98b6f22370f59fd9482bf2f6c622c2afc92a441917328b2337d4b4780ab7201a

Resubmissions

28-03-2022 02:35

220328-c3bd6acaaj 10

Analysis

max time kernel
189s
max time network
282s
platform
windows10_x64
resource
win10-20220310-en
submitted
28-03-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mini-KMS_Activator_v1.3_Office2010_VL_ENG.exe
Size

1018KB
MD5

be7563a984dc5168ce14181b90432859
SHA1

b98280f7310095da26de3e448beb489998f74c54
SHA256

e9045c4012cdfd4f2911db303478527e2006aa3b148dfdbacae85b4ee3b52e5e
SHA512

363339b8c932c69473ae34daad38fb0f86979a6173a2ca570b28a767251299af97c81376a2b1c41f2eeabe86e6933a332f9c891d9eb2ba4893910fee1c6d3f12

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\apm567A.tmp	acprotect

Executes dropped EXE 2 IoCs

Processes:

cscript.exeautorun.exe

pid process

2448 cscript.exe
2156 autorun.exe

pid	process
2448	cscript.exe
2156	autorun.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\apm567A.tmp	upx

Loads dropped DLL 1 IoCs

Processes:

autorun.exe

pid process

2156 autorun.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2156	autorun.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

mini-KMS_Activator_v1.3_Office2010_VL_ENG.execmd.exe

description	pid	process	target process
PID 1552 wrote to memory of 1876	1552	mini-KMS_Activator_v1.3_Office2010_VL_ENG.exe	cmd.exe
PID 1552 wrote to memory of 1876	1552	mini-KMS_Activator_v1.3_Office2010_VL_ENG.exe	cmd.exe
PID 1552 wrote to memory of 1876	1552	mini-KMS_Activator_v1.3_Office2010_VL_ENG.exe	cmd.exe
PID 1876 wrote to memory of 2448	1876	cmd.exe	cscript.exe
PID 1876 wrote to memory of 2448	1876	cmd.exe	cscript.exe
PID 1876 wrote to memory of 2448	1876	cmd.exe	cscript.exe
PID 1876 wrote to memory of 2156	1876	cmd.exe	autorun.exe
PID 1876 wrote to memory of 2156	1876	cmd.exe	autorun.exe
PID 1876 wrote to memory of 2156	1876	cmd.exe	autorun.exe

C:\Users\Admin\AppData\Local\Temp\mini-KMS_Activator_v1.3_Office2010_VL_ENG.exe
"C:\Users\Admin\AppData\Local\Temp\mini-KMS_Activator_v1.3_Office2010_VL_ENG.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4544.tmp\Run.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\4544.tmp\cscript.exe
cscript HS_MESSAGE.vbs "Did you run the program as Administrator? " "Activation Tool" Q YESNO 30
3⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\4544.tmp\autorun.exe
autorun.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4544.tmp\HS_MESSAGE.vbs
Filesize
796B

MD5
af0559e0301b2f75fa7ce812c5296de8

SHA1
205ddd069a599d20f0e91e17bbf3250eb339cc9e

SHA256
56a32a3cd84010b6517ed492ae6eadac54e5a903f4a0d21b4db32431416d82a2

SHA512
b80b0a1e9f142b16fcd54b24b23b637115454bf637d1abbaf8f9076a33148331e26668dadaa16202fbdbfcdcb152db519a26cee52a01af82149fdf2af2e70db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4544.tmp\Run.cmd
Filesize
1KB

MD5
0b851d375a6a8a8b04431d9635371f85

SHA1
4cf97a4f0e3b04e476b4492cce7409a5c20b68ef

SHA256
706d9ddf9c333f9c77238d22500dfb294776220625755e5668dff80246fc48fa

SHA512
b5bbf8aaed186aaca7c87f2c8528ea669da3ac4fc3d09f136c56244b78369f2105d707fe37f2cd7b546c9ad676758184daa6799324838bb59bf1bd0d561fb35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4544.tmp\autorun.apm
Filesize
193KB

MD5
748f99ec78fc9e2e3bba87c6441dfd0e

SHA1
a87a9290cd1678c3ac0e69bbed924791a27bc540

SHA256
7d33cd2203c3e4268855f00d897f51eaf4b1d4f06e198d3a05d5f923e3ccd794

SHA512
9c320ed5b6a52384037b885cd8dcb850112466c0d47d78290ffd6f2955c59e847c303fa5778cfeb6f195fbf4cb5cbbfeabad121c478bbb2f67edb57470bbf368

Download Submit
C:\Users\Admin\AppData\Local\Temp\4544.tmp\autorun.exe
Filesize
1.4MB

MD5
c98d6abc5ae3fcd85f2ae09d95f584cb

SHA1
34a2fd801509cc81f3cd2fa8fa341143cbee1d93

SHA256
c8d480b605a9e3c13f411cd3a6da44ed460704f3e529719bdc536d983ceb024d

SHA512
4449171b6209c181b3b620ebac69ab899abcf4914e867eac6eb4ccc78dc990317daf513cc9884a81bb17b8013031835678b6f74357fbd948ea6d25cabdf70bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4544.tmp\autorun.exe
Filesize
1.4MB

MD5
c98d6abc5ae3fcd85f2ae09d95f584cb

SHA1
34a2fd801509cc81f3cd2fa8fa341143cbee1d93

SHA256
c8d480b605a9e3c13f411cd3a6da44ed460704f3e529719bdc536d983ceb024d

SHA512
4449171b6209c181b3b620ebac69ab899abcf4914e867eac6eb4ccc78dc990317daf513cc9884a81bb17b8013031835678b6f74357fbd948ea6d25cabdf70bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4544.tmp\cscript.exe
Filesize
149KB

MD5
34098403f9d8f71ce2ec749122168e89

SHA1
0aed0994e4b43bc3ecc2106dc1c1d3210c82b7d7

SHA256
12df0b06a9b56dce3efdb85984f84b387b1a5b61c9ebbf5a3bd61a5fbb996f60

SHA512
e5b27d305b2a1c411bffbbf6c6534a92ce17af807c69344ed31a2fee42639ac5fef97ef4a654c4d6b2b8d42ba808856b857e9b4d8c008a7ba98adbab6c6b9372

Download Submit
C:\Users\Admin\AppData\Local\Temp\4544.tmp\cscript.exe
Filesize
149KB

MD5
34098403f9d8f71ce2ec749122168e89

SHA1
0aed0994e4b43bc3ecc2106dc1c1d3210c82b7d7

SHA256
12df0b06a9b56dce3efdb85984f84b387b1a5b61c9ebbf5a3bd61a5fbb996f60

SHA512
e5b27d305b2a1c411bffbbf6c6534a92ce17af807c69344ed31a2fee42639ac5fef97ef4a654c4d6b2b8d42ba808856b857e9b4d8c008a7ba98adbab6c6b9372

Download Submit
\Users\Admin\AppData\Local\Temp\apm567A.tmp
Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
memory/1876-118-0x0000000000000000-mapping.dmp

Download
memory/2156-124-0x0000000000000000-mapping.dmp

Download
memory/2448-120-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads