8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe
Size

2.8MB
MD5

401c2f825f97ecb9077d2acfe9384882
SHA1

ee8b2cbd24a24bd21bb5e08b0a1e6b053e2f2a0d
SHA256

8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806
SHA512

7cf95c01213824553e6f2bc90222da3b82072f17c01b09fe9a10200f9fce5b421b6905a44bb72d7528b1d0d7dbd67671ef9df6dee9fe2aece9f1328a162aced2
SSDEEP

49152:psFlmAWAdQTfj6Ya9p3aa70BsFC23M7u14O7/Vp5FXVzEq8Ft/ObqftevYRMxDd+:pssAdQ7j6D6gxKKxj3FAt2G13RMJ6Wbk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1920	7Z.EXE
888	kms_x64.exe

Loads dropped DLL 3 IoCs

pid	Process
1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe
1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe
1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1856-54-0x0000000000400000-0x00000000004E1000-memory.dmp	autoit_exe
behavioral1/files/0x000500000001a4b2-360.dat	autoit_exe
behavioral1/files/0x000500000001a4b2-362.dat	autoit_exe
behavioral1/files/0x000500000001a4b2-363.dat	autoit_exe
behavioral1/memory/1856-368-0x0000000000400000-0x00000000004E1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
888	kms_x64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1920	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	28
PID 1856 wrote to memory of 1920	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	28
PID 1856 wrote to memory of 1920	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	28
PID 1856 wrote to memory of 1920	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	28
PID 1856 wrote to memory of 888	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	30
PID 1856 wrote to memory of 888	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	30
PID 1856 wrote to memory of 888	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	30
PID 1856 wrote to memory of 888	1856	8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe	30

C:\Users\Admin\AppData\Local\Temp\8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe
"C:\Users\Admin\AppData\Local\Temp\8492fd05f95a175e584193bf1dc722ca03fde5eb3e989d6a6b235d0787736806.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\7Z.EXE
  C:\Users\Admin\AppData\Local\Temp\7Z.EXE x C:\Users\Admin\AppData\Local\Temp\KMSmini.7z -y -oC:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\kms_x64.exe
  C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\kms_x64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7Z.EXE

Filesize
491KB

MD5
29849e01bded09e70dd9ae1998437262

SHA1
3fd2ab128be6f2d14911f3cea958fee769a83008

SHA256
7fff51a6e365b6b011ea102e2cc3854f5b2af07e41c1ef1c20290c29af81737f

SHA512
201aa7e4bfc57e7c32501338c49c290315c9a86393cf47a602d3c166ce619e0341dafb3ae9260aa1a3ff2df913a7785d83deb762b9b0515ae27ae9c1be245f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Z.EXE

Filesize
491KB

MD5
29849e01bded09e70dd9ae1998437262

SHA1
3fd2ab128be6f2d14911f3cea958fee769a83008

SHA256
7fff51a6e365b6b011ea102e2cc3854f5b2af07e41c1ef1c20290c29af81737f

SHA512
201aa7e4bfc57e7c32501338c49c290315c9a86393cf47a602d3c166ce619e0341dafb3ae9260aa1a3ff2df913a7785d83deb762b9b0515ae27ae9c1be245f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\ICO_211.ico

Filesize
24KB

MD5
a34b091d72dd83be4f300b570c0c175e

SHA1
974d91c4a050c3ccfbb7484972309b7b090cfc50

SHA256
579363073461a4a702e682d89dcf42ce392b5af4b46617c91318bc1f246a9638

SHA512
d8a64389dd4c40a98daa71383b4e6ce6d3bc5630c1edcec7bdceed56ef9fd0ad3605e5b7308215c8bbacd2bd85077a7ffe37f43c4cf79c2b8a40f67ebca6576d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\ICO_221.ico

Filesize
24KB

MD5
018271869383cc781b19ec676f1c1572

SHA1
1377965e825f084d3cf88e0d1955e8dd0a1f6f8c

SHA256
70158667501fa9b2f248e7ee678f7dac76bd67a7c23ef3800db254a91d8fed9a

SHA512
bee067389227fcea7f00436425d2045d0da90e54aa16a4a123b201951832fe68c6677c86639bacd2d369d349e2b138a27794f5ee12dfe2e37f783ecacf60ffd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms

Filesize
3KB

MD5
33c1695d278f5917f28067d27b4868ee

SHA1
55137aa9a24d6a622f05315dfbb65fb1a0c74e03

SHA256
65bccc008f5b44d2dbd880c0c33afcfff27c07dd24dc0cc7dda2b3bfa7e9ae74

SHA512
84389ef315ff2f9d86062470ea6033dcb409a3061b898ab677987aa881e2f6d4be1dacc4fad0c606dde6a301f04dfa2f1ff54af86e3a3767ab9bcf6ac368e2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms

Filesize
3KB

MD5
9f3ef531d89e4208085e96150cfbbe16

SHA1
430dd2245a5d5c6e3bb4038b19127e599ec1d889

SHA256
3acae6e8f6680b3c66189f4fe78b492fa4a2ba472f0d34bd92a13a72ceaf60e1

SHA512
e0e8cc1c3e637260170e144cf910ddc150082246f9980fd1f642b0ef824efa73c41e4e789a9bf5aa057ced758b4a7c64478d8f94bbfca91fc7fd033d9b83b77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms

Filesize
3KB

MD5
6cd265f74e9042ba418f212c6e6b390e

SHA1
12168c357c14725104b7597f7273d503153a47b9

SHA256
e26e6bd36f54c8dec33070aecd9002e20815c8bc443a1a43e97bb7b83743918a

SHA512
deabe6e6bbafce6daa6bd87ecace41f3fadddd397fb376253d87339fdf9890009a650efc01f5741367d40eb2cde6248c36f36c6a501c781c4e383278d9053de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.ISSUANCE.CLIENT_STIL.xrm-ms

Filesize
3KB

MD5
f4e9cef1a484fcd9da8384551c063d03

SHA1
0eaaab4ca48f93d511c6c99ac658ce3ca5e961a4

SHA256
de16e707372f7576693262ff31592c9c4bd70e2887c23014d388afbbb959b0b2

SHA512
7735bf2b1af63696a8533a46f707c4b599222a545c047487f4122b1a2d904b9a5ffca19bac958986ab1b853a9f8a262426f721a43542c85787ca2e857426f450

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms

Filesize
4KB

MD5
35d84d2089fb9cc1e6ae40ddbacd4881

SHA1
2edc9e476c313373aac8cf66fed401fe1305b924

SHA256
df562c760f6508c14df7749a220215f1498d76a811e3510be65ff251b51b73a1

SHA512
3eeccc8de4fa0cdeaa78faed4526f56fc2de4b85162f0ffb851bcb91d789d2f5aac6ba98dd1d37a238659667a8b440145e0f2bf9fee955329f39eea43a737d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms

Filesize
4KB

MD5
2bdddff33b396016a034ea21e9d06a54

SHA1
c0d71f5d4c8f1469a7970619e1abd47ea519e972

SHA256
8ca125c11b020e60c226b27948cd6968d6d95a651230ee169403ec09c21a9f12

SHA512
d64faa9e076f51e225adf20e73e640c470c4bc5d0b177c2a968e0cc8ec4ea6ec72e9df80f544fa22b700f2cf12405ca3bf88b8c1a23d8092195eef14d71b70a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\cert\kmscert2013\visiopro\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms

Filesize
469KB

MD5
22bb6d79ac6f5a39f95252e934fd6af9

SHA1
883bea18dbafdfbd1fd86806eb2b21d017bf5d96

SHA256
2bc8aa6ed6643fa7d9135453331c33b05f8733cebd4a8b2fd7bdd71775748e02

SHA512
9ba389e335a81e1740509ae8db6615f193bba9e94c06ffc93b0885502bcc60a6c8500f451eabb3bad9b5d4660d472e630a282db29f9f219951abf96507035945

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\kms_x64.exe

Filesize
843KB

MD5
fc73f623f7bd519d2a3349ef3b2fe682

SHA1
42eb748277f7c501d378a88079740961d4ed906f

SHA256
63ec79b1cb7e72cf59e692d6626ca6929554ca977f948cf520a9e940a09b45b2

SHA512
e66260fc66ad26c4c281659ffc24fd3bd75d1ca1414fd09cc27c6b02859cfab35c1633ff1c535d35abba27bda48d7735938e0a6b98a015bbabbba4d9872171e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\kms_x64.exe

Filesize
843KB

MD5
fc73f623f7bd519d2a3349ef3b2fe682

SHA1
42eb748277f7c501d378a88079740961d4ed906f

SHA256
63ec79b1cb7e72cf59e692d6626ca6929554ca977f948cf520a9e940a09b45b2

SHA512
e66260fc66ad26c4c281659ffc24fd3bd75d1ca1414fd09cc27c6b02859cfab35c1633ff1c535d35abba27bda48d7735938e0a6b98a015bbabbba4d9872171e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\left.jpg

Filesize
2KB

MD5
a19310fde49bedc57b9a3b15ac12c7ca

SHA1
4cb249d62ccda681dfbd8fd898ffc9d428dd9710

SHA256
606f8a834ac0570de63b1dc3f7235f05e333338e8de5e5774c76caa1c338cef9

SHA512
3e6f425e848b2ab246c9f188c7adb769e952b46d948ee4e5dae4aebdd099325e3aa94529998c1e1e794cfbf83bf89091a18c8ca0e16dd6a3b39d27c0849f2be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\theme.jpg

Filesize
3KB

MD5
8106fe4184c10cd16e50d7d991faad53

SHA1
6f0424df7d885933489535780e7a405f51e0df1e

SHA256
cd78691dfe096dc99d2a46c921884922511616937efe51018eaf500c8c77314a

SHA512
117030f208d3a8b110b932e300ea13abdff5498e1263639a714a2e3319b53145b1d0763364c6e4b036057df84cfd45ce68515cde9cdf6c1d09a6d1eb83cbcc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSmini.7z

Filesize
1.7MB

MD5
04fa564e066f949a1da509726080c464

SHA1
4ece3ea18315366ac67862d48f0ee24b9767ac50

SHA256
287a7b4622742868cce663e02f19a5ce01d36b0120a26ef9d6b1d1007f31da7d

SHA512
7d058bd189026b61cf52b6e48e4673516f90c5fad061df7b078479d023212de99bf561e8cf2513e888ab3a5ce6ba696d9260af84b11e8b01a8686f3421d7e9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSmini.7z

Filesize
1.7MB

MD5
04fa564e066f949a1da509726080c464

SHA1
4ece3ea18315366ac67862d48f0ee24b9767ac50

SHA256
287a7b4622742868cce663e02f19a5ce01d36b0120a26ef9d6b1d1007f31da7d

SHA512
7d058bd189026b61cf52b6e48e4673516f90c5fad061df7b078479d023212de99bf561e8cf2513e888ab3a5ce6ba696d9260af84b11e8b01a8686f3421d7e9eb

Download Submit
\Users\Admin\AppData\Local\Temp\7Z.EXE

Filesize
491KB

MD5
29849e01bded09e70dd9ae1998437262

SHA1
3fd2ab128be6f2d14911f3cea958fee769a83008

SHA256
7fff51a6e365b6b011ea102e2cc3854f5b2af07e41c1ef1c20290c29af81737f

SHA512
201aa7e4bfc57e7c32501338c49c290315c9a86393cf47a602d3c166ce619e0341dafb3ae9260aa1a3ff2df913a7785d83deb762b9b0515ae27ae9c1be245f39

Download Submit
\Users\Admin\AppData\Local\Temp\7Z.EXE

Filesize
491KB

MD5
29849e01bded09e70dd9ae1998437262

SHA1
3fd2ab128be6f2d14911f3cea958fee769a83008

SHA256
7fff51a6e365b6b011ea102e2cc3854f5b2af07e41c1ef1c20290c29af81737f

SHA512
201aa7e4bfc57e7c32501338c49c290315c9a86393cf47a602d3c166ce619e0341dafb3ae9260aa1a3ff2df913a7785d83deb762b9b0515ae27ae9c1be245f39

Download Submit
\Users\Admin\AppData\Local\Temp\HEU_KMS_Mini_77\kms_x64.exe

Filesize
843KB

MD5
fc73f623f7bd519d2a3349ef3b2fe682

SHA1
42eb748277f7c501d378a88079740961d4ed906f

SHA256
63ec79b1cb7e72cf59e692d6626ca6929554ca977f948cf520a9e940a09b45b2

SHA512
e66260fc66ad26c4c281659ffc24fd3bd75d1ca1414fd09cc27c6b02859cfab35c1633ff1c535d35abba27bda48d7735938e0a6b98a015bbabbba4d9872171e3

Download Submit
memory/1856-54-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1856-368-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download