ec6a3b8ca35b6fe0c19c0421fe19f29fc8899d9b25d242f13be26fb08d9e2afe

General

Target

OPEN_SETUP_FILE_KMS_PICO_FULL.exe
Size

9.5MB
MD5

40637b33eac9f79cdeb8df7975d80c85
SHA1

fb167f4a7c9cfbf14df59accea1961160871c729
SHA256

ec6a3b8ca35b6fe0c19c0421fe19f29fc8899d9b25d242f13be26fb08d9e2afe
SHA512

e83359d020e2c691ac1df6161948fc3b92b5869e7c29c083c43543c4fc882ceabdde8d1e02ea4abbfd61f80038f6b5ca8a9e6410b8199daf94ec24a83823e14a
SSDEEP

196608:pxVQ9qHvHe98YVPEmzF/+Ek9amX46X8bViIJ+11R/c3CKS6:/VQ9qbYVMmt3C7X4NLOX/4CKl

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OPEN_SETUP_FILE_KMS_PICO_FULL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	OPEN_SETUP_FILE_KMS_PICO_FULL.exe

Executes dropped EXE 3 IoCs

Processes:

Setup.exeKMSpico.exeKMSpico.tmp

pid process

4412 Setup.exe
4344 KMSpico.exe
756 KMSpico.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4412	Setup.exe
4344	KMSpico.exe
756	KMSpico.tmp

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Setup.exe

Drops file in System32 directory 1 IoCs

Processes:

KMSpico.tmp

description ioc process

File opened for modification C:\Windows\system32\Vestris.ResourceLib.dll KMSpico.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	KMSpico.tmp

Drops file in Program Files directory 14 IoCs

Processes:

OPEN_SETUP_FILE_KMS_PICO_FULL.exeKMSpico.tmp

description	ioc	process
File created	C:\Program Files (x86)\manque1\KMSpico.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files\KMSpico\AutoPico.exe	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll	KMSpico.tmp
File created	C:\Program Files\KMSpico\unins000.dat	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\driver\tap-windows-9.21.0.exe	KMSpico.tmp
File opened for modification	C:\Program Files (x86)\manque1	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File created	C:\Program Files (x86)\manque1\__tmp_rar_sfx_access_check_240546796	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File created	C:\Program Files (x86)\manque1\Setup.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files (x86)\manque1\Setup.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files\KMSpico\Service_KMS.exe	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\KMSELDI.exe	KMSpico.tmp
File opened for modification	C:\Program Files (x86)\manque1\KMSpico.exe	OPEN_SETUP_FILE_KMS_PICO_FULL.exe
File opened for modification	C:\Program Files\KMSpico\UninsHs.exe	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\Vestris.ResourceLib.dll	KMSpico.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Setup.exeKMSpico.tmp

pid process

4412 Setup.exe
4412 Setup.exe
4412 Setup.exe
4412 Setup.exe
756 KMSpico.tmp
756 KMSpico.tmp

pid	process
4412	Setup.exe
4412	Setup.exe
4412	Setup.exe
4412	Setup.exe
756	KMSpico.tmp
756	KMSpico.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

OPEN_SETUP_FILE_KMS_PICO_FULL.exeKMSpico.exe

description	pid	process	target process
PID 2072 wrote to memory of 4412	2072	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	Setup.exe
PID 2072 wrote to memory of 4412	2072	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	Setup.exe
PID 2072 wrote to memory of 4412	2072	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	Setup.exe
PID 2072 wrote to memory of 4344	2072	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	KMSpico.exe
PID 2072 wrote to memory of 4344	2072	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	KMSpico.exe
PID 2072 wrote to memory of 4344	2072	OPEN_SETUP_FILE_KMS_PICO_FULL.exe	KMSpico.exe
PID 4344 wrote to memory of 756	4344	KMSpico.exe	KMSpico.tmp
PID 4344 wrote to memory of 756	4344	KMSpico.exe	KMSpico.tmp
PID 4344 wrote to memory of 756	4344	KMSpico.exe	KMSpico.tmp

C:\Users\Admin\AppData\Local\Temp\OPEN_SETUP_FILE_KMS_PICO_FULL.exe
"C:\Users\Admin\AppData\Local\Temp\OPEN_SETUP_FILE_KMS_PICO_FULL.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files (x86)\manque1\Setup.exe
"C:\Program Files (x86)\manque1\Setup.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Program Files (x86)\manque1\KMSpico.exe
"C:\Program Files (x86)\manque1\KMSpico.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\is-QUEGB.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QUEGB.tmp\KMSpico.tmp" /SL5="$40090,2952592,69120,C:\Program Files (x86)\manque1\KMSpico.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\manque1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\manque1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\manque1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\manque1\Setup.exe
Filesize
722.1MB

MD5
15e546acf35ebe4f31f7ad2dabd995d9

SHA1
cfadc015760c7ba81b99b45137c21c678bedd434

SHA256
311fae07e5ada660dfc36057cd1004f35c797357545a07383948714c4af219c3

SHA512
4065e249783f4dfbf5f3eb0167c77fb31fdd4cec514676249b525f3041fdcc9b1bd16cbb4e51a2e314c2080b28af8ee8ba2b94a24efe8438db5bd84cd956a7da

Download Submit
C:\Program Files (x86)\manque1\Setup.exe
Filesize
550.2MB

MD5
c6cb1ec562aebf5d8b913b7250683d07

SHA1
4c1ff8d4889efa69ea2b719c050038ed76aa3abf

SHA256
cd337f6d5b5ad260a32dff4073943341363ad33a3cd242b4efe5f3260a4e52dd

SHA512
134f019427cb3a7f6c1824b66ae6c468ff5f533cdeba4f92afe85422d9bc1b84d524cdec63273640d952f54af27c618f582559e20f955f9eaad32cff0c5c54f2

Download Submit
C:\Program Files (x86)\manque1\Setup.exe
Filesize
490.9MB

MD5
c15bbda7debfb1217865bc7ae04431c4

SHA1
b70a47b79043070c04daa8dd1602f7be7736ff3b

SHA256
834133c60d370f2c56c5cce8e385976b37dd3e25b237cff00a78e1b3292b3d65

SHA512
b7b1c03666467f70577ac6be1b642e7d586a4c0e18636f1e95d82e8df12fcc00f07e1ea09e1532b48b6429da82821c80cf756634064008ff1e82a986932bddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QUEGB.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QUEGB.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
memory/756-182-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/756-167-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/756-195-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/756-187-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/756-184-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/756-173-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/756-175-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/756-176-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/756-178-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4344-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4344-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4412-169-0x0000000000400000-0x0000000000E15000-memory.dmp

Filesize
10.1MB

Download
memory/4412-168-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads