d4230cae5c3e1b11fca61a711e7f3886088f6728858108a6811670aa3616a57b

Analysis

max time kernel
65s
max time network
142s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto-Net.zip
Size

10.7MB
MD5

386cb87e6430d914820d793db19d7d33
SHA1

160a3788d24787fbf1c7579ac2a5da2d0ae8e25b
SHA256

d4230cae5c3e1b11fca61a711e7f3886088f6728858108a6811670aa3616a57b
SHA512

e50a7610633384378d1e4d547554e791424fd19342c83ea2cc83348c1c0d7199a467bffe3880c2ea69dc2e783c61779e15c3c4490970d5def68d1df9d51a6011
SSDEEP

196608:qpAtZ+U7OeubvGx9Y9oFMmtcdV0wvnZDsuKYqCVtIlehIuoOCYgM2cXNAOQ8JWcC:qpesfvuw2FMmKwanBsuYLu8Yg/Pl8JWJ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2176	1676	chrome.exe	33
PID 1676 wrote to memory of 2176	1676	chrome.exe	33
PID 1676 wrote to memory of 2176	1676	chrome.exe	33
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2916	1676	chrome.exe	35
PID 1676 wrote to memory of 2716	1676	chrome.exe	36
PID 1676 wrote to memory of 2716	1676	chrome.exe	36
PID 1676 wrote to memory of 2716	1676	chrome.exe	36
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37
PID 1676 wrote to memory of 2544	1676	chrome.exe	37

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\KMSAuto-Net.zip
1⤵
PID:784

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a89758,0x7fef5a89768,0x7fef5a89778
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:2
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2144 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1456 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3764 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3748 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3880 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1376,i,8204507137628762180,788233119538790492,131072 /prefetch:8
  2⤵
  PID:3040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\02fcb199-ad02-439a-b77d-c2502c108fec.tmp

Filesize
87KB

MD5
a92b5cdb3d901205c2bb41840a6b585d

SHA1
a5f4032fd028c4a44fd9b0619228b04e98c322a5

SHA256
ce6d29ab9973aeb9e7fa9c44e6ddeccb03ad503911d734360dea28a442bdfa08

SHA512
3765749478edbf63982393ad27b057be0270b10372b27aa62ad159a43c89a25bc8360b50d969f096aeeacfef78561f29c4f60d5b2d9037f0e4b4f318694edf40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6f21b5.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8364850836dc52848c9aa15c063f5bcb

SHA1
7006cd262d5bb517d78f2a9e08d25c14cf891008

SHA256
56a2aa6921b09f15d3caf1c6142fa2cbe9ece9139cb4cc5d31ce0471de559588

SHA512
5078f18b28b09ee6e4a49c9785fdb27bf56b05615e916cc1bb407a6e8efd764684b30afbb497cd53fafbbb165ecbec8e6c0a8e4e1286d47706854cbb794cf613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
00a6ef9895bd7abf00aa6bcebc01a9fa

SHA1
c3f4355af6db795e7684526cf75717144e639d4d

SHA256
bb345fcb0d063958952195a447ff4d1b28740bbd64de7267c5beecb565e5717a

SHA512
8d7497c7a9c599e810d4e5c4eb19684a6ef97b276d5a342b46de3be6dd75669980204c4b362b093aab7b78b7f2001cc05bd5f1fe5b85775087aa5c36f5c263c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
476d0641cde2435b230bfc257c9d6626

SHA1
e5466607c9c5da07832260310f6f39cc7bca6e1c

SHA256
e2988b3cbb90ee69089ca907e18660e34ae1cdce17cf88292bae5ab2f9d5d5c5

SHA512
a2c5a465f998f58a419b83790a999c2a896308721247b55a3d82dd06117e69d7a035a5cc24080e692445f6a0e0376cf73b8feafe2d68fb350d9b21743092aac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
cb3dd4400fb1ad05f46ddd864ea8a7a3

SHA1
4bb57401f5e963cd18525eb638c63e503b707c10

SHA256
efe04e69490b67b8b8b2261949aa5932c2015885951284499478500b42e52547

SHA512
5f7bf08a3ec184992b669da6a24a33127e3db50887c35de9ae7b776ebb7b9d1aadfd7b04ecca2935c0a2e1ea81e45d18fd974e115fd8268a5adc3af9dc2f6b99

Download Submit