fd88ca3df8d66708e121b661fc3028fd0dfc275e88c64b8ed34b0b9b9c04b6d2

Analysis

max time kernel
131s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activator/KMSAuto/KMSAUTO.exe
Size

6.2MB
MD5

aa2aa549dc7c6c91ab61a06fa5a6c4e8
SHA1

03cb8a9599d4e1e9ad4ccc23b644bbbfc41178eb
SHA256

b4523b3fb41f739a59b55a955801037afccd193b8cc78e02f3ed1cefc6cb1680
SHA512

53c7c5c9015bff6a9e5e2690bb3b6d7cfa13f1ad9b197aac2a75a3685d57f466cfc1b73a6dbc7a01f2ce688a4ae54776e02c5ab2fe164f83aac9a7b95d549e31
SSDEEP

196608:TAywxyw7iywnNywwywHywWywbywmIiyw7Lzz:TdwMw7fwwwtwSwLwewhw7Lzz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1316	bin.dat
4916	wzt.dat
4984	certmgr.exe
3740	certmgr.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob = 030000000100000014000000f81f111d0e5ab58d396f7bf525577fd30fdc95aa2000000001000000e8010000308201e43082014da003020102021008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d0101040500300e310c300a06035504031303575a54301e170d3135313130383038313534395a170d3339313233313233353935395a300e310c300a06035504031303575a5430819f300d06092a864886f70d010101050003818d0030818902818100a3b38e6e8cd01f282d0872986d29bf5f0eaad61a32c045d9b23db1c221c3679770c401de98695e88cad621b319730dcabedf4c4709eebe8126dd567a9ab387dab7ea13b3665166464d1b8efffed8bc4225515a9aaa170e595eb348a496309110c8eb66d0490f113a3c79a508058448b0398be6f9d34f84c60e694c472c72f9b70203010001a3433041303f0603551d01043830368010e4e11038d29fc50f20a0c1914bbeff0ba110300e310c300a06035504031303575a54821008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d01010405000381810054c251e1b9cdca11ade10887278347c178233bffb85a6d692ca235d68afe76d59f2113e7c3016ac0347e7131d590047a877083536f61d90fcb2bf95856952abd4f63daccfccc840950667cc68f7513f8ae72dc7676e94b61fa169158457ea2b8531a593671e79d886743e24eddf7141e0443e22f1f6b16b0a76d720466e4b8e8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob = 030000000100000014000000f81f111d0e5ab58d396f7bf525577fd30fdc95aa2000000001000000e8010000308201e43082014da003020102021008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d0101040500300e310c300a06035504031303575a54301e170d3135313130383038313534395a170d3339313233313233353935395a300e310c300a06035504031303575a5430819f300d06092a864886f70d010101050003818d0030818902818100a3b38e6e8cd01f282d0872986d29bf5f0eaad61a32c045d9b23db1c221c3679770c401de98695e88cad621b319730dcabedf4c4709eebe8126dd567a9ab387dab7ea13b3665166464d1b8efffed8bc4225515a9aaa170e595eb348a496309110c8eb66d0490f113a3c79a508058448b0398be6f9d34f84c60e694c472c72f9b70203010001a3433041303f0603551d01043830368010e4e11038d29fc50f20a0c1914bbeff0ba110300e310c300a06035504031303575a54821008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d01010405000381810054c251e1b9cdca11ade10887278347c178233bffb85a6d692ca235d68afe76d59f2113e7c3016ac0347e7131d590047a877083536f61d90fcb2bf95856952abd4f63daccfccc840950667cc68f7513f8ae72dc7676e94b61fa169158457ea2b8531a593671e79d886743e24eddf7141e0443e22f1f6b16b0a76d720466e4b8e8	certmgr.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1528	4028	KMSAUTO.exe	95
PID 4028 wrote to memory of 1528	4028	KMSAUTO.exe	95
PID 4028 wrote to memory of 1048	4028	KMSAUTO.exe	99
PID 4028 wrote to memory of 1048	4028	KMSAUTO.exe	99
PID 1048 wrote to memory of 1316	1048	cmd.exe	101
PID 1048 wrote to memory of 1316	1048	cmd.exe	101
PID 1048 wrote to memory of 1316	1048	cmd.exe	101
PID 4028 wrote to memory of 4424	4028	KMSAUTO.exe	102
PID 4028 wrote to memory of 4424	4028	KMSAUTO.exe	102
PID 4424 wrote to memory of 4916	4424	cmd.exe	104
PID 4424 wrote to memory of 4916	4424	cmd.exe	104
PID 4424 wrote to memory of 4916	4424	cmd.exe	104
PID 4028 wrote to memory of 2024	4028	KMSAUTO.exe	105
PID 4028 wrote to memory of 2024	4028	KMSAUTO.exe	105
PID 2024 wrote to memory of 4984	2024	cmd.exe	107
PID 2024 wrote to memory of 4984	2024	cmd.exe	107
PID 2024 wrote to memory of 4984	2024	cmd.exe	107
PID 4028 wrote to memory of 652	4028	KMSAUTO.exe	108
PID 4028 wrote to memory of 652	4028	KMSAUTO.exe	108
PID 652 wrote to memory of 3740	652	cmd.exe	110
PID 652 wrote to memory of 3740	652	cmd.exe	110
PID 652 wrote to memory of 3740	652	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.exe
"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\Temp\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c wzt.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\Temp\KMSAuto\wzt.dat
    wzt.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:4916
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine ROOT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Temp\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzt.cer -n wzt -s -r localMachine ROOT
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:4984
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\Temp\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHER
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\KMSAuto\bin.dat

Filesize
166KB

MD5
ca62d4125a24ea98f90b8d7b7c92801b

SHA1
72f50ecc667713b8f357a048a6f621664fd1e361

SHA256
9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

SHA512
ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

Download Submit
C:\Windows\Temp\KMSAuto\bin.dat

Filesize
166KB

MD5
ca62d4125a24ea98f90b8d7b7c92801b

SHA1
72f50ecc667713b8f357a048a6f621664fd1e361

SHA256
9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

SHA512
ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

Download Submit
C:\Windows\Temp\KMSAuto\wzt.dat

Filesize
198KB

MD5
b41540f62bde758f2fbb8bd9372cc417

SHA1
b65ce1c31c6474e95c965c9ee7c441155869a89e

SHA256
21b5828e9b324690b1af6352b44c4f668621ee659ab22d525d9ad175f652cb8c

SHA512
519d1da834dd825002b237542ff0538173535c9c32788719c46f9c165fc7d164dbdefcc26c28f618bfd97d3c05c4fdd219c54eb35dd618471b7dedf9e2b97699

Download Submit
C:\Windows\Temp\KMSAuto\wzt.dat

Filesize
198KB

MD5
b41540f62bde758f2fbb8bd9372cc417

SHA1
b65ce1c31c6474e95c965c9ee7c441155869a89e

SHA256
21b5828e9b324690b1af6352b44c4f668621ee659ab22d525d9ad175f652cb8c

SHA512
519d1da834dd825002b237542ff0538173535c9c32788719c46f9c165fc7d164dbdefcc26c28f618bfd97d3c05c4fdd219c54eb35dd618471b7dedf9e2b97699

Download Submit
C:\Windows\Temp\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\Windows\Temp\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\Windows\Temp\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\Windows\Temp\KMSAuto\wzt\wzt.cer

Filesize
488B

MD5
4bf5bfbb3caf16c6125df0e10ee60d18

SHA1
f81f111d0e5ab58d396f7bf525577fd30fdc95aa

SHA256
b3db601b90499d6d5d7cd954ca36a907abb6ae649b5439ab2bca93e2e026fe9f

SHA512
0e0cabb6135d50134c53c0f13a4dc242bf686163498318e88fc1f419b3858ac58abcb26f0fa1c476b2005551ae882d50f86acf71b5b0be914ae68dcb935ff765

Download Submit