Resubmissions
01/11/2024, 14:54
241101-sabgfs1hnd 801/11/2024, 13:44
241101-q1s33szjhy 331/10/2024, 12:23
241031-pkqgksyekn 830/10/2024, 12:31
241030-pp1hcatbrh 830/10/2024, 05:49
241030-gjbm2awnew 1029/10/2024, 13:23
241029-qnaqzawblk 828/10/2024, 18:37
241028-w9lm9aspaj 828/10/2024, 17:53
241028-wgjcessmg1 1030/03/2024, 20:59
240330-zstjbaee3s 8General
-
Target
Activator.exe
-
Size
628KB
-
Sample
241028-wgjcessmg1
-
MD5
05d594d09d9da2815c1be83eed268fca
-
SHA1
725806deac12c65566e56e4c09eaa5cfa056a039
-
SHA256
edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
-
SHA512
450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
-
SSDEEP
12288:UyZ5jbw9WUUGdQywTALbqUeQOy9gHPj5moXkjmYfiNTJad2U1vdlEboSV:UylkUypahuCPjUgg4TQ2Z
Static task
static1
Behavioral task
behavioral1
Sample
Activator.exe
Resource
win11-20241007-en
Malware Config
Targets
-
-
Target
Activator.exe
-
Size
628KB
-
MD5
05d594d09d9da2815c1be83eed268fca
-
SHA1
725806deac12c65566e56e4c09eaa5cfa056a039
-
SHA256
edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
-
SHA512
450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
-
SSDEEP
12288:UyZ5jbw9WUUGdQywTALbqUeQOy9gHPj5moXkjmYfiNTJad2U1vdlEboSV:UylkUypahuCPjUgg4TQ2Z
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Creates new service(s)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Event Triggered Execution: Image File Execution Options Injection
-
Looks for Xen service registry key.
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Boot or Logon Autostart Execution: Authentication Package
Suspicious Windows Authentication Registry Modification.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
7Active Setup
1Authentication Package
1Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
4AppInit DLLs
1Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
7Active Setup
1Authentication Package
1Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
4AppInit DLLs
1Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
1Clear Persistence
1Modify Registry
14Pre-OS Boot
1Bootkit
1Subvert Trust Controls
3Install Root Certificate
1SIP and Trust Provider Hijacking
2Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
3Query Registry
7Software Discovery
1Security Software Discovery
1System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
1