Resubmissions
01/11/2024, 14:54
241101-sabgfs1hnd 801/11/2024, 13:44
241101-q1s33szjhy 331/10/2024, 12:23
241031-pkqgksyekn 830/10/2024, 12:31
241030-pp1hcatbrh 830/10/2024, 05:49
241030-gjbm2awnew 1029/10/2024, 13:23
241029-qnaqzawblk 828/10/2024, 18:37
241028-w9lm9aspaj 828/10/2024, 17:53
241028-wgjcessmg1 1030/03/2024, 20:59
240330-zstjbaee3s 8General
-
Target
Activator.exe
-
Size
628KB
-
Sample
241029-qnaqzawblk
-
MD5
05d594d09d9da2815c1be83eed268fca
-
SHA1
725806deac12c65566e56e4c09eaa5cfa056a039
-
SHA256
edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
-
SHA512
450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
-
SSDEEP
12288:UyZ5jbw9WUUGdQywTALbqUeQOy9gHPj5moXkjmYfiNTJad2U1vdlEboSV:UylkUypahuCPjUgg4TQ2Z
Static task
static1
Behavioral task
behavioral1
Sample
Activator.exe
Resource
win11-20241007-en
Malware Config
Targets
-
-
Target
Activator.exe
-
Size
628KB
-
MD5
05d594d09d9da2815c1be83eed268fca
-
SHA1
725806deac12c65566e56e4c09eaa5cfa056a039
-
SHA256
edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
-
SHA512
450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
-
SSDEEP
12288:UyZ5jbw9WUUGdQywTALbqUeQOy9gHPj5moXkjmYfiNTJad2U1vdlEboSV:UylkUypahuCPjUgg4TQ2Z
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables RegEdit via registry modification
-
Disables cmd.exe use via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Sets service image path in registry
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
1Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1