b33446c034b136943f42d3b866b7d06f64661fb2cb08f3f1b7baed15a343db1e

Analysis

max time kernel
171s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS 360 Pro - Portable.exe
Size

36.8MB
MD5

9205de4d5675a029ac637ea085e63004
SHA1

da3068f9fc9758c5432a433ea45a630241171912
SHA256

f5dff9fd21c0217b96c4a862fd10d751ab89288a4ae2150dbd1a4e22bb929af8
SHA512

b5136067de412e8636308c8776b8aefb9daead5b9576bd52c29cd8543c1ff057337dfbd1675cbeab933c1aa90399c8dd82ed81459c0f9b8b9023dfca02b4f9a8
SSDEEP

393216:FuHgV5HLNDFBPsY4XBDszxkqWAOfraPJZEnEwNo8h7ILw:FuK5HlFNGBDszaqWAOfraPJZ0EwSGIL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	KMS 360 Pro - Portable.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe
4880	KMS 360 Pro - Portable.exe

C:\Users\Admin\AppData\Local\Temp\KMS 360 Pro - Portable.exe
"C:\Users\Admin\AppData\Local\Temp\KMS 360 Pro - Portable.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\257c2e00586a0231.customDestinations-ms

Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
memory/4880-8-0x000002A82E570000-0x000002A82E8CA000-memory.dmp

Filesize
3.4MB

Download
memory/4880-10-0x000002A82FDE0000-0x000002A82FE3A000-memory.dmp

Filesize
360KB

Download
memory/4880-3-0x00007FF800F90000-0x00007FF801A51000-memory.dmp

Filesize
10.8MB

Download
memory/4880-4-0x000002A82D1E0000-0x000002A82DAC2000-memory.dmp

Filesize
8.9MB

Download
memory/4880-5-0x000002A82DAC0000-0x000002A82E0B6000-memory.dmp

Filesize
6.0MB

Download
memory/4880-6-0x000002A814750000-0x000002A814760000-memory.dmp

Filesize
64KB

Download
memory/4880-2-0x000002A814750000-0x000002A814760000-memory.dmp

Filesize
64KB

Download
memory/4880-7-0x000002A82E0C0000-0x000002A82E572000-memory.dmp

Filesize
4.7MB

Download
memory/4880-9-0x000002A82E8D0000-0x000002A82EE30000-memory.dmp

Filesize
5.4MB

Download
memory/4880-0-0x000002A810620000-0x000002A812AEA000-memory.dmp

Filesize
36.8MB

Download
memory/4880-11-0x000002A830170000-0x000002A8301A8000-memory.dmp

Filesize
224KB

Download
memory/4880-16-0x000002A814750000-0x000002A814760000-memory.dmp

Filesize
64KB

Download
memory/4880-1-0x00007FF800F90000-0x00007FF801A51000-memory.dmp

Filesize
10.8MB

Download
memory/4880-47-0x000002A814750000-0x000002A814760000-memory.dmp

Filesize
64KB

Download
memory/4880-48-0x000002A814750000-0x000002A814760000-memory.dmp

Filesize
64KB

Download
memory/4880-49-0x000002A814750000-0x000002A814760000-memory.dmp

Filesize
64KB

Download