General

- Target: KMSPico sample.zip
- Size: 10.2MB
- Sample: 210702-g23w726pz6
- MD5: 6ca86d3e050029e9003b042eeb17a4a2
- SHA1: e51b40d94d843ed28724f7c1678c76995c0c72e6
- SHA256: c8be49d64cb962af43cb50ff6892ff8a41948820a2ec796314bdd1270d477387
- SHA512: e8da4b04ad19c503b702e5e24a28ce0bcc4e855e7faf1fc46ae144f694f4802304044b16326819a34d7939195665d70bddb9a131e9b2f67fedf8da58859b5e13

Static task: static1

Malware Config

Targets

- Target: KMSPico sample/KMSPico 11.2.1.exe
- Size: 10.3MB
- MD5: 9dcfad9454f9d4fc64e14f829c3e49ad
- SHA1: d948f568fea434999ae3c429ad5dbccfbe56a6bd
- SHA256: add0fc5f32e919997a4bc3763562e3859b08c24230dcef1714027945a0daa9f6
- SHA512: 5e5ac1c00889db7ea11765ec6dc1996fa3ff014e58047a2b3dbd421d9bd04c0a94badcb74eda789ba1abaec5cade4f4a8ec4c1d950e60e54591cf522d864c662
Signatures reported for this target:

- XMRig Miner Payload (the sandbox flags an embedded XMRig cryptominer; XMRig itself is an open-source Monero miner)
- Creates new service(s)
- Executes dropped EXE
- Sets file execution options in registry (Image File Execution Options keys, a well-known persistence and hijack location)
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext (an API commonly used in process-injection techniques such as process hollowing, where a suspended thread's context is rewritten to run attacker code)
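The two artifacts above (the archive and the executable inside it) have different hashes, so a host or share scan has to compare against both. The following is an added example, not part of the sandbox report: a small Python IOC checker that hashes files once with all four algorithms and reports which listed entry matched. The IOC dictionary is copied verbatim from the report; the file written in the demo is constructed data and is not the KMSPico sample.

```python
"""Hash-IOC check for the two artifacts listed in the report above.

Added example, not part of the sandbox report. The IOC dictionary is copied
from the report; the file written in the __main__ demo is constructed data
and is not the KMSPico sample.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Hashes exactly as listed in the report. The archive and the executable it
# contains hash differently, so a scan must match on either entry.
IOCS = {
    "KMSPico sample.zip": {
        "md5": "6ca86d3e050029e9003b042eeb17a4a2",
        "sha1": "e51b40d94d843ed28724f7c1678c76995c0c72e6",
        "sha256": "c8be49d64cb962af43cb50ff6892ff8a41948820a2ec796314bdd1270d477387",
        "sha512": "e8da4b04ad19c503b702e5e24a28ce0bcc4e855e7faf1fc46ae144f694f4802304044b16326819a34d7939195665d70bddb9a131e9b2f67fedf8da58859b5e13",
    },
    "KMSPico sample/KMSPico 11.2.1.exe": {
        "md5": "9dcfad9454f9d4fc64e14f829c3e49ad",
        "sha1": "d948f568fea434999ae3c429ad5dbccfbe56a6bd",
        "sha256": "add0fc5f32e919997a4bc3763562e3859b08c24230dcef1714027945a0daa9f6",
        "sha512": "5e5ac1c00889db7ea11765ec6dc1996fa3ff014e58047a2b3dbd421d9bd04c0a94badcb74eda789ba1abaec5cade4f4a8ec4c1d950e60e54591cf522d864c662",
    },
}


def _digests(chunks):
    """Feed an iterable of byte chunks through all four hashers in one pass."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digest_bytes(data):
    """Hash an in-memory byte string; returns {algorithm: hexdigest}."""
    return _digests([data])


def digest_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a ~10 MB sample is never fully in memory."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests, iocs=IOCS):
    """Return [(ioc_name, algorithm), ...] for every listed hash that matches.

    Comparison is case-insensitive because tools differ in hex case. A hit on
    any single algorithm flags the file; a hit on sha256 without a hit on md5
    for the same entry points at a transcription error in the IOC list rather
    than a different file, which is why every matching algorithm is returned.
    """
    matches = []
    for name, hashes in iocs.items():
        for alg, expected in hashes.items():
            if digests.get(alg, "").lower() == expected.lower():
                matches.append((name, alg))
    return matches


def scan(paths):
    """Map each path to its IOC matches (an empty list means no hit on this list)."""
    return {p: match_iocs(digest_file(p)) for p in paths}


if __name__ == "__main__":
    # Constructed demo file: not the sample, so it should produce no matches.
    fd, demo = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed demo bytes, not KMSPico\n" * 1000)
    try:
        for path, hits in scan([demo]).items():
            print(path, "MATCH" if hits else "no match", hits)
    finally:
        os.remove(demo)
```

Hash matching only catches byte-identical copies; a repacked or re-signed build of the same KMSPico bundle will not match any of these values, so treat a miss as "not this exact file" rather than "clean".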