Analysis
- max time kernel: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-07-2024 11:42
Behavioral tasks
- behavioral1: sample Office 2010 Activator.exe, resource win7-20240704-en
- behavioral2: sample Office 2010 Activator.exe, resource win10v2004-20240709-en
General
- Target: Office 2010 Activator.exe
- Size: 1.0MB
- MD5: 797429180c8c307b2a5d5ecf7ac77c8b
- SHA1: 4e87f19b4718c107734d07ff407ad2db06400766
- SHA256: 3dfd975557ba1d76d501320157b2ce9ddf09fd5e945787c85301168e51bc750d
- SHA512: ace9095a8d8925aa47a10892f01cb24a307949db6c4750164dd652ae4d31cd723c03816d8fe194e04f7b3359ba5c4a5af02ad0ca6b758cd5d1b33c4eba24cd49
- SSDEEP: 12288:mhkqqrSo4VXMuc9cdQqiZIVgQ1HeH0e1a9E0PU08NTjreLnYwaU087HdS99Naqfc:mhcghM8BR6a9E0PFQ/U0jscq1nNR4
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral2/files/0x00090000000233ea-60.dat, yara_rule: acprotect
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation, process: Office 2010 Activator.exe
- Executes dropped EXE (2 IoCs)
  PID 2128 hs_message.exe
  PID 1632 autorun.exe
- Loads dropped DLL (1 IoC)
  PID 1632 autorun.exe
- Matches yara_rule upx (4 IoCs)
  resource: behavioral2/memory/4412-0-0x0000000000400000-0x0000000000688000-memory.dmp, yara_rule: upx
  resource: behavioral2/files/0x00090000000233ea-60.dat, yara_rule: upx
  resource: behavioral2/memory/1632-63-0x0000000010000000-0x000000001007E000-memory.dmp, yara_rule: upx
  resource: behavioral2/memory/4412-71-0x0000000000400000-0x0000000000688000-memory.dmp, yara_rule: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4412 (Office 2010 Activator.exe) wrote to memory of 1136, procid_target 85 (listed 3 times)
  PID 1136 (cmd.exe) wrote to memory of 2128, procid_target 88 (listed 3 times)
  PID 1136 (cmd.exe) wrote to memory of 1632, procid_target 89 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Office 2010 Activator.exe (PID 4412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Office 2010 Activator.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1136)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\Start.cmd" "
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\hs_message.exe (PID 2128)
      Command line: HS_MESSAGE "Did you run the program as Administrator? " "Activation Tool" Q YESNO
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\autorun.exe (PID 1632)
      Command line: autorun.exe
      - Executes dropped EXE
      - Loads dropped DLL

Note that cmd.exe was requested as C:\Windows\system32\cmd.exe but executed from C:\Windows\SysWOW64: the parent is a 32-bit process (the x86 tag and the 0x00400000 UPX-matched image region in PID 4412 agree), so WOW64 file-system redirection resolved the system32 path to the 32-bit copy. The payload is a self-extracting archive that unpacks to %TEMP%\BEFA.tmp, runs Start.cmd, and prompts the user to confirm it was launched as Administrator before autorun.exe runs.
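The nine "Suspicious use of WriteProcessMemory" IoCs above are the raw material from which the process tree is built: each child PID appears three times under the same writer, so the nine entries collapse to three parent/child edges. The script below is an added example (not tooling from the sandbox vendor) that parses those IoC lines as the report prints them, deduplicates them, rebuilds the tree, and flags the case a practitioner actually cares about: a second process writing into a child it did not start, which would not look like a plain CreateProcess. The input text and the PID-to-image map are copied from this report; the line format is assumed to be "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>".

```python
"""Rebuild a process tree from flattened WriteProcessMemory IoC lines.

Added example for the sandbox report above, not code from the report or
its vendor.  WRITE_EVENTS is a verbatim copy of the report's nine entries;
IMAGES is taken from the report's process list.
"""
import re
from collections import Counter, OrderedDict

# Constructed from the report: the same fact is listed three times per child.
WRITE_EVENTS = """\
PID 4412 wrote to memory of 1136 4412 Office 2010 Activator.exe 85
PID 4412 wrote to memory of 1136 4412 Office 2010 Activator.exe 85
PID 4412 wrote to memory of 1136 4412 Office 2010 Activator.exe 85
PID 1136 wrote to memory of 2128 1136 cmd.exe 88
PID 1136 wrote to memory of 2128 1136 cmd.exe 88
PID 1136 wrote to memory of 2128 1136 cmd.exe 88
PID 1136 wrote to memory of 1632 1136 cmd.exe 89
PID 1136 wrote to memory of 1632 1136 cmd.exe 89
PID 1136 wrote to memory of 1632 1136 cmd.exe 89
"""

# Image name per PID, from the report's Processes section.
IMAGES = {
    4412: "Office 2010 Activator.exe",
    1136: "cmd.exe",
    2128: "hs_message.exe",
    1632: "autorun.exe",
}

# Assumed line layout: description, pid column, writer image, procid_target.
_EVENT = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")


def parse_write_events(text):
    """Return (edges, counts).

    edges  : ordered list of unique (writer_pid, target_pid) pairs
    counts : how many IoC lines the report lists for each pair
    """
    counts = Counter()
    edges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _EVENT.match(line)
        if not m:
            raise ValueError("unrecognised IoC line: %r" % line)
        writer, target, pid_col, _image, _procid_target = m.groups()
        if writer != pid_col:
            # The description and the pid column must name the same writer.
            raise ValueError("writer PID mismatch in line: %r" % line)
        edge = (int(writer), int(target))
        if edge not in counts:
            edges.append(edge)
        counts[edge] += 1
    return edges, dict(counts)


def build_tree(edges):
    """Return (children, roots, anomalies).

    A target already claimed by a different writer is left under its first
    writer and recorded in anomalies: a second process writing into an
    existing child is injection-like, not a normal process start.
    """
    children = OrderedDict()
    parent_of = {}
    anomalies = []
    for writer, target in edges:
        if target in parent_of and parent_of[target] != writer:
            anomalies.append((writer, target))
            continue
        parent_of[target] = writer
        children.setdefault(writer, []).append(target)
    roots = [pid for pid in children if pid not in parent_of]
    return children, roots, anomalies


def render(children, roots, images):
    """Indented text tree, two spaces per level, 'pid image' per line."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + "%d %s" % (pid, images.get(pid, "?")))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, counts = parse_write_events(WRITE_EVENTS)
    children, roots, anomalies = build_tree(edges)
    print("%d IoC lines -> %d edges" % (sum(counts.values()), len(edges)))
    print(render(children, roots, IMAGES))
    if anomalies:
        print("cross-process writes into existing children:", anomalies)
```

Run as-is it reports 9 IoC lines collapsing to 3 edges and prints the same four-process tree the report shows, with no anomalies; feeding it a report where a second PID writes into an already-parented child would list that pair separately instead of silently re-parenting it.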
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 194B
  MD5: 8c6446cd79a6a05491e1c7d7646e2336
  SHA1: 3291502183bf08fba62ae42fb9ccb8aa02a12161
  SHA256: 54eab1cae4870171361cee57fa6c07fde95658bc3430f0098d23cd9497b2da31
  SHA512: 02262fe90e9d78ce6cff912ba8557b39881f0ff831c498d818beb0367f96847003086fbea708536d4f35564bd38fc58801578a1e4ecc0a4b57c35f3d091df417
- Filesize: 193KB
  MD5: 6d451d884397484da93f731b7a1f9d8a
  SHA1: 05a98899237095a4f043d958676331e18c7a6251
  SHA256: a9bc67b8f2eecbefbb085e9e636ce2bc24eaab636c1681bde5f8d2ca4073b04c
  SHA512: 0c50a81783b0eb41b6c760cdc657766786887195afa16a7d8e33ae5d6b49eddfb472d6784e9c493cf9351c3bea61dbe9480509b31a6c94325035f125bdd82a69
- Filesize: 1.4MB
  MD5: 9f5db165601843001dd313c6c2840db9
  SHA1: 3289567355012833e9c47357abc9e65108906ed1
  SHA256: 17fe65695d275a85977b697fa98ce77a07c006e7744240eb7bbf365ce0bf9074
  SHA512: e87908bfcd8d35399d4604d9ce03823d79a6a63510ca8a1fbfdc001c095bd79fc715b438435faa0081f0a445aaf68171ebe0ece09e1998ac46704f3a2cdf6add
- Filesize: 43KB
  MD5: 2b9c47facb47d3c88e988adbb91c2aff
  SHA1: 08801cb6a187762c49b9a50d9777dfb84e8b40b8
  SHA256: f2020bd17b437fab6224d108de3bf19b98215043ecb2a7f9d02142289d8e8e50
  SHA512: 7165255ad3bbbccd32c1c6f704aefc68579bd55750e135e99a3682914a2316f46551ffc40eecb74f1f85d1af8903212fdb103b570c826210b08f67b3e7542ee2
- Filesize: 146KB
  MD5: 3d4839228c7ee77e28832879eeb17340
  SHA1: ebe4a6388c8c6831837e232b48b8f4266b7f711e
  SHA256: 5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954
  SHA512: f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56