Analysis
- max time kernel: 146s
- max time network: 156s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 15-07-2024 08:26
Static task
- static1
Behavioral tasks
- behavioral1: sample ActivationInstaller.exe, resource win7-20240704-en
- behavioral2: sample ActivationInstaller.exe, resource win10-20240404-en
- behavioral3: sample ActivationInstaller.exe, resource win10v2004-20240709-en
- behavioral4: sample ActivationInstaller.exe, resource win11-20240709-en
General
- Target: ActivationInstaller.exe
- Size: 81.3MB
- MD5: 957ba128368e4fa0302f26bcf8761d39
- SHA1: d392831805ce8ac2a7b08bf10450cae38cef26e6
- SHA256: d1666afed152ebffa4ee4708ae54b11324ae063804a370c712391afd5acbbb33
- SHA512: 878fc9bd5a40b9cb1e99adda89b477d018f9acb1aa061cd270175d98e1dee6bcf890d56e01a6ec43ca44700b16ac073fa95e7edca392ed144d0a6cf90c9452f0
- SSDEEP: 786432:FmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiKbaiLD0QmiK:ssssssssss
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell
  pid | Process
  4192 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4088 | powershell.exe
  4088 | powershell.exe
  4192 | powershell.exe
  4192 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4088 | powershell.exe
  Token: SeDebugPrivilege | 812 | ActivationInstaller.exe
  Token: SeDebugPrivilege | 4192 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 812 wrote to memory of 4088 | 812 | ActivationInstaller.exe | 78
  PID 812 wrote to memory of 4088 | 812 | ActivationInstaller.exe | 78
  PID 812 wrote to memory of 4088 | 812 | ActivationInstaller.exe | 78
  PID 812 wrote to memory of 4192 | 812 | ActivationInstaller.exe | 80
  PID 812 wrote to memory of 4192 | 812 | ActivationInstaller.exe | 80
  PID 812 wrote to memory of 4192 | 812 | ActivationInstaller.exe | 80
Processes
- C:\Users\Admin\AppData\Local\Temp\ActivationInstaller.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ActivationInstaller.exe"
  PID: 812
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 812)
    Command line: "powershell.exe"
    PID: 4088
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 812)
    Command line: "powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\22E45C8K.exe'"
    PID: 4192
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: fc2145b918cbccfc6b5914811f5e73cf
  SHA1: d1e000f5b04c21d9d56f375cf059c12e3bed95f6
  SHA256: 038c3bb5d0eb6be91e89990cbc8a6582867959e52ee9efc8a5fcb0a863210cda
  SHA512: 38d79c9ab989032f666f988bfcd112a04a95321eb2610201013c3d6b0744dfa36e051136e9914a5a39e350e15a031b828818dd66b3f76adae59bfb3db4fc6fb4
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 4KB
  MD5: cfbd5f1f0c062eed7ad58ab7e5644a33
  SHA1: a19b1fe56a7352ccfe71441d2e54cd54f9f3237d
  SHA256: 7aaedcce3f05a91cd542ac7d48990ab890c3602c2345f5405f165f765d3b0778
  SHA512: 4f5fa484928f62aced79b1034e6665dd7dd94ce84350589c7fd8bf82a525937ec1e0f80e410cc4f600c2a807f07ee30f3a060dfded9bee99322fc4b967347ea0