Analysis

  • max time kernel: 119s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-11-2024 16:20

General

  • Target: Activation.exe
  • Size: 703KB
  • MD5: 8c1d40db6464fd098716a317486db961
  • SHA1: 4b4d82e0a91f11e1348488b9e9edd43697d9db67
  • SHA256: 7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
  • SHA512: 16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd
  • SSDEEP: 6144:5UPAUV624Zk+nC+f8Z7DgMvVXYNlV8F/2/6utZeiXhOy8oMmkCOutH5BysohXWwm:5mV620nN8ZoAutZeiXhOBuOaBToo4ZY

Signatures

  • Possible privilege escalation attempt (3 IoCs)
  • Modifies file permissions (1 TTP, 3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
    Using powershell.exe command.
  • Drops file in Windows directory (3 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Activation.exe
    "C:\Users\Admin\AppData\Local\Temp\Activation.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c title Windows Activation Fix
      2⤵
      PID:1908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 0b
      2⤵
      PID:1628
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:1592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
      2⤵
      PID:1900
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:2428
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:2424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:2456
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
      2⤵
      PID:1924
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:2192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:2244
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo.
      2⤵
      PID:2032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      PID:2176
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2712
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1224
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo Starting...
      2⤵
      PID:1976
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\system32\takeown.exe
        takeown /F C:\Windows\System32\sppsvc.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2816
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\spp /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2676
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo Applying permissions...
      2⤵
      PID:1884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
      2⤵
      PID:1952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
      2⤵
      PID:2708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
      2⤵
      PID:2532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
      2⤵
      PID:2492
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
      2⤵
      PID:1556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
      2⤵
      PID:1516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:624
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:752
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
      2⤵
      PID:1688
      • C:\Windows\system32\net.exe
        net stop sppsvc
        3⤵
        PID:2716
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop sppsvc
          4⤵
          PID:1664
      • C:\Windows\system32\net.exe
        net start sppsvc
        3⤵
        PID:844
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start sppsvc
          4⤵
          PID:1188
      • C:\Windows\system32\cscript.exe
        cscript.exe C:\Windows\System32\slmgr.vbs /rilc
        3⤵
        PID:2944
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1956
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
      2⤵
      PID:2940

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 58b0adc4bfb05ae9dc5d011870994aa7
    SHA1: 721f2c33b5a97609920f63a1fea6f970b5ee7591
    SHA256: 4806a41dfd8e71daaa678227d0a86b7d2763e8be8660ae0828e0817fc84ea04b
    SHA512: 353374926d2ee7e86f8adb0934d17add38827a2327cb70ac5b8137134a4743c2e3bb76741c7ca3f19546501872872975ff8f87a4a3ba12a55f96d435c34483a1

  • C:\Windows\IME\activator.bat
    Filesize: 3KB
    MD5: 365b88395524dec0af52387ed73317ce
    SHA1: 66a6e96fb198e8749c9086e35b2b2f85aa21c63c
    SHA256: 99ada36422b17257eba9d9cc5d123907589f638aa9564bc8fb000261cc9c1c10
    SHA512: 46efce6af2a90ace25842fd0d85212463c3b6ba2a6f8e089ee29381d960a745a278b86b49bf3330d686b140e3fc66c9cc8ac70df7f05d8e0ecac694dc542cff5

  • C:\Windows\IME\permissions.bat
    Filesize: 162B
    MD5: 4be7ca8b30ea192628228857b5005655
    SHA1: 588a60df54f8ff2924b2fd569dfc39ce5ae17cfd
    SHA256: 5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853
    SHA512: 169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4

  • C:\Windows\IME\reset.bat
    Filesize: 325B
    MD5: 939378e1c9e25f424c618a379e61fc48
    SHA1: 45822124d56b6e6efcfbaab246feff695b7098d4
    SHA256: fd805584b817ad0b320c85653a5bd7342650359feae60e5a3e722d5571542146
    SHA512: 3833f14692f5cdfea285654f91ac814a89bf189a4db99b0fc1e817905d9929f6f4b184db5a51269f9b82170a14af2c5e0510150201cea03177cab04fb26494fb

  • \??\PIPE\srvsvc (no filesize recorded; the values below are the hashes of zero-length input)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2404-6-0x000000001B590000-0x000000001B872000-memory.dmp
    Filesize: 2.9MB

  • memory/2404-7-0x0000000002A70000-0x0000000002A78000-memory.dmp
    Filesize: 32KB

  • memory/2952-13-0x000000001B570000-0x000000001B852000-memory.dmp
    Filesize: 2.9MB

  • memory/2952-14-0x00000000029F0000-0x00000000029F8000-memory.dmp
    Filesize: 32KB