Analysis
max time kernel: 144s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/06/2023, 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: KMS Tools Unpack.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: KMS Tools Unpack.exe
  Resource: win10v2004-20230220-en
General
Target: KMS Tools Unpack.exe
Size: 57.4MB
MD5: ae2a3c825cbf294b8adedcdba6a03687
SHA1: d2ceea4520a4fb42fc4088ea57d5a13b050cced3
SHA256: 86df099097923f9e0dcf31e78f0d3271f9a918726a206624f8fd510a8077d315
SHA512: 82a67731e51d1d9248b8148db7e669182327cc7edd0b28d232421b9d523db3601d58d332f890fc360c1051f3dd1a6eafd5f12d77942747ef6632419a14ac031d
SSDEEP: 1572864:Nx1y8kFxSBqccESbNnPPvitf4QNI2C17ZT:NGHSDcESbx+RNI2C/T
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | KMS Tools Unpack.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | KMS Tools Unpack.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  4576 | PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4468 | powershell.exe
  4468 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4468 | powershell.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 3388 wrote to memory of 212 | 3388 | KMS Tools Unpack.exe | 88
  PID 3388 wrote to memory of 212 | 3388 | KMS Tools Unpack.exe | 88
  PID 212 wrote to memory of 4468 | 212 | cmd.exe | 90
  PID 212 wrote to memory of 4468 | 212 | cmd.exe | 90
  PID 3388 wrote to memory of 680 | 3388 | KMS Tools Unpack.exe | 94
  PID 3388 wrote to memory of 680 | 3388 | KMS Tools Unpack.exe | 94
  PID 3388 wrote to memory of 680 | 3388 | KMS Tools Unpack.exe | 94
  PID 680 wrote to memory of 4456 | 680 | cmd.exe | 96
  PID 680 wrote to memory of 4456 | 680 | cmd.exe | 96
  PID 680 wrote to memory of 4456 | 680 | cmd.exe | 96
  PID 680 wrote to memory of 4576 | 680 | cmd.exe | 97
  PID 680 wrote to memory of 4576 | 680 | cmd.exe | 97
  PID 680 wrote to memory of 4576 | 680 | cmd.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe (depth 1, PID 3388)
  command line: "C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (depth 2, PID 212)
    command line: "C:\Windows\Sysnative\cmd.exe" /c powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4468)
      command line: powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 680)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (depth 3, PID 4456)
      command line: chcp 65001

    C:\Windows\SysWOW64\PING.EXE (depth 3, PID 4576)
      command line: ping -n 1 localhost
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 189B
  MD5: db8d403e39ca27397567664e7065b91f
  SHA1: a438727f76b164bb718995acf6beebef0811983c
  SHA256: 2bc60df097abf251ae1a9f50d7d0e2ac3dd6900efed71796db1c1b585b021ca6
  SHA512: 516295b33c817b789865e5c1fa4aa8870e61a80e5695460d0ff878ab05f58129c8d6cefa71148022c64ba220806ec540a6e3839f6ca7a9336885440cc2a1cfcf

File 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82