3611d70fd0636f5858bd4d436e75e4afc9fc8763a034254ad6d5033f4a64ef84

Analysis

max time kernel
1769s
max time network
1586s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS Tools Portable/data1.exe
Size

57.2MB
MD5

368cd11b5e8ab53da5cb2e4dfdcacd25
SHA1

e449f3caefcb0ac728e479879915c9747daa5d3e
SHA256

30bddd0af7c248a4ee44fda40cffc6df9466f1b82bfe3b4ceacf8a048b4f7e5f
SHA512

29496a92c957b950e9a8f2a8f1cb3945fcd9c0b938f8f3e2f05184c48db15c0306beff5ab076a127200214adb242c8197e2c3c86e6812e88590ba292624c29f0
SSDEEP

1572864:TgB265B3xdJEdmWagkncpMXu3Yr56hfzHNFJUH:TgB2659DiafncpMXu3+6BztF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	data1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	data1.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2124	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4512	4216	data1.exe	83
PID 4216 wrote to memory of 4512	4216	data1.exe	83
PID 4512 wrote to memory of 1296	4512	cmd.exe	85
PID 4512 wrote to memory of 1296	4512	cmd.exe	85
PID 4216 wrote to memory of 4336	4216	data1.exe	89
PID 4216 wrote to memory of 4336	4216	data1.exe	89
PID 4216 wrote to memory of 4336	4216	data1.exe	89
PID 4336 wrote to memory of 5116	4336	cmd.exe	91
PID 4336 wrote to memory of 5116	4336	cmd.exe	91
PID 4336 wrote to memory of 5116	4336	cmd.exe	91
PID 4336 wrote to memory of 2124	4336	cmd.exe	92
PID 4336 wrote to memory of 2124	4336	cmd.exe	92
PID 4336 wrote to memory of 2124	4336	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe
"C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 localhost
    3⤵
    - Runs ping.exe
    PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat

Filesize
205B

MD5
a174a822b65daf500c1f4198ea00adc7

SHA1
9598b15fd356a152adc026628eb31ea374c27a93

SHA256
d1534d8b002a69622e9ffd37427d539f1637449642c8fdd5f18b191e5eb05cc2

SHA512
94f506f00e2fa91fdbde0c7e675eed96d547ad8ed29ea1e0a155293224022be38b93633b6f921740f5d5c8c5365f4defc2393e8f4dfd02953e27d8deefc0db78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kzrmo3l.cbr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1296-135-0x000001DA60510000-0x000001DA60532000-memory.dmp

Filesize
136KB

Download
memory/1296-145-0x000001DA439E0000-0x000001DA439F0000-memory.dmp

Filesize
64KB

Download
memory/1296-146-0x000001DA439E0000-0x000001DA439F0000-memory.dmp

Filesize
64KB

Download
memory/1296-147-0x000001DA439E0000-0x000001DA439F0000-memory.dmp

Filesize
64KB

Download