Analysis

  • max time kernel
    1614s
  • max time network
    1625s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2023, 17:47

General

  • Target

    KMS Tools Portable/data1.exe

  • Size

    57.2MB

  • MD5

    368cd11b5e8ab53da5cb2e4dfdcacd25

  • SHA1

    e449f3caefcb0ac728e479879915c9747daa5d3e

  • SHA256

    30bddd0af7c248a4ee44fda40cffc6df9466f1b82bfe3b4ceacf8a048b4f7e5f

  • SHA512

    29496a92c957b950e9a8f2a8f1cb3945fcd9c0b938f8f3e2f05184c48db15c0306beff5ab076a127200214adb242c8197e2c3c86e6812e88590ba292624c29f0

  • SSDEEP

    1572864:TgB265B3xdJEdmWagkncpMXu3Yr56hfzHNFJUH:TgB2659DiafncpMXu3+6BztF

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe
    "C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:580
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 localhost
          3⤵
          • Runs ping.exe
          PID:1612

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat

      Filesize

      205B

      MD5

      a174a822b65daf500c1f4198ea00adc7

      SHA1

      9598b15fd356a152adc026628eb31ea374c27a93

      SHA256

      d1534d8b002a69622e9ffd37427d539f1637449642c8fdd5f18b191e5eb05cc2

      SHA512

      94f506f00e2fa91fdbde0c7e675eed96d547ad8ed29ea1e0a155293224022be38b93633b6f921740f5d5c8c5365f4defc2393e8f4dfd02953e27d8deefc0db78

    • C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat

      Filesize

      205B

      MD5

      a174a822b65daf500c1f4198ea00adc7

      SHA1

      9598b15fd356a152adc026628eb31ea374c27a93

      SHA256

      d1534d8b002a69622e9ffd37427d539f1637449642c8fdd5f18b191e5eb05cc2

      SHA512

      94f506f00e2fa91fdbde0c7e675eed96d547ad8ed29ea1e0a155293224022be38b93633b6f921740f5d5c8c5365f4defc2393e8f4dfd02953e27d8deefc0db78