Analysis

  • max time kernel
    190s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2023, 14:32

General

  • Target

    Activator/ActivationNextBoot.cmd

  • Size

    1KB

  • MD5

    c99d72a4e9bc43543aac21da48e99aac

  • SHA1

    949edb7bac0cae8113eb34ada56b572d83f9f39b

  • SHA256

    ea68e8f2a77b3c180734927c2be02e3452de5fbd9c4b60e3d703ad5ab088e0a0

  • SHA512

    ea4312b6f9f2d61389d3dc743fea66a5de8083153bc82df2c4e5002518a48e8d162803027223889ebd8ae1b0adcc3e1fcd4b523c2a321497e64f6dbd1955f7ae

Score
8/10

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utility to control services on the system. Here it creates, starts, stops and deletes the KMSEmulator service and stops and deletes the WinDivert1.1 driver service.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\system32\cscript.exe
      CSCRIPT C:\Windows\system32\slmgr.vbs -dli
      2⤵
        PID:1708
      • C:\Windows\system32\findstr.exe
        FINDSTR "Licensed лицензию"
        (the second search term is the Russian "лицензию" from localized slmgr output; the report renders the CP866 bytes through CP437 as "½¿µÑ¡º¿ε")
        2⤵
          PID:3600
        • C:\Windows\system32\reg.exe
          REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
          2⤵
            PID:2776
          • C:\Windows\system32\findstr.exe
            FINDSTR /i 10
            2⤵
              PID:3412
            • C:\Windows\system32\reg.exe
              REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
              2⤵
                PID:1264
              • C:\Windows\system32\findstr.exe
                FINDSTR /i "Professional"
                2⤵
                  PID:4412
                • C:\Windows\system32\cscript.exe
                  CSCRIPT slmgr /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
                  2⤵
                    PID:3800
                  • C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE
                    "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /win=act
                    2⤵
                      PID:4844
                    • C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE
                      "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /ofs=act /ofsgvlk=inst /ofs=conv
                      2⤵
                      • Sets service image path in registry
                      • Suspicious use of WriteProcessMemory
                      PID:3128
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
                        3⤵
                          PID:5112
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:424
                          • C:\Windows\system32\cscript.exe
                            cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS
                            4⤵
                              PID:4784
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4376
                            • C:\Windows\Temp\KMSAuto\bin.dat
                              bin.dat -y -pkmsauto
                              4⤵
                              • Executes dropped EXE
                              PID:1588
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4848
                            • C:\Windows\system32\netsh.exe
                              Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                              4⤵
                              • Modifies Windows Firewall
                              PID:3568
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1792
                            • C:\Windows\system32\netsh.exe
                              Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
                              4⤵
                              • Modifies Windows Firewall
                              PID:4996
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5016
                            • C:\Windows\system32\sc.exe
                              sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
                              4⤵
                              • Launches sc.exe
                              PID:1600
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4312
                            • C:\Windows\system32\sc.exe
                              sc.exe start KMSEmulator
                              4⤵
                              • Launches sc.exe
                              PID:3344
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c bin_x64.dat -y -pkmsauto
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4264
                            • C:\Windows\Temp\KMSAuto\bin_x64.dat
                              bin_x64.dat -y -pkmsauto
                              4⤵
                              • Executes dropped EXE
                              PID:1164
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c route.exe -p add 74.117.62.140 0.0.0.0 IF 1
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2304
                            • C:\Windows\system32\ROUTE.EXE
                              route.exe -p add 74.117.62.140 0.0.0.0 IF 1
                              4⤵
                                PID:3860
                            • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe
                              "FakeClient.exe" 74.117.62.140
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in Windows directory
                              PID:3800
                            • C:\Windows\system32\cmd.exe
                              "C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:74.117.62.140 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4124
                              • C:\Windows\system32\cscript.exe
                                cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:74.117.62.140 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS
                                4⤵
                                  PID:4852
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
                                3⤵
                                  PID:2564
                                  • C:\Windows\system32\sc.exe
                                    sc.exe stop KMSEmulator
                                    4⤵
                                    • Launches sc.exe
                                    PID:2264
                                • C:\Windows\system32\cmd.exe
                                  "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
                                  3⤵
                                    PID:3464
                                    • C:\Windows\system32\sc.exe
                                      sc.exe delete KMSEmulator
                                      4⤵
                                      • Launches sc.exe
                                      PID:500
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\Sysnative\cmd.exe" /c route delete 74.117.62.140 0.0.0.0
                                    3⤵
                                      PID:4016
                                      • C:\Windows\system32\ROUTE.EXE
                                        route delete 74.117.62.140 0.0.0.0
                                        4⤵
                                          PID:2816
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\Sysnative\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
                                        3⤵
                                          PID:4552
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill.exe /t /f /IM FakeClient.exe
                                            4⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2136
                                        • C:\Windows\system32\cmd.exe
                                          "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop WinDivert1.1
                                          3⤵
                                            PID:4368
                                            • C:\Windows\system32\sc.exe
                                              sc.exe stop WinDivert1.1
                                              4⤵
                                              • Launches sc.exe
                                              PID:1628
                                          • C:\Windows\system32\cmd.exe
                                            "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete WinDivert1.1
                                            3⤵
                                              PID:2532
                                              • C:\Windows\system32\sc.exe
                                                sc.exe delete WinDivert1.1
                                                4⤵
                                                • Launches sc.exe
                                                PID:2820
                                            • C:\Windows\system32\cmd.exe
                                              "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                                              3⤵
                                                PID:4408
                                                • C:\Windows\system32\netsh.exe
                                                  Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                                                  4⤵
                                                  • Modifies Windows Firewall
                                                  PID:3560
                                              • C:\Windows\system32\cmd.exe
                                                "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                                                3⤵
                                                  PID:3668
                                                  • C:\Windows\system32\netsh.exe
                                                    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                                                    4⤵
                                                    • Modifies Windows Firewall
                                                    PID:3724
                                            • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe
                                              "C:\Windows\Temp\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E
                                              1⤵
                                              • Executes dropped EXE
                                              PID:2388
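
The process tree above, together with the Signatures list it substantiates, is the KMSAuto activation chain: install a GVLK with slmgr /ipk, open TCP 1688 inbound, register a service whose binary path is a bare temp.exe, add a persistent route for the fake KMS host 74.117.62.140 through interface index 1 (the loopback pseudo-interface on Windows), run the WinDivert-based FakeClient, point KMSactivator.vbs at that address, then tear the route, services and firewall rules down again. What follows is an added example, not part of the tria.ge report or of KMSAuto itself: a Python detector that scores process-creation events against those steps and only alerts when several of them land in the same process tree. The event list is constructed to mirror the report's tree (PIDs are the report's; the intermediate Sysnative cmd.exe wrappers are collapsed into their parent; the parent PID 600 and the 7000-series lines are invented benign noise), and the field layout, rule names and three-step threshold are assumptions.

```python
"""Added example: correlate KMS-emulator activation steps across one process tree.
Not the sandbox's or KMSAuto's code. Events are constructed from the report's tree."""
import re
from collections import defaultdict

# Constructed process-creation events: (pid, ppid, image, command line).
# PIDs 1628, 3800, 3128, 4996, 1600, 3860 and 2820 are the report's own; the
# Sysnative cmd.exe /c wrappers are collapsed; PID 600 and the 7000-series are invented.
EVENTS = [
    (1628, 600, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.cmd"'),
    (3800, 1628, r"C:\Windows\system32\cscript.exe",
     "CSCRIPT slmgr /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX"),
    (3128, 1628, r"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE",
     r'"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /ofs=act /ofsgvlk=inst /ofs=conv'),
    (4996, 3128, r"C:\Windows\system32\netsh.exe",
     "Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688"),
    (1600, 3128, r"C:\Windows\system32\sc.exe",
     "sc.exe create KMSEmulator binpath= temp.exe type= own start= auto"),
    (3860, 3128, r"C:\Windows\system32\ROUTE.EXE",
     "route.exe -p add 74.117.62.140 0.0.0.0 IF 1"),
    # PID 3800 is reused here, as in the report: the cscript above has exited.
    (3800, 3128, r"C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe",
     '"FakeClient.exe" 74.117.62.140'),
    (2820, 3128, r"C:\Windows\system32\sc.exe", "sc.exe delete WinDivert1.1"),
    # Constructed benign noise: an IT script opening RDP and reading license state.
    (7000, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\IT\audit.ps1"),
    (7001, 7000, r"C:\Windows\system32\netsh.exe",
     "netsh advfirewall firewall add rule name=RDP dir=in action=allow protocol=TCP localport=3389"),
    (7002, 7000, r"C:\Windows\system32\cscript.exe", "cscript slmgr.vbs /dli"),
]

# One rule per step of the chain. Any single step is weak evidence (admins run netsh,
# sc and slmgr legitimately); the alert fires on the combination within one tree.
GVLK = r"[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}"  # shape of a Generic Volume License Key
CMDLINE_RULES = {
    "gvlk_install": re.compile(r"slmgr(?:\.vbs)?\s+[/-]ipk\s+" + GVLK, re.I),
    "fw_allow_port_1688": re.compile(
        r"advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=1688\b", re.I),
    # service binary given as a bare/relative name rather than a drive-letter path
    "svc_create_relpath": re.compile(
        r"\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*(?!\"?[a-z]:\\)\S+", re.I),
    # persistent host route with gateway 0.0.0.0 pinned to interface index 1 (loopback)
    "persistent_route_if1": re.compile(
        r"\broute(?:\.exe)?\s+-p\s+add\s+\S+\s+0\.0\.0\.0\s+if\s+1\b", re.I),
    "windivert_service": re.compile(
        r"\bsc(?:\.exe)?\s+(?:create|start|stop|delete)\s+windivert", re.I),
}


def classify(image, cmdline):
    """Return the set of chain steps one event matches (command line and image path)."""
    hits = {name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)}
    if image.lower().startswith("c:\\windows\\temp\\"):
        hits.add("exec_from_windows_temp")
    return hits


def resolve_roots(events):
    """Map each event index to the index of its root ancestor.

    The parent is the most recent earlier event with the parent's PID, so a reused
    PID (3800 above) resolves to the live process rather than the exited one.
    """
    latest_by_pid = {}  # pid -> index of the most recent creation event
    parent_of = {}      # index -> parent index, or None for a tree root
    for i, (pid, ppid, _, _) in enumerate(events):
        parent_of[i] = latest_by_pid.get(ppid)
        latest_by_pid[pid] = i
    roots = {}
    for i in parent_of:
        j = i
        while parent_of[j] is not None:
            j = parent_of[j]
        roots[i] = j
    return roots


def detect(events, threshold=3):
    """Return {root_pid: sorted step names} for trees with >= threshold distinct steps."""
    roots = resolve_roots(events)
    hits_by_root = defaultdict(set)
    for i, (_, _, image, cmdline) in enumerate(events):
        hits_by_root[roots[i]].update(classify(image, cmdline))
    return {events[r][0]: sorted(h) for r, h in hits_by_root.items() if len(h) >= threshold}


if __name__ == "__main__":
    for root_pid, steps in detect(EVENTS).items():
        print(f"root PID {root_pid}: KMS-emulator chain, steps seen: {', '.join(steps)}")
```

Keying on the process tree rather than on PIDs matters here: the report itself reuses PIDs within the trace (3800 is first cscript.exe and later FakeClient.exe; 1628 is the root cmd.exe and later an sc.exe), so a lookup that maps a PID to a single process would attach the FakeClient event to the wrong parent or lose it.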

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Windows\Temp\KMSAuto\bin.dat

                                              Filesize

                                              166KB

                                              MD5

                                              ca62d4125a24ea98f90b8d7b7c92801b

                                              SHA1

                                              72f50ecc667713b8f357a048a6f621664fd1e361

                                              SHA256

                                              9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

                                              SHA512

                                              ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

                                            • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe

                                              Filesize

                                              34KB

                                              MD5

                                              be3f826075408b5d6ae7b66a55b4a520

                                              SHA1

                                              cb2f05c14c75e140dcf68de310be1e9527f8193d

                                              SHA256

                                              9dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418

                                              SHA512

                                              295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2

                                            • C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs

                                              Filesize

                                              82KB

                                              MD5

                                              1e279e2ef92662bded2c7fd781306a73

                                              SHA1

                                              70da7979881b6a3b78c655b08de3c2aad8e60a10

                                              SHA256

                                              a5c143fa70977717f136327938f52d1ad0dab56b1bbecf0d49bd0a985dfad42a

                                              SHA512

                                              8afac7d4f591fe723d9602b54c508a74f15d6568ad4c01aef8eb9bee1862e5e55166f7f6f30468a0f4ed96031e6ecee67d2bb532e62a0b8c6bf8bf274d6c0fd1

                                            • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe

                                              Filesize

                                              13KB

                                              MD5

                                              91b75bcf59b2de235214ed47be8a99a5

                                              SHA1

                                              03129cd21f0bec38069fab1aecd69d6c9c80c13c

                                              SHA256

                                              b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5

                                              SHA512

                                              85e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b

                                            • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

                                              Filesize

                                              68KB

                                              MD5

                                              be566e174eaf5b93b0474593cd8f2715

                                              SHA1

                                              350ca8482be913dd9ca7a279fb5680a884402e26

                                              SHA256

                                              cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

                                              SHA512

                                              fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

                                            • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.dll

                                              Filesize

                                              16KB

                                              MD5

                                              3f0c03e5076c7e6b404f894ff4dc5bb1

                                              SHA1

                                              9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

                                              SHA256

                                              4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

                                              SHA512

                                              20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

                                            • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.inf

                                              Filesize

                                              151B

                                              MD5

                                              a94d989905a248afca52bc3cbfcb248b

                                              SHA1

                                              cbb7b37584a58060da6a3dd748f17334384647e7

                                              SHA256

                                              6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

                                              SHA512

                                              864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

                                            • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.sys

                                              Filesize

                                              34KB

                                              MD5

                                              a0d15d8727d0780c51628df46b7268b3

                                              SHA1

                                              c85f24ef961db67c829a676a941cbead24c62b21

                                              SHA256

                                              5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

                                              SHA512

                                              a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

                                            • C:\Windows\Temp\KMSAuto\bin_x64.dat

                                              Filesize

                                              197KB

                                              MD5

                                              b539aa381715ed2bdec01e33867b1a67

                                              SHA1

                                              7f71f9adddb2cd532cc311ec2738cced4702c4d5

                                              SHA256

                                              2d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9

                                              SHA512

                                              fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
