Analysis Overview
SHA256
6d880189693cf93dd4ca145b0d3cc8e9295da375654d04ea68a5f67c9f62ae87
Threat Level: Known bad
The file KMS.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
NetWire RAT payload
Netwire
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Windows security modification
Checks computer location settings
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Program crash
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-14 03:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-14 03:43
Reported
2023-10-14 19:39
Platform
win7-20230831-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe\"" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\KMS.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2472 set thread context of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c timeout 5
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\KMS.exe" -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
Files
memory/2472-0-0x0000000000800000-0x00000000009B2000-memory.dmp
memory/2472-1-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2472-2-0x0000000000360000-0x00000000003A6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d0fe366dcc34bf4989a6941d26f6019b |
| SHA1 | 53b2b818667f7d16eb0a0d75b3e9bebd535f16ec |
| SHA256 | 28cd83783f159eb575a52c3531ce0d99373710e8c4bd205e966f7caa6df12972 |
| SHA512 | a7b233de8c81d00158faf80f830b5f195d56fad93b341d798f6a6f426560d149a4ee74a367a316cc023f2fac793307fa26f0eb273e73f1e7bc4a80e37baa3eda |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A7QQMGCMPO65W7D5FL1C.temp
| MD5 | d0fe366dcc34bf4989a6941d26f6019b |
| SHA1 | 53b2b818667f7d16eb0a0d75b3e9bebd535f16ec |
| SHA256 | 28cd83783f159eb575a52c3531ce0d99373710e8c4bd205e966f7caa6df12972 |
| SHA512 | a7b233de8c81d00158faf80f830b5f195d56fad93b341d798f6a6f426560d149a4ee74a367a316cc023f2fac793307fa26f0eb273e73f1e7bc4a80e37baa3eda |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d0fe366dcc34bf4989a6941d26f6019b |
| SHA1 | 53b2b818667f7d16eb0a0d75b3e9bebd535f16ec |
| SHA256 | 28cd83783f159eb575a52c3531ce0d99373710e8c4bd205e966f7caa6df12972 |
| SHA512 | a7b233de8c81d00158faf80f830b5f195d56fad93b341d798f6a6f426560d149a4ee74a367a316cc023f2fac793307fa26f0eb273e73f1e7bc4a80e37baa3eda |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d0fe366dcc34bf4989a6941d26f6019b |
| SHA1 | 53b2b818667f7d16eb0a0d75b3e9bebd535f16ec |
| SHA256 | 28cd83783f159eb575a52c3531ce0d99373710e8c4bd205e966f7caa6df12972 |
| SHA512 | a7b233de8c81d00158faf80f830b5f195d56fad93b341d798f6a6f426560d149a4ee74a367a316cc023f2fac793307fa26f0eb273e73f1e7bc4a80e37baa3eda |
memory/2680-21-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2904-22-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2800-23-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2680-24-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2680-25-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2904-26-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2872-27-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2872-28-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2800-29-0x0000000002710000-0x0000000002750000-memory.dmp
memory/2904-30-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2472-31-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2904-32-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2680-33-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2872-34-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2872-35-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2872-36-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2472-37-0x0000000006580000-0x00000000065C0000-memory.dmp
memory/2800-38-0x0000000002710000-0x0000000002750000-memory.dmp
memory/2904-39-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2872-40-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2904-41-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2800-42-0x0000000002710000-0x0000000002750000-memory.dmp
memory/2872-43-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2680-44-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2904-45-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2800-46-0x0000000002710000-0x0000000002750000-memory.dmp
memory/2904-48-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2872-47-0x0000000002730000-0x0000000002770000-memory.dmp
memory/2800-49-0x0000000002710000-0x0000000002750000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabEC54.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarEC95.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2680-86-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2904-85-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2872-84-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2800-87-0x000000006FB80000-0x000000007012B000-memory.dmp
memory/2300-88-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-90-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-92-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-97-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-96-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-94-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-101-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2300-99-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-105-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2472-108-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2300-107-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2472-109-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2472-158-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2300-159-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-14 03:43
Reported
2023-10-14 19:37
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe\"" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Turns off Windows Defender SpyNet reporting
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KMS.exe = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMS.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMS.exe" | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4340 set thread context of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\KMS.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KMS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c timeout 5
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KMS.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\KMS.exe" -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4340 -ip 4340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 2216
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | haija.mine.nu | udp |
| NL | 45.81.39.46:1338 | haija.mine.nu | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/4340-1-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4340-0-0x0000000000960000-0x0000000000B12000-memory.dmp
memory/4340-2-0x0000000005990000-0x0000000005F34000-memory.dmp
memory/4340-3-0x00000000054C0000-0x000000000555C000-memory.dmp
memory/4340-4-0x0000000004F40000-0x0000000004F86000-memory.dmp
memory/4340-5-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2728-7-0x00000000048A0000-0x00000000048D6000-memory.dmp
memory/2728-10-0x0000000004F30000-0x0000000005558000-memory.dmp
memory/2728-9-0x00000000048F0000-0x0000000004900000-memory.dmp
memory/2728-8-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4680-11-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2808-15-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/2808-14-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/580-16-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/4340-17-0x0000000007820000-0x0000000007830000-memory.dmp
memory/4680-13-0x0000000002400000-0x0000000002410000-memory.dmp
memory/4680-12-0x0000000002400000-0x0000000002410000-memory.dmp
memory/2808-19-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4680-18-0x0000000004D00000-0x0000000004D22000-memory.dmp
memory/580-32-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4680-31-0x00000000056C0000-0x0000000005726000-memory.dmp
memory/580-30-0x0000000005D20000-0x0000000005D86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5qhtb44t.e1y.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4680-50-0x00000000058E0000-0x0000000005C34000-memory.dmp
memory/2728-60-0x0000000005E60000-0x0000000005E7E000-memory.dmp
memory/2728-61-0x0000000005EA0000-0x0000000005EEC000-memory.dmp
memory/2728-63-0x00000000048F0000-0x0000000004900000-memory.dmp
memory/4680-64-0x0000000002400000-0x0000000002410000-memory.dmp
memory/580-62-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/580-65-0x00000000075D0000-0x0000000007602000-memory.dmp
memory/2728-78-0x0000000006DF0000-0x0000000006E0E000-memory.dmp
memory/2728-66-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/580-90-0x0000000007610000-0x00000000076B3000-memory.dmp
memory/580-80-0x000000007F320000-0x000000007F330000-memory.dmp
memory/2728-100-0x000000007F580000-0x000000007F590000-memory.dmp
memory/4680-79-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/2728-101-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/580-68-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/2808-102-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/4680-103-0x000000007F0D0000-0x000000007F0E0000-memory.dmp
memory/4680-67-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2808-105-0x0000000004EC0000-0x0000000004ED0000-memory.dmp
memory/4680-104-0x0000000002400000-0x0000000002410000-memory.dmp
memory/580-107-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/2808-106-0x000000006FF30000-0x000000006FF7C000-memory.dmp
memory/2728-117-0x00000000077E0000-0x0000000007E5A000-memory.dmp
memory/2808-119-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2808-120-0x000000007FC10000-0x000000007FC20000-memory.dmp
memory/4680-118-0x0000000006FF0000-0x000000000700A000-memory.dmp
memory/3612-121-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4680-122-0x0000000007060000-0x000000000706A000-memory.dmp
memory/3612-124-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2728-125-0x00000000048F0000-0x0000000004900000-memory.dmp
memory/4340-126-0x0000000007820000-0x0000000007830000-memory.dmp
memory/3612-128-0x0000000000400000-0x0000000000434000-memory.dmp
memory/580-127-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4680-129-0x0000000007270000-0x0000000007306000-memory.dmp
memory/2728-130-0x0000000006180000-0x0000000006191000-memory.dmp
memory/2728-131-0x00000000073D0000-0x00000000073DE000-memory.dmp
memory/2728-132-0x00000000073E0000-0x00000000073F4000-memory.dmp
memory/2728-133-0x00000000074E0000-0x00000000074FA000-memory.dmp
memory/2728-134-0x00000000074C0000-0x00000000074C8000-memory.dmp
memory/4340-135-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 76634d4461f3b1bc99190b155a9a2bfd |
| SHA1 | 62230c27fd0a26751c21ab675d11c8926a4c214a |
| SHA256 | 5c51ff5ef3cf917a6c2a09b19d967b9fc76a2f5f8d9dd60aaadcc1f0b4caf7ff |
| SHA512 | 7b60daf3cf99983bb19605901318c779ba630360add0db1f3456af2aaaa6c4136f8f5de0da6d3b471e4fa1134cbd1fbb65a139f3c04c032a67f322b8bb70c627 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/580-141-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10853cc828304f87afbdac64319dc130 |
| SHA1 | fc15902bbc601203aaa652bde0443bfc71bfe5b2 |
| SHA256 | 1b03088baeae80f32aa86885017c17c81dcac374588eb13678d9754453446dab |
| SHA512 | 7d1ff967de78cea74bcb8034036e4b00ab01af10ea0cf8946db72558437fd770de718283ad79a761c8c8cb70fbf19dfbe6ada46faaabe314d9838a2ddfc8addf |
memory/2808-144-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2728-145-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba67fc9dcacac8b3787860618b9d7954 |
| SHA1 | 19b83d27cc6fc1a7781401a421452525d567882c |
| SHA256 | 7581b9d7499cf937a90248449922e6a0760dfce3314e086ba06d03a6f98dbb63 |
| SHA512 | 3743421c7c1ee65b4e1fa1d5f13658dea00fe401df51ff5ab4f1ec0f9db789e68988f7f87a2382291c2829a422ecc42e8b6fa7a7e40a03250de480013814c7b5 |
memory/4680-148-0x0000000074EE0000-0x0000000075690000-memory.dmp