Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 04-11-2024 16:20
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: Activation.exe; resource: win7-20241010-en)
- Behavioral task: behavioral2 (sample: Activation.exe; resource: win10v2004-20241007-en)
General
- Target: Activation.exe
- Size: 703KB
- MD5: 8c1d40db6464fd098716a317486db961
- SHA1: 4b4d82e0a91f11e1348488b9e9edd43697d9db67
- SHA256: 7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
- SHA512: 16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd
- SSDEEP: 6144:5UPAUV624Zk+nC+f8Z7DgMvVXYNlV8F/2/6utZeiXhOy8oMmkCOutH5BysohXWwm:5mV620nN8ZoAutZeiXhOBuOaBToo4ZY
Malware Config
Signatures
- Possible privilege escalation attempt (3 IoCs)
  Processes: 2816 icacls.exe, 2832 icacls.exe, 2808 takeown.exe
- Modifies file permissions (1 TTP, 3 IoCs)
  Processes: 2808 takeown.exe, 2816 icacls.exe, 2832 icacls.exe
- Command and Scripting Interpreter: PowerShell (6 IoCs; the signature name is missing from this record and is taken from the tags on these processes in the process tree below)
  Processes: 2404 powershell.exe, 2952 powershell.exe, 2540 powershell.exe, 1880 powershell.exe, 2728 powershell.exe, 624 powershell.exe
- Drops file in Windows directory (3 IoCs)
  Files created by Activation.exe: C:\Windows\IME\permissions.bat, C:\Windows\IME\reset.bat, C:\Windows\IME\activator.bat
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 2404 powershell.exe, 2952 powershell.exe, 2540 powershell.exe, 1880 powershell.exe, 2728 powershell.exe, 624 powershell.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token SeTakeOwnershipPrivilege: 2808 takeown.exe
  Token SeDebugPrivilege: 2404, 2952, 2540, 1880, 2728, 624 (all powershell.exe)
  Token SeSecurityPrivilege: 2728 powershell.exe, 624 powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Activation.exe (PID 2324) wrote to the memory of its cmd.exe children, three write events per target, in this order: 1908, 1628, 1592, 1900, 2428, 2424, 2456, 1924, 2192, 2244, 2032, 2176, 2712, 1224, 1976, 2668, then (after the permissions.bat subtree) 2676, 1884, 1952.
  cmd.exe (PID 2668) wrote to the memory of 2808 takeown.exe, 2816 icacls.exe and 2832 icacls.exe, three write events each.
  The record is capped at 64 IoCs and ends after the first write to PID 1952.
Processes
Tree depth is shown in brackets, followed by the PID, the image path and the command line. For cmd.exe entries the image path (C:\Windows\system32\cmd.exe) is the first token of the command line shown; signature tags follow each process as "- " items.

[1] PID 2324  C:\Users\Admin\AppData\Local\Temp\Activation.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Activation.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] PID 1908  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  [2] PID 1628  C:\Windows\system32\cmd.exe /c color 0b
  [2] PID 1592  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 1900  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  [2] PID 2428  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 2424  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 2456  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 1924  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  [2] PID 2192  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 2244  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 2032  C:\Windows\system32\cmd.exe /c echo.
  [2] PID 2176  C:\Windows\system32\cmd.exe /c pause
  [2] PID 2712  C:\Windows\system32\cmd.exe /c cls
  [2] PID 1224  C:\Windows\system32\cmd.exe /c cls
  [2] PID 1976  C:\Windows\system32\cmd.exe /c echo Starting...
  [2] PID 2668  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
      - Suspicious use of WriteProcessMemory
    [3] PID 2808  C:\Windows\system32\takeown.exe
        command: takeown /F C:\Windows\System32\sppsvc.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] PID 2816  C:\Windows\system32\icacls.exe
        command: icacls C:\Windows\System32 /grant administrators:F /T
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 2832  C:\Windows\system32\icacls.exe
        command: icacls C:\Windows\System32\spp /grant administrators:F /T
        - Possible privilege escalation attempt
        - Modifies file permissions
  [2] PID 2676  C:\Windows\system32\cmd.exe /c cls
  [2] PID 1884  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  [2] PID 1952  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    [3] PID 2404  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 2708  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    [3] PID 2952  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 2532  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    [3] PID 2540  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 2492  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    [3] PID 1880  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 1556  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
    [3] PID 2728  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 1516  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
    [3] PID 624   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 752   C:\Windows\system32\cmd.exe /c cls
  [2] PID 1688  C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
    [3] PID 2716  C:\Windows\system32\net.exe
        command: net stop sppsvc
      [4] PID 1664  C:\Windows\system32\net1.exe
          command: C:\Windows\system32\net1 stop sppsvc
    [3] PID 844   C:\Windows\system32\net.exe
        command: net start sppsvc
      [4] PID 1188  C:\Windows\system32\net1.exe
          command: C:\Windows\system32\net1 start sppsvc
    [3] PID 2944  C:\Windows\system32\cscript.exe
        command: cscript.exe C:\Windows\System32\slmgr.vbs /rilc
  [2] PID 1956  C:\Windows\system32\cmd.exe /c cls
  [2] PID 2940  C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
Network
MITRE ATT&CK Enterprise v15
Downloads