d6021ec49b9230d80dd07cfe08a43729ea7b5944eac9cb34c2a712c36a5592d8

Analysis

max time kernel
68s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 04:15

Target

KMSAuto Net.exe
Size

8.6MB
MD5

93a3a8ce440197d31168fac569082937
SHA1

fad3066803a1ba8f9cb8bb7d1969eea0398b5ea0
SHA256

22ef521964080e77d7006f9341d720683fa98409361c62a7bc4fe81ec474b1b2
SHA512

08efe7e24d8d9e484d39c1381421c3fbbf231e46a5ac33c22bf3735a06c4a3d278a752c25afeb4217cc663a6c6955a55985056a7d5d5142e57c2ac5d99e5d0c8
SSDEEP

196608:OkwywCAfywOwe+ZCcyw3ywsyw3ywZywcywZywBywEyw4ywwywmIBywyywsywcywy:3wCAqwU+ZowiwxwiwUwBwUw8wJwVwtwF

Score

1^/10

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1940	2020	KMSAuto Net.exe	26
PID 2020 wrote to memory of 1940	2020	KMSAuto Net.exe	26
PID 2020 wrote to memory of 1940	2020	KMSAuto Net.exe	26
PID 2020 wrote to memory of 1940	2020	KMSAuto Net.exe	26
PID 2020 wrote to memory of 1960	2020	KMSAuto Net.exe	28
PID 2020 wrote to memory of 1960	2020	KMSAuto Net.exe	28
PID 2020 wrote to memory of 1960	2020	KMSAuto Net.exe	28
PID 2020 wrote to memory of 1960	2020	KMSAuto Net.exe	28
PID 2020 wrote to memory of 2036	2020	KMSAuto Net.exe	30
PID 2020 wrote to memory of 2036	2020	KMSAuto Net.exe	30
PID 2020 wrote to memory of 2036	2020	KMSAuto Net.exe	30
PID 2020 wrote to memory of 2036	2020	KMSAuto Net.exe	30

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
  2⤵
  PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
  2⤵
  PID:2036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
memory/2020-54-0x0000000000D90000-0x0000000001626000-memory.dmp

Filesize
8.6MB

Download
memory/2020-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/2020-60-0x0000000005575000-0x0000000005586000-memory.dmp

Filesize
68KB

Download
memory/2020-61-0x0000000005575000-0x0000000005586000-memory.dmp

Filesize
68KB

Download