Overview

overview

8

Static

static

3

activation.exe

windows7-x64

1

activation.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    activation.exe

  • Size

    13KB

  • MD5

    f92abba25b704e790d93cb75e30d58f2

  • SHA1

    653703511436edb8bd46682e62c8f300828be89d

  • SHA256

    adf78868f15f3d05f9dc8146e080d8a5132418b3ec0bcf615841b0dc0a463a90

  • SHA512

    56f2d95502fcd296c42d8509f7e803814098c1d7965584d1e91d79ed47dd19d3d873031f06ef9200d14a663ba633958cf0633a3b6940c1d0d801a817cf978c07

  • SSDEEP

    384:aFLou1CVtT4YpaT0YmeoZo33hUroJJUSF:8L/QVtTycihUsJJB

Score
8/10
discoveryevasionspywarestealer

Malware Config

Signatures

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\activation.exe
    "C:\Users\Admin\AppData\Local\Temp\activation.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\Downloads\ActSet\ActSet.exe
      "C:\Users\Admin\Downloads\ActSet\ActSet.exe"
      2⤵
      • Looks for VMWare Tools registry key
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3788
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipk W269N-WFGWX-YVC9B-4J6C9-ODAYX
      2⤵
        PID:3836
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /skms kms8.msguides.com
        2⤵
          PID:2568
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ato
          2⤵
            PID:4756
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /xpr
            2⤵
              PID:4280

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hemfznmc.shb.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/4844-14-0x000000001D980000-0x000000001D994000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4844-0-0x00000000007E0000-0x00000000007E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4844-11-0x000000001B310000-0x000000001B332000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4844-12-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4844-13-0x000000001D5F0000-0x000000001D616000-memory.dmp

            Filesize

            152KB

            Download

          • memory/4844-1-0x00007FFCE9D23000-0x00007FFCE9D25000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4844-15-0x00007FFCE9D23000-0x00007FFCE9D25000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4844-16-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4844-17-0x000000001DB00000-0x000000001DB12000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4844-18-0x000000001DAF0000-0x000000001DAFA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4844-19-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4844-32-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

            Filesize

            10.8MB

            Download