Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/06/2023, 13:52

General

  • Target

    KMS Tools Unpack.exe

  • Size

    57.4MB

  • MD5

    ae2a3c825cbf294b8adedcdba6a03687

  • SHA1

    d2ceea4520a4fb42fc4088ea57d5a13b050cced3

  • SHA256

    86df099097923f9e0dcf31e78f0d3271f9a918726a206624f8fd510a8077d315

  • SHA512

    82a67731e51d1d9248b8148db7e669182327cc7edd0b28d232421b9d523db3601d58d332f890fc360c1051f3dd1a6eafd5f12d77942747ef6632419a14ac031d

  • SSDEEP

    1572864:Nx1y8kFxSBqccESbNnPPvitf4QNI2C17ZT:NGHSDcESbx+RNI2C/T

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe
    "C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4456
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 localhost
          3⤵
          • Runs ping.exe
          PID:4576

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat

      Filesize

      189B

      MD5

      db8d403e39ca27397567664e7065b91f

      SHA1

      a438727f76b164bb718995acf6beebef0811983c

      SHA256

      2bc60df097abf251ae1a9f50d7d0e2ac3dd6900efed71796db1c1b585b021ca6

      SHA512

      516295b33c817b789865e5c1fa4aa8870e61a80e5695460d0ff878ab05f58129c8d6cefa71148022c64ba220806ec540a6e3839f6ca7a9336885440cc2a1cfcf

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njwec5oj.4eg.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/4468-135-0x000001C96BD00000-0x000001C96BD22000-memory.dmp

      Filesize

      136KB

    • memory/4468-145-0x000001C96BD60000-0x000001C96BD70000-memory.dmp

      Filesize

      64KB

    • memory/4468-146-0x000001C96BD60000-0x000001C96BD70000-memory.dmp

      Filesize

      64KB

    • memory/4468-147-0x000001C96BD60000-0x000001C96BD70000-memory.dmp

      Filesize

      64KB

    • memory/4468-152-0x000001C96BD60000-0x000001C96BD70000-memory.dmp

      Filesize

      64KB