Overview

overview

10

Static

static

3

a2662fb73b...18.exe

windows7-x64

10

a2662fb73b...18.exe

windows10-2004-x64

10

$APPDATA/R...er.exe

windows7-x64

6

$APPDATA/R...er.exe

windows10-2004-x64

6

$TEMP/KeyActivate.exe

windows7-x64

8

$TEMP/KeyActivate.exe

windows10-2004-x64

8

$TEMP/launcher.exe

windows7-x64

10

$TEMP/launcher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/KeyActivate.exe

  • Size

    569KB

  • MD5

    9bb06ab42d4883d1315641b62dd65e58

  • SHA1

    e58876178a5cfc69c62c6f72c06c6f34b3e4b821

  • SHA256

    d1347ceaeb056a0ba1ceb2a674864c2b6123c5ec516d1de0d6f1b17653638474

  • SHA512

    1ca41b28fa675c6b7f8efc9d5fa9e515324985e7715f0bca33c5e75ccf85845096cbc44688a0a7f6b1c73a807031ffe1814873b51559d56e9f608525250870c8

  • SSDEEP

    6144:KtkWYHHmXrDcmnBQmt3xRdyaAqbvdPeaNx9MuxY+NdxCM2o:Kksrfe2vdTdPeoxeu1L2o

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\KeyActivate.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\KeyActivate.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\system32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\$TEMP\KeyActivate.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\$TEMP\KeyActivate.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3024
        • C:\Windows\system32\services32.exe
          "C:\Windows\system32\services32.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1840
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2220
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2032
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:496
            • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
              C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:892
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1564
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:536
              • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                7⤵
                • Executes dropped EXE
                PID:1548
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                7⤵
                  PID:2028
                  • C:\Windows\system32\choice.exe
                    choice /C Y /N /D Y /T 3
                    8⤵
                      PID:2696
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:628
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                5⤵
                  PID:944

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          09199a653c794b30efcb7d56b648addd

          SHA1

          d1b680bda262894a180052c5aa03133b2814bb32

          SHA256

          9257ea572c57c131a6d4a960e020bd147e1f3c005d17efa7a61b65093950055e

          SHA512

          63248cfbdf32ab4a72a1e7e1a4f25d0d06fd5fab575988bb42ce83d617e9c41a9028aaf2f02f0181cdfa0ceab196f1cc8ff453789e8a37b1a1c8e609e03fa39e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Cab5F42.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar5F64.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          4e681612dd7dc3d59c1c4371bd01144f

          SHA1

          2328d064774b151f5cf6ae613ff6cb3b1508680a

          SHA256

          4045adec59d82cdbba716411b2e4e6fb360731a10a4c8a5e9793d8349f0c5035

          SHA512

          be871ff68731287ddcc9f40d383607e6a997caf6ff53257c38d5b26b5ab2e106e1f77019e8dc3d3551a8c82f1c9c849b4de5e99831f6f987dbf292d92ce2fe40

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          eff9cc2d9857bba66bbc24f24be66220

          SHA1

          5f9d371ab94f780bda904619f6bdfa8605d95279

          SHA256

          5468f908420991d3e06f17566d7ea91ca9a8bb3b5f9584410044126edadc1130

          SHA512

          ece7ba86ece762960f978192535d3a82c02396d29ade203b8530beb0fbe6d2b6d9e3959297f58ec77634909de82a58d09a40e2ea28fe648db097fcc55540e228

          Download Submit

        • \Users\Admin\AppData\Local\Temp\svchost32.exe
          Filesize

          119KB

          MD5

          25ded84c49d528dd9e42b67957a50054

          SHA1

          bd60e556f58a1003f61c4a8a5030827e83e9e5b7

          SHA256

          d8c727520b198021c1ea7dd848900be0c21d308028f46982796c027a53e9a2de

          SHA512

          643a3b90c06a5d1e9b01df9c616aebf393a249a50610a4489d4fb7135a4b813371f53caaaf41c85d03879193d55b9715acf1a6ceb250b9b0a5d9274e94bf70bc

          Download Submit

        • \Windows\System32\Microsoft\Telemetry\sihost32.exe
          Filesize

          51KB

          MD5

          45a31abb24f3e89a782878eaf61b0fa1

          SHA1

          5fcad02840a08f7a74dfbb5b1b08d07b3b3c03da

          SHA256

          95c4af41d733e31b1208cf70e34faf56856ccdf0f5f8a2a29ec37ba81b68402b

          SHA512

          90a0d2c0b7b4e5aa1853d5dea654de93e34e196c57aff6b0102d1984c2427fc6e2dca936de3998b320e3dc438411ff7b1bece05374e0d48cec7dc632d326a15f

          Download Submit

        • \Windows\System32\services32.exe
          Filesize

          569KB

          MD5

          9bb06ab42d4883d1315641b62dd65e58

          SHA1

          e58876178a5cfc69c62c6f72c06c6f34b3e4b821

          SHA256

          d1347ceaeb056a0ba1ceb2a674864c2b6123c5ec516d1de0d6f1b17653638474

          SHA512

          1ca41b28fa675c6b7f8efc9d5fa9e515324985e7715f0bca33c5e75ccf85845096cbc44688a0a7f6b1c73a807031ffe1814873b51559d56e9f608525250870c8

          Download Submit

        • memory/892-77-0x000000013F4E0000-0x000000013F502000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1548-85-0x0000000000540000-0x0000000000546000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1548-84-0x000000013FCB0000-0x000000013FCC2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2228-12-0x0000000002880000-0x0000000002888000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2228-11-0x000000001B510000-0x000000001B7F2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2228-8-0x000007FEF2F3E000-0x000007FEF2F3F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2228-15-0x000007FEF2C80000-0x000007FEF361D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2228-9-0x000007FEF2C80000-0x000007FEF361D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2228-10-0x000007FEF2C80000-0x000007FEF361D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2228-13-0x000007FEF2C80000-0x000007FEF361D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2228-14-0x000007FEF2C80000-0x000007FEF361D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2308-35-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2308-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2308-37-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2308-34-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2308-3-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2308-2-0x0000000000650000-0x0000000000672000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2308-1-0x000000013F1C0000-0x000000013F252000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2804-21-0x000000001B630000-0x000000001B912000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2804-22-0x0000000001C80000-0x0000000001C88000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2848-43-0x0000000000540000-0x0000000000552000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2848-42-0x000000013F040000-0x000000013F062000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2892-50-0x000000013F180000-0x000000013F212000-memory.dmp

          Filesize

          584KB

          Download