Resubmissions
01/11/2024, 14:54
241101-sabgfs1hnd 801/11/2024, 13:44
241101-q1s33szjhy 331/10/2024, 12:23
241031-pkqgksyekn 830/10/2024, 12:31
241030-pp1hcatbrh 830/10/2024, 05:49
241030-gjbm2awnew 1029/10/2024, 13:23
241029-qnaqzawblk 828/10/2024, 18:37
241028-w9lm9aspaj 828/10/2024, 17:53
241028-wgjcessmg1 1030/03/2024, 20:59
240330-zstjbaee3s 8General
-
Target
Activator.exe
-
Size
628KB
-
Sample
241030-pp1hcatbrh
-
MD5
05d594d09d9da2815c1be83eed268fca
-
SHA1
725806deac12c65566e56e4c09eaa5cfa056a039
-
SHA256
edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
-
SHA512
450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
-
SSDEEP
12288:UyZ5jbw9WUUGdQywTALbqUeQOy9gHPj5moXkjmYfiNTJad2U1vdlEboSV:UylkUypahuCPjUgg4TQ2Z
Static task
static1
Behavioral task
behavioral1
Sample
Activator.exe
Resource
win11-20241007-en
Malware Config
Targets
-
-
Target
Activator.exe
-
Size
628KB
-
MD5
05d594d09d9da2815c1be83eed268fca
-
SHA1
725806deac12c65566e56e4c09eaa5cfa056a039
-
SHA256
edfaa64302a662837079d0196091bf93b0b9bd9e73441a94b306b67e0f90932f
-
SHA512
450a4c792709191911095fda0906afa5014ca8127865ab3348abadb46c0df52aa4d5d209f024199e4896ce88ae9001d10f956b5310d2227ee12982fa2cb2e7cf
-
SSDEEP
12288:UyZ5jbw9WUUGdQywTALbqUeQOy9gHPj5moXkjmYfiNTJad2U1vdlEboSV:UylkUypahuCPjUgg4TQ2Z
-
Adds policy Run key to start application
-
Drops file in Drivers directory
-
Event Triggered Execution: AppCert DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Sets service image path in registry
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Browser Extensions
1Event Triggered Execution
3AppCert DLLs
1Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
3AppCert DLLs
1Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
7Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1