Analysis Overview
SHA256
7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
Threat Level: Likely malicious
The file Activation.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 16:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 16:20
Reported
2024-11-04 16:25
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\Activation.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Windows Activation Fix
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 16:20
Reported
2024-11-04 16:25
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IME\permissions.bat | C:\Users\Admin\AppData\Local\Temp\Activation.exe | N/A |
| File created | C:\Windows\IME\reset.bat | C:\Users\Admin\AppData\Local\Temp\Activation.exe | N/A |
| File created | C:\Windows\IME\activator.bat | C:\Users\Admin\AppData\Local\Temp\Activation.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\Activation.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Windows Activation Fix
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Starting...
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
C:\Windows\system32\takeown.exe
takeown /F C:\Windows\System32\sppsvc.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\spp /grant administrators:F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Applying permissions...
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
C:\Windows\system32\net.exe
net stop sppsvc
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc
C:\Windows\system32\net.exe
net start sppsvc
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start sppsvc
C:\Windows\system32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs /rilc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
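The behavioral1 process tree above is, in effect, a four-stage procedure: take ownership of sppsvc.exe and grant Administrators full control over System32 and System32\spp (permissions.bat), grant the service SID NT Service\sppsvc FullControl on the licensing registry keys (WPA, SPP, SoftwareProtectionPlatform, the SPPSVC service key) and on System32 via Set-Acl, restart sppsvc and run slmgr.vbs /rilc (reset.bat), then launch activator.bat, whose contents the report does not show. Two details matter for detection: every PowerShell command appears twice (once as the cmd.exe /c wrapper, once as the powershell.exe child, with %windir% expanded only in the child), and the individual commands (net stop sppsvc, slmgr /rilc, even icacls) are routine on their own, so a useful rule correlates several stages under one root process rather than alerting on any one line. The script below is an added example, not part of this report or of any sandbox's own signature set. It takes process-creation events shaped as (pid, ppid, command line), as a Sysmon event 1 or 4688 feed would supply; the PIDs are invented, the command lines are copied from the tree above, %windir% is assumed to be C:\Windows, and the rule names are hypothetical.

```python
"""Correlate the ACL-weakening stages seen in the Activation.exe process tree
under one root process (added example; not the report's own detection logic)."""
import re
from collections import defaultdict

# --- constructed sample input -------------------------------------------------
# Subset of the behavioral1 process tree as (pid, ppid, command line).
# Command lines are the report's; PIDs are invented for this example.
PS_WPA = (r"powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; "
          r"$rule = New-Object System.Security.AccessControl.RegistryAccessRule "
          r"('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); "
          r"$acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl")
PS_SYS32 = (r"powershell.exe -c $acl = Get-Acl '%windir%\System32'; "
            r"$rule = New-Object System.Security.AccessControl.FileSystemAccessRule "
            r"('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); "
            r"$acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl")
SAMPLE_EVENTS = [
    (1000, 900,  r'"C:\Users\Admin\AppData\Local\Temp\Activation.exe"'),
    (1001, 1000, r"C:\Windows\system32\cmd.exe /c title Windows Activation Fix"),
    (1002, 1000, r"C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation"),
    (1003, 1000, r"C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat"),
    (1004, 1003, r"takeown /F C:\Windows\System32\sppsvc.exe"),
    (1005, 1003, r"icacls C:\Windows\System32 /grant administrators:F /T"),
    (1006, 1003, r"icacls C:\Windows\System32\spp /grant administrators:F /T"),
    (1007, 1003, r"C:\Windows\system32\cmd.exe /c " + PS_WPA),   # cmd wrapper ...
    (1008, 1007, PS_WPA),                                         # ... and its powershell child
    (1009, 1003, r"C:\Windows\system32\cmd.exe /c " + PS_SYS32),
    (1010, 1003, r"net stop sppsvc"),
    (1011, 1010, r"C:\Windows\system32\net1 stop sppsvc"),
    (1012, 1003, r"cscript.exe C:\Windows\System32\slmgr.vbs /rilc"),
    # unrelated admin activity under a different parent; the rules must stay quiet on it
    (2000, 900,  r"icacls C:\Projects\build /grant Users:RX /T"),
]

# Matches a leading "<path>\cmd.exe /c " so parent and child reduce to the same string.
_CMD_WRAPPER = re.compile(r'^(?:"?\S*\\)?cmd(?:\.exe)?"? /c (.*)$')

# Rule names are hypothetical. Patterns run against normalize()d command lines.
RULES = {
    "takeown_sppsvc":             re.compile(r"^takeown\b.*\\system32\\sppsvc\.exe"),
    "icacls_system32_admin_full": re.compile(r"^icacls\s+\S*\\system32(\\spp)?\s+/grant\s+administrators:f\b"),
    # Set-Acl granting the sppsvc service SID FullControl on licensing state, registry or file system
    "setacl_sppsvc_fullcontrol":  re.compile(
        r"accessrule \('nt service\\sppsvc','fullcontrol'.*set-acl -path '("
        r"hklm:\\system\\wpa|"
        r"hklm:\\software\\microsoft\\windows nt\\currentversion\\(spp|softwareprotectionplatform)|"
        r"hklm:\\system\\currentcontrolset\\services\\sppsvc|"
        r"c:\\windows\\system32(\\spp)?)'"),
    "sppsvc_restart":             re.compile(r"(^|\\)net1? (stop|start) sppsvc$"),
    "slmgr_rilc":                 re.compile(r"slmgr\.vbs /rilc\b"),
    "bat_in_windows_ime":         re.compile(r"\\windows\\ime\\[^\\ ]+\.bat$"),
}


def normalize(cmdline: str) -> str:
    """Lower-case, collapse whitespace, expand %windir% (assumed C:\\Windows) and strip one
    'cmd.exe /c' wrapper, so the cmd parent and the program it launches compare equal."""
    s = re.sub(r"\s+", " ", cmdline.strip().lower()).replace("%windir%", r"c:\windows")
    m = _CMD_WRAPPER.match(s)
    return m.group(1) if m else s


def root_of(pid: int, parent_of: dict) -> int:
    """Walk up the parent chain while the parent is itself one of the observed events."""
    seen = {pid}
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
        if pid in seen:          # defensive: PID reuse could produce a cycle in real logs
            break
        seen.add(pid)
    return pid


def detect(events) -> dict:
    """Return {root_pid: set(rule names)}; duplicate hits (wrapper + child) collapse into the set."""
    parent_of = {pid: ppid for pid, ppid, _ in events}
    stages = defaultdict(set)
    for pid, _, cmdline in events:
        cmd = normalize(cmdline)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                stages[root_of(pid, parent_of)].add(name)
    return dict(stages)


def alerts(events, min_stages: int = 3) -> list:
    """Roots that reached at least min_stages distinct stages, as (root_pid, sorted stage names)."""
    return [(root, sorted(s)) for root, s in sorted(detect(events).items()) if len(s) >= min_stages]


if __name__ == "__main__":
    for root, stages in alerts(SAMPLE_EVENTS):
        print(f"root pid {root}: {len(stages)} stages -> {', '.join(stages)}")
```

Run on the sample, the Activation.exe root (pid 1000) accumulates all six stages while the unrelated icacls under pid 2000 matches nothing; the wrapper and child copies of each PowerShell command count once because hits are stored per root as a set. The threshold exists because net stop sppsvc, slmgr /rilc and an icacls grant each occur in legitimate administration; it is the combination under one ancestor that reproduces this report's sequence. Two caveats from the report itself: the win10 run (behavioral2) recorded nothing past the initial pause, so only the Windows 7 run exercised the batch files, and activator.bat is hashed but not expanded, so what happens after reset.bat is not visible here. On a host where this has run, the equivalent check is Get-Acl on the four registry keys and on System32 and System32\spp, comparing the ACEs for NT Service\sppsvc and Administrators against a known-good machine of the same build rather than against an assumed default.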
Network
Files
C:\Windows\IME\permissions.bat
| MD5 | 4be7ca8b30ea192628228857b5005655 |
| SHA1 | 588a60df54f8ff2924b2fd569dfc39ce5ae17cfd |
| SHA256 | 5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853 |
| SHA512 | 169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4 |
memory/2404-6-0x000000001B590000-0x000000001B872000-memory.dmp
memory/2404-7-0x0000000002A70000-0x0000000002A78000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 58b0adc4bfb05ae9dc5d011870994aa7 |
| SHA1 | 721f2c33b5a97609920f63a1fea6f970b5ee7591 |
| SHA256 | 4806a41dfd8e71daaa678227d0a86b7d2763e8be8660ae0828e0817fc84ea04b |
| SHA512 | 353374926d2ee7e86f8adb0934d17add38827a2327cb70ac5b8137134a4743c2e3bb76741c7ca3f19546501872872975ff8f87a4a3ba12a55f96d435c34483a1 |
memory/2952-13-0x000000001B570000-0x000000001B852000-memory.dmp
memory/2952-14-0x00000000029F0000-0x00000000029F8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\IME\reset.bat
| MD5 | 939378e1c9e25f424c618a379e61fc48 |
| SHA1 | 45822124d56b6e6efcfbaab246feff695b7098d4 |
| SHA256 | fd805584b817ad0b320c85653a5bd7342650359feae60e5a3e722d5571542146 |
| SHA512 | 3833f14692f5cdfea285654f91ac814a89bf189a4db99b0fc1e817905d9929f6f4b184db5a51269f9b82170a14af2c5e0510150201cea03177cab04fb26494fb |
C:\Windows\IME\activator.bat
| MD5 | 365b88395524dec0af52387ed73317ce |
| SHA1 | 66a6e96fb198e8749c9086e35b2b2f85aa21c63c |
| SHA256 | 99ada36422b17257eba9d9cc5d123907589f638aa9564bc8fb000261cc9c1c10 |
| SHA512 | 46efce6af2a90ace25842fd0d85212463c3b6ba2a6f8e089ee29381d960a745a278b86b49bf3330d686b140e3fc66c9cc8ac70df7f05d8e0ecac694dc542cff5 |