3611d70fd0636f5858bd4d436e75e4afc9fc8763a034254ad6d5033f4a64ef84

Analysis

max time kernel
1583s
max time network
1598s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-04-2023 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS Tools Portable/Add_Defender_Exclusion.cmd
Size

1KB
MD5

38214e2bb08731ec3c69fa4c9ca86ef3
SHA1

e33f8d9852ab41bd9f2a545fb57cc7450c58f234
SHA256

908400a2ca52592d52d62daf9925dae7dc805e64ef613280b00711132ff99c54
SHA512

c675f4e66aca3a81affbad0252da343dd506ebb06069609d5a84a14a590cb6a66d5cea9939396eae6e64a45d00e2862008c587c700373b72cc280c07ef039e24

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2040	1752	cmd.exe	28
PID 1752 wrote to memory of 2040	1752	cmd.exe	28
PID 1752 wrote to memory of 2040	1752	cmd.exe	28
PID 1752 wrote to memory of 844	1752	cmd.exe	29
PID 1752 wrote to memory of 844	1752	cmd.exe	29
PID 1752 wrote to memory of 844	1752	cmd.exe	29
PID 1752 wrote to memory of 2028	1752	cmd.exe	31
PID 1752 wrote to memory of 2028	1752	cmd.exe	31
PID 1752 wrote to memory of 2028	1752	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\Add_Defender_Exclusion.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19\Environment"
  2⤵
  PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-58-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/844-59-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/844-60-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/844-61-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/844-62-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download