Analysis
-
max time kernel
106s -
max time network
90s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-es -
resource tags
-
submitted
21/03/2023, 02:31
General
-
Target
KMSAuto++ x64.exe
-
Size
20.6MB
-
MD5
5076887cdcff4c84195e217da3b4ff5e
-
SHA1
4b7d9b9bc7709e50e705a9734f3d91ec3ac2e003
-
SHA256
9d7acc4d6c1566bcc909a3f47f90e607a65bc7960a1e380d88d3df628326990f
-
SHA512
84c425e25c0ecbfbfcdaded8b2a8694c64dbdb66080891f5bd6baa3b3634a4f05373c26c7862d62302e3c93c096c957319b438e37bebf6826487a84bb861d703
-
SSDEEP
393216:8JPwet9QQGSu5zMMV5zi1rbEuInDjWOf+804dzlxa0oWAGKvNA2moqk3UbxB5P0o:oPw79zMMV500uIn3TW80c20oJq2moB3A
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\signtool.exe"C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SECOPatcher.dll"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SECOPatcher.dll"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\dControl.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\dControl.exe"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc licensemanager2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe qc licensemanager3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc wuauserv2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe qc wuauserv3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc wlidsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe qc wlidsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start licensemanager2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe start licensemanager3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start wuauserv2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe start wuauserv3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start wlidsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe start wlidsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 482⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 483⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 12⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c gatherosstate.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\BIN\gatherosstate.exegatherosstate.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\2⤵
-
C:\Windows\System32\ClipUp.exeC:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\3⤵
-
C:\Windows\System32\ClipUp.exeC:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\ -ppl C:\Users\Admin\AppData\Local\Temp\tem1A10.tmp4⤵
- Checks SCSI registry key(s)
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato2⤵
-
C:\Windows\system32\cscript.execscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f2⤵
-
C:\Windows\System32\reg.exereg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr2⤵
-
C:\Windows\system32\cscript.execscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /F /Q2⤵
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b4 0x33c1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b5e07f3d9ed0d30ec394936c758bdb9c
SHA19997783bc02e95842693c95f567d6498dd38c5af
SHA2569e907a5f497e5286eab60c4c0ba6c50013cde71d18083f2bc54a7227053780c9
SHA5126a09466d9cbac145a7cac53ca1bd2c10b6f3c8d86a9db4b985d8b88b1bd33965c7e10deafda74d5229ca4f5d39cbcb7c5f210d0543a14e7ac2c0ff70751b17bc
-
Filesize
13KB
MD531e221d3b930629a14ed2af067f777e3
SHA1aae9a700c9bb97581f3e15ea133f754cc950b690
SHA25632073d9d5706476785e3fbcb208b65dff56038c6ca9a8a2b15d2ab1590cc8e04
SHA5120b6900bc5917908e6ef7ee9d5656b55132c4e2cccfde42eb375a58b81db2712ed0c6344f95b509b74f83bbaf91c0617e3649c597419ab90eedfcf924692f688f
-
Filesize
1.3MB
MD5b13bc5b62f54607c334a6464d9b85cc8
SHA112721c69acbcb515f7adbee08ec42fc61192c187
SHA25651791625054b01802fd5aaa6c4a929827b369dfef7b2891b5f55e0fa61af0c7d
SHA51258a9c4e413992b8c225fd622934929382070cbe8c8999bdb93851a1f46a0129d674135eacce2b3f96a19dfbb7333e3b921b5e39b727339c9897de7a02d2ce3bf
-
Filesize
13KB
MD531e221d3b930629a14ed2af067f777e3
SHA1aae9a700c9bb97581f3e15ea133f754cc950b690
SHA25632073d9d5706476785e3fbcb208b65dff56038c6ca9a8a2b15d2ab1590cc8e04
SHA5120b6900bc5917908e6ef7ee9d5656b55132c4e2cccfde42eb375a58b81db2712ed0c6344f95b509b74f83bbaf91c0617e3649c597419ab90eedfcf924692f688f
-
Filesize
13KB
MD531e221d3b930629a14ed2af067f777e3
SHA1aae9a700c9bb97581f3e15ea133f754cc950b690
SHA25632073d9d5706476785e3fbcb208b65dff56038c6ca9a8a2b15d2ab1590cc8e04
SHA5120b6900bc5917908e6ef7ee9d5656b55132c4e2cccfde42eb375a58b81db2712ed0c6344f95b509b74f83bbaf91c0617e3649c597419ab90eedfcf924692f688f
-
Filesize
323KB
MD505624e6d27eaef0db0673ae627bd6027
SHA1b155c76bf59992a8d75d0e3a59dc94f24aff2591
SHA256962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
SHA512233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
-
Filesize
139KB
MD53903bcab32a4a853dfa54962112d4d02
SHA1ba6433fba48797cd43463441358004ac81b76a8b
SHA25695fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816
SHA512db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a
-
Filesize
582B
MD5e2c91142c0e9329879ca0aaff56f5b3a
SHA194da96fe12c2a4b8afcbc3c8c5a5567a465a21b8
SHA25680cb6a1dad4fbe0434c2ca74cb1f6c95ffe7176358bc50d3672c8a19c051641c
SHA5124011a2545193125d8101045dd1dd8ae04f5d1055e9600d1807f314403b46163125e21466c996f0127241490f7255f38aaa0dec1c1a5c72a138230ef676f9140b
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
100KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
22.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB