Overview

Overview: score 10
Static: score 7

Sample                Platform             Score
KMS Tools ...2).zip   windows7-x64         1
KMS Tools ...2).zip   windows10-2004-x64   1
KMS Tools ...on.cmd   windows7-x64         1
KMS Tools ...on.cmd   windows10-2004-x64   1
KMS Tools ...le.chm   windows7-x64         1
KMS Tools ...le.chm   windows10-2004-x64   1
KMS Tools ...ck.exe   windows7-x64         10
KMS Tools ...ck.exe   windows10-2004-x64   10
KMS Tools ...++.ini   windows7-x64         1
KMS Tools ...++.ini   windows10-2004-x64   1
KMS Tools ...a0.exe   windows7-x64         1
KMS Tools ...a0.exe   windows10-2004-x64   1
KMS Tools ...a1.exe   windows7-x64         7
KMS Tools ...a1.exe   windows10-2004-x64   3
KMS Tools ...me.txt   windows7-x64         1
KMS Tools ...me.txt   windows10-2004-x64   1

Analysis
Max time kernel: 1614s
Max time network: 1625s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 11/04/2023, 17:47
Behavioral tasks

Task          Sample                                          Resource
behavioral1   KMS Tools Portable (2).zip                      win7-20230220-en
behavioral2   KMS Tools Portable (2).zip                      win10v2004-20230220-en
behavioral3   KMS Tools Portable/Add_Defender_Exclusion.cmd   win7-20230220-en
behavioral4   KMS Tools Portable/Add_Defender_Exclusion.cmd   win10v2004-20230221-en
behavioral5   KMS Tools Portable/KMS Tools Portable.chm       win7-20230220-en
behavioral6   KMS Tools Portable/KMS Tools Portable.chm       win10v2004-20230220-en
behavioral7   KMS Tools Portable/KMS Tools Unpack.exe         win7-20230220-en
behavioral8   KMS Tools Portable/KMS Tools Unpack.exe         win10v2004-20230220-en
behavioral9   KMS Tools Portable/KMSAuto++.ini                win7-20230220-en
behavioral10  KMS Tools Portable/KMSAuto++.ini                win10v2004-20230220-en
behavioral11  KMS Tools Portable/data0.exe                    win7-20230220-en
behavioral12  KMS Tools Portable/data0.exe                    win10v2004-20230221-en
behavioral13  KMS Tools Portable/data1.exe                    win7-20230220-en
behavioral14  KMS Tools Portable/data1.exe                    win10v2004-20230220-en
behavioral15  KMS Tools Portable/readme.txt                   win7-20230220-en
behavioral16  KMS Tools Portable/readme.txt                   win10v2004-20230221-en
General

Target: KMS Tools Portable/data1.exe
Size: 57.2MB
MD5: 368cd11b5e8ab53da5cb2e4dfdcacd25
SHA1: e449f3caefcb0ac728e479879915c9747daa5d3e
SHA256: 30bddd0af7c248a4ee44fda40cffc6df9466f1b82bfe3b4ceacf8a048b4f7e5f
SHA512: 29496a92c957b950e9a8f2a8f1cb3945fcd9c0b938f8f3e2f05184c48db15c0306beff5ab076a127200214adb242c8197e2c3c86e6812e88590ba292624c29f0
SSDEEP: 1572864:TgB265B3xdJEdmWagkncpMXu3Yr56hfzHNFJUH:TgB2659DiafncpMXu3+6BztF
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid    Process
  1212   cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)
  pid    Process
  1612   PING.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    Process     procid_target
  PID 2040 wrote to memory of 1212   2040   data1.exe   28
  PID 2040 wrote to memory of 1212   2040   data1.exe   28
  PID 2040 wrote to memory of 1212   2040   data1.exe   28
  PID 2040 wrote to memory of 1212   2040   data1.exe   28
  PID 1212 wrote to memory of 580    1212   cmd.exe     30
  PID 1212 wrote to memory of 580    1212   cmd.exe     30
  PID 1212 wrote to memory of 580    1212   cmd.exe     30
  PID 1212 wrote to memory of 580    1212   cmd.exe     30
  PID 1212 wrote to memory of 1612   1212   cmd.exe     31
  PID 1212 wrote to memory of 1612   1212   cmd.exe     31
  PID 1212 wrote to memory of 1612   1212   cmd.exe     31
  PID 1212 wrote to memory of 1612   1212   cmd.exe     31
Processes

1. C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe"
   PID: 2040
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
      PID: 1212
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\chcp.com
         Command line: chcp 65001
         PID: 580

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping -n 1 localhost
         PID: 1612
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 205B
MD5: a174a822b65daf500c1f4198ea00adc7
SHA1: 9598b15fd356a152adc026628eb31ea374c27a93
SHA256: d1534d8b002a69622e9ffd37427d539f1637449642c8fdd5f18b191e5eb05cc2
SHA512: 94f506f00e2fa91fdbde0c7e675eed96d547ad8ed29ea1e0a155293224022be38b93633b6f921740f5d5c8c5365f4defc2393e8f4dfd02953e27d8deefc0db78