Analysis Overview
SHA256
6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87
Threat Level: Known bad
The file KMS.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
NetWire RAT payload
Modifies WinLogon for persistence
Turns off Windows Defender SpyNet reporting
Modifies Windows Defender Real-time Protection settings
Netwire
Checks computer location settings
Windows security modification
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-13 17:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-13 17:09
Reported
2023-09-13 17:11
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe\"" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Netwire
Turns off Windows Defender SpyNet reporting
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMS.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5104 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c timeout 5
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\KMS.exe" -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5104 -ip 5104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2204
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsguoku2.cjh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c10f420b63dc6e7609d5e453e03c1447 |
| SHA1 | 94623bca1fb9455c6787d5c94650a1abefa93a61 |
| SHA256 | 856b9a9d4a68021f97978b71b112099422a328b5410350d36eeb243aac93a916 |
| SHA512 | 32b967c1e78f7d0dcb38a4601dc720eb030bfafc00b4062d4025853239e2d02595ed352abaf51cb63426bd0a0086c1bb4453f7a2568be6bbd44bb6d90ab729f7 |