Overview

Overall score: 10

Target                 Platform             Score
Static                 static               7
KMS Tools ...2).zip    windows7-x64         1
KMS Tools ...2).zip    windows10-2004-x64   1
KMS Tools ...on.cmd    windows7-x64         1
KMS Tools ...on.cmd    windows10-2004-x64   1
KMS Tools ...le.chm    windows7-x64         1
KMS Tools ...le.chm    windows10-2004-x64   1
KMS Tools ...ck.exe    windows7-x64         10
KMS Tools ...ck.exe    windows10-2004-x64   10
KMS Tools ...++.ini    windows7-x64         1
KMS Tools ...++.ini    windows10-2004-x64   1
KMS Tools ...a0.exe    windows7-x64         1
KMS Tools ...a0.exe    windows10-2004-x64   1
KMS Tools ...a1.exe    windows7-x64         7
KMS Tools ...a1.exe    windows10-2004-x64   3
KMS Tools ...me.txt    windows7-x64         1
KMS Tools ...me.txt    windows10-2004-x64   1

Analysis
max time kernel:   1769s
max time network:  1586s
platform:          windows10-2004_x64
resource:          win10v2004-20230220-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted:         11/04/2023, 17:47
Behavioral tasks

Task          Sample                                           Resource
behavioral1   KMS Tools Portable (2).zip                       win7-20230220-en
behavioral2   KMS Tools Portable (2).zip                       win10v2004-20230220-en
behavioral3   KMS Tools Portable/Add_Defender_Exclusion.cmd    win7-20230220-en
behavioral4   KMS Tools Portable/Add_Defender_Exclusion.cmd    win10v2004-20230221-en
behavioral5   KMS Tools Portable/KMS Tools Portable.chm        win7-20230220-en
behavioral6   KMS Tools Portable/KMS Tools Portable.chm        win10v2004-20230220-en
behavioral7   KMS Tools Portable/KMS Tools Unpack.exe          win7-20230220-en
behavioral8   KMS Tools Portable/KMS Tools Unpack.exe          win10v2004-20230220-en
behavioral9   KMS Tools Portable/KMSAuto++.ini                 win7-20230220-en
behavioral10  KMS Tools Portable/KMSAuto++.ini                 win10v2004-20230220-en
behavioral11  KMS Tools Portable/data0.exe                     win7-20230220-en
behavioral12  KMS Tools Portable/data0.exe                     win10v2004-20230221-en
behavioral13  KMS Tools Portable/data1.exe                     win7-20230220-en
behavioral14  KMS Tools Portable/data1.exe                     win10v2004-20230220-en
behavioral15  KMS Tools Portable/readme.txt                    win7-20230220-en
behavioral16  KMS Tools Portable/readme.txt                    win10v2004-20230221-en
General

Target:  KMS Tools Portable/data1.exe
Size:    57.2MB
MD5:     368cd11b5e8ab53da5cb2e4dfdcacd25
SHA1:    e449f3caefcb0ac728e479879915c9747daa5d3e
SHA256:  30bddd0af7c248a4ee44fda40cffc6df9466f1b82bfe3b4ceacf8a048b4f7e5f
SHA512:  29496a92c957b950e9a8f2a8f1cb3945fcd9c0b938f8f3e2f05184c48db15c0306beff5ab076a127200214adb242c8197e2c3c86e6812e88590ba292624c29f0
SSDEEP:  1572864:TgB265B3xdJEdmWagkncpMXu3Yr56hfzHNFJUH:TgB2659DiafncpMXu3+6BztF
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
  Description   IoC                                                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\   data1.exe
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                      data1.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  PID    Process
  2124   PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID    Process
  1296   powershell.exe
  1296   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Description               PID    Process
  Token: SeDebugPrivilege   1296   powershell.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  Description                         PID    Process     procid_target   Occurrences
  PID 4216 wrote to memory of 4512    4216   data1.exe   83              2
  PID 4512 wrote to memory of 1296    4512   cmd.exe     85              2
  PID 4216 wrote to memory of 4336    4216   data1.exe   89              3
  PID 4336 wrote to memory of 5116    4336   cmd.exe     91              3
  PID 4336 wrote to memory of 2124    4336   cmd.exe     92              3
Processes

C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe (PID 4216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\data1.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 4512)
    Command line: "C:\Windows\Sysnative\cmd.exe" /c powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1296)
      Command line: powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 4336)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (PID 5116)
      Command line: chcp 65001

    C:\Windows\SysWOW64\PING.EXE (PID 2124)
      Command line: ping -n 1 localhost
      - Runs ping.exe
Downloads

Filesize:  205B
MD5:       a174a822b65daf500c1f4198ea00adc7
SHA1:      9598b15fd356a152adc026628eb31ea374c27a93
SHA256:    d1534d8b002a69622e9ffd37427d539f1637449642c8fdd5f18b191e5eb05cc2
SHA512:    94f506f00e2fa91fdbde0c7e675eed96d547ad8ed29ea1e0a155293224022be38b93633b6f921740f5d5c8c5365f4defc2393e8f4dfd02953e27d8deefc0db78

Filesize:  60B
MD5:       d17fe0a3f47be24a6453e9ef58c94641
SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82