1998ac46704f3a2cdf6add

  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\hs_message.exe

    Filesize

    43KB

    MD5

    2b9c47facb47d3c88e988adbb91c2aff

    SHA1

    08801cb6a187762c49b9a50d9777dfb84e8b40b8

    SHA256

    f2020bd17b437fab6224d108de3bf19b98215043ecb2a7f9d02142289d8e8e50

    SHA512

    7165255ad3bbbccd32c1c6f704aefc68579bd55750e135e99a3682914a2316f46551ffc40eecb74f1f85d1af8903212fdb103b570c826210b08f67b3e7542ee2

  • C:\Users\Admin\AppData\Local\Temp\apmDA24.tmp

    Filesize

    146KB

    MD5

    3d4839228c7ee77e28832879eeb17340

    SHA1

    ebe4a6388c8c6831837e232b48b8f4266b7f711e

    SHA256

    5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

    SHA512

    f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

  • memory/1632-58-0x0000000000840000-0x0000000000841000-memory.dmp

    Filesize

    4KB

  • memory/1632-63-0x0000000010000000-0x000000001007E000-memory.dmp

    Filesize

    504KB

  • memory/1632-72-0x0000000000400000-0x00000000005B1000-memory.dmp

    Filesize

    1.7MB

  • memory/1632-77-0x0000000000840000-0x0000000000841000-memory.dmp

    Filesize

    4KB

  • memory/2128-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4412-0-0x0000000000400000-0x0000000000688000-memory.dmp

    Filesize

    2.5MB

  • memory/4412-71-0x0000000000400000-0x0000000000688000-memory.dmp

    Filesize

    2.5MB