Analysis
-
max time kernel
128s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
15-07-2024 08:26
Static task
static1
Behavioral task
behavioral1
Sample
ActivationInstaller.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ActivationInstaller.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
ActivationInstaller.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
ActivationInstaller.exe
Resource
win11-20240709-en
General
-
Target
ActivationInstaller.exe
-
Size
81.3MB
-
MD5
957ba128368e4fa0302f26bcf8761d39
-
SHA1
d392831805ce8ac2a7b08bf10450cae38cef26e6
-
SHA256
d1666afed152ebffa4ee4708ae54b11324ae063804a370c712391afd5acbbb33
-
SHA512
878fc9bd5a40b9cb1e99adda89b477d018f9acb1aa061cd270175d98e1dee6bcf890d56e01a6ec43ca44700b16ac073fa95e7edca392ed144d0a6cf90c9452f0
-
SSDEEP
786432:FmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiK:ssssssssss
Malware Config
Signatures
-
pid Process 4008 powershell.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3164 powershell.exe 3164 powershell.exe 3164 powershell.exe 4008 powershell.exe 4008 powershell.exe 4008 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3164 powershell.exe Token: SeDebugPrivilege 2772 ActivationInstaller.exe Token: SeDebugPrivilege 4008 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2772 wrote to memory of 3164 2772 ActivationInstaller.exe 74 PID 2772 wrote to memory of 3164 2772 ActivationInstaller.exe 74 PID 2772 wrote to memory of 3164 2772 ActivationInstaller.exe 74 PID 2772 wrote to memory of 4008 2772 ActivationInstaller.exe 76 PID 2772 wrote to memory of 4008 2772 ActivationInstaller.exe 76 PID 2772 wrote to memory of 4008 2772 ActivationInstaller.exe 76
Processes
-
C:\Users\Admin\AppData\Local\Temp\ActivationInstaller.exe"C:\Users\Admin\AppData\Local\Temp\ActivationInstaller.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\8FXIE3BP.exe'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5393663b501f5957d52ebb27691c155f6
SHA1bb67fdbf7860455fd523d516c787e51ba69f7bcb
SHA256e1f4889095e298d71e7279bc2e0a519102fd20b92efa9ee7b6c505d2f25582ef
SHA512235fee61dbe63f5382dd26908ae9a14232fc52cebdbf4f74c7fc6d29b31f6eedebd2bb3f8c2012cfbf4fafb48985936912681cfe3896d50a640d5c8331491e4c
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
4KB
MD5c32374da6c6ebe950a259a2eb2ea9398
SHA14842e725800143ea9d9e2e6123f0082a882f7fa3
SHA256cff96adb2b8d25f078a51866397459e686dbc95b0fdc477fe5eea86ccd09aa1c
SHA51272809956360dbc978a11be219187d4f0e7db79ce3d727da3fddb7537f0fe9ba4b97f97f201815c38500556e0e09fe962b274519db23bfcab9adbefbfc63510ad