fd88ca3df8d66708e121b661fc3028fd0dfc275e88c64b8ed34b0b9b9c04b6d2

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activator/KMSAuto/KMSAUTO.exe
Size

6.2MB
MD5

aa2aa549dc7c6c91ab61a06fa5a6c4e8
SHA1

03cb8a9599d4e1e9ad4ccc23b644bbbfc41178eb
SHA256

b4523b3fb41f739a59b55a955801037afccd193b8cc78e02f3ed1cefc6cb1680
SHA512

53c7c5c9015bff6a9e5e2690bb3b6d7cfa13f1ad9b197aac2a75a3685d57f466cfc1b73a6dbc7a01f2ce688a4ae54776e02c5ab2fe164f83aac9a7b95d549e31
SSDEEP

196608:TAywxyw7iywnNywwywHywWywbywmIiyw7Lzz:TdwMw7fwwwtwSwLwewhw7Lzz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
752	bin.dat
2280	wzt.dat
2852	certmgr.exe
1720	certmgr.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TRUSTEDPUBLISHER\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TRUSTEDPUBLISHER\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob = 030000000100000014000000f81f111d0e5ab58d396f7bf525577fd30fdc95aa2000000001000000e8010000308201e43082014da003020102021008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d0101040500300e310c300a06035504031303575a54301e170d3135313130383038313534395a170d3339313233313233353935395a300e310c300a06035504031303575a5430819f300d06092a864886f70d010101050003818d0030818902818100a3b38e6e8cd01f282d0872986d29bf5f0eaad61a32c045d9b23db1c221c3679770c401de98695e88cad621b319730dcabedf4c4709eebe8126dd567a9ab387dab7ea13b3665166464d1b8efffed8bc4225515a9aaa170e595eb348a496309110c8eb66d0490f113a3c79a508058448b0398be6f9d34f84c60e694c472c72f9b70203010001a3433041303f0603551d01043830368010e4e11038d29fc50f20a0c1914bbeff0ba110300e310c300a06035504031303575a54821008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d01010405000381810054c251e1b9cdca11ade10887278347c178233bffb85a6d692ca235d68afe76d59f2113e7c3016ac0347e7131d590047a877083536f61d90fcb2bf95856952abd4f63daccfccc840950667cc68f7513f8ae72dc7676e94b61fa169158457ea2b8531a593671e79d886743e24eddf7141e0443e22f1f6b16b0a76d720466e4b8e8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob = 030000000100000014000000f81f111d0e5ab58d396f7bf525577fd30fdc95aa2000000001000000e8010000308201e43082014da003020102021008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d0101040500300e310c300a06035504031303575a54301e170d3135313130383038313534395a170d3339313233313233353935395a300e310c300a06035504031303575a5430819f300d06092a864886f70d010101050003818d0030818902818100a3b38e6e8cd01f282d0872986d29bf5f0eaad61a32c045d9b23db1c221c3679770c401de98695e88cad621b319730dcabedf4c4709eebe8126dd567a9ab387dab7ea13b3665166464d1b8efffed8bc4225515a9aaa170e595eb348a496309110c8eb66d0490f113a3c79a508058448b0398be6f9d34f84c60e694c472c72f9b70203010001a3433041303f0603551d01043830368010e4e11038d29fc50f20a0c1914bbeff0ba110300e310c300a06035504031303575a54821008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d01010405000381810054c251e1b9cdca11ade10887278347c178233bffb85a6d692ca235d68afe76d59f2113e7c3016ac0347e7131d590047a877083536f61d90fcb2bf95856952abd4f63daccfccc840950667cc68f7513f8ae72dc7676e94b61fa169158457ea2b8531a593671e79d886743e24eddf7141e0443e22f1f6b16b0a76d720466e4b8e8	certmgr.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

pid	Process
752	bin.dat
2280	wzt.dat
2852	certmgr.exe
1720	certmgr.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1912	1908	KMSAUTO.exe	28
PID 1908 wrote to memory of 1912	1908	KMSAUTO.exe	28
PID 1908 wrote to memory of 1912	1908	KMSAUTO.exe	28
PID 1908 wrote to memory of 1912	1908	KMSAUTO.exe	28
PID 1908 wrote to memory of 1992	1908	KMSAUTO.exe	30
PID 1908 wrote to memory of 1992	1908	KMSAUTO.exe	30
PID 1908 wrote to memory of 1992	1908	KMSAUTO.exe	30
PID 1908 wrote to memory of 1992	1908	KMSAUTO.exe	30
PID 1992 wrote to memory of 752	1992	cmd.exe	32
PID 1992 wrote to memory of 752	1992	cmd.exe	32
PID 1992 wrote to memory of 752	1992	cmd.exe	32
PID 1992 wrote to memory of 752	1992	cmd.exe	32
PID 1908 wrote to memory of 2320	1908	KMSAUTO.exe	33
PID 1908 wrote to memory of 2320	1908	KMSAUTO.exe	33
PID 1908 wrote to memory of 2320	1908	KMSAUTO.exe	33
PID 1908 wrote to memory of 2320	1908	KMSAUTO.exe	33
PID 2320 wrote to memory of 2280	2320	cmd.exe	35
PID 2320 wrote to memory of 2280	2320	cmd.exe	35
PID 2320 wrote to memory of 2280	2320	cmd.exe	35
PID 2320 wrote to memory of 2280	2320	cmd.exe	35
PID 1908 wrote to memory of 2820	1908	KMSAUTO.exe	36
PID 1908 wrote to memory of 2820	1908	KMSAUTO.exe	36
PID 1908 wrote to memory of 2820	1908	KMSAUTO.exe	36
PID 1908 wrote to memory of 2820	1908	KMSAUTO.exe	36
PID 2820 wrote to memory of 2852	2820	cmd.exe	38
PID 2820 wrote to memory of 2852	2820	cmd.exe	38
PID 2820 wrote to memory of 2852	2820	cmd.exe	38
PID 2820 wrote to memory of 2852	2820	cmd.exe	38
PID 1908 wrote to memory of 1976	1908	KMSAUTO.exe	39
PID 1908 wrote to memory of 1976	1908	KMSAUTO.exe	39
PID 1908 wrote to memory of 1976	1908	KMSAUTO.exe	39
PID 1908 wrote to memory of 1976	1908	KMSAUTO.exe	39
PID 1976 wrote to memory of 1720	1976	cmd.exe	41
PID 1976 wrote to memory of 1720	1976	cmd.exe	41
PID 1976 wrote to memory of 1720	1976	cmd.exe	41
PID 1976 wrote to memory of 1720	1976	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.exe
"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\Temp\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:752
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c wzt.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Temp\KMSAuto\wzt.dat
    wzt.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2280
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine ROOT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Temp\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzt.cer -n wzt -s -r localMachine ROOT
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2852
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\Temp\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHER
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\KMSAuto\bin.dat

Filesize
166KB

MD5
ca62d4125a24ea98f90b8d7b7c92801b

SHA1
72f50ecc667713b8f357a048a6f621664fd1e361

SHA256
9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

SHA512
ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

Download Submit
C:\Windows\Temp\KMSAuto\bin.dat

Filesize
166KB

MD5
ca62d4125a24ea98f90b8d7b7c92801b

SHA1
72f50ecc667713b8f357a048a6f621664fd1e361

SHA256
9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

SHA512
ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

Download Submit
C:\Windows\Temp\KMSAuto\wzt.dat

Filesize
198KB

MD5
b41540f62bde758f2fbb8bd9372cc417

SHA1
b65ce1c31c6474e95c965c9ee7c441155869a89e

SHA256
21b5828e9b324690b1af6352b44c4f668621ee659ab22d525d9ad175f652cb8c

SHA512
519d1da834dd825002b237542ff0538173535c9c32788719c46f9c165fc7d164dbdefcc26c28f618bfd97d3c05c4fdd219c54eb35dd618471b7dedf9e2b97699

Download Submit
C:\Windows\Temp\KMSAuto\wzt.dat

Filesize
198KB

MD5
b41540f62bde758f2fbb8bd9372cc417

SHA1
b65ce1c31c6474e95c965c9ee7c441155869a89e

SHA256
21b5828e9b324690b1af6352b44c4f668621ee659ab22d525d9ad175f652cb8c

SHA512
519d1da834dd825002b237542ff0538173535c9c32788719c46f9c165fc7d164dbdefcc26c28f618bfd97d3c05c4fdd219c54eb35dd618471b7dedf9e2b97699

Download Submit
C:\Windows\Temp\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\Windows\Temp\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\Windows\Temp\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\Windows\Temp\KMSAuto\wzt\wzt.cer

Filesize
488B

MD5
4bf5bfbb3caf16c6125df0e10ee60d18

SHA1
f81f111d0e5ab58d396f7bf525577fd30fdc95aa

SHA256
b3db601b90499d6d5d7cd954ca36a907abb6ae649b5439ab2bca93e2e026fe9f

SHA512
0e0cabb6135d50134c53c0f13a4dc242bf686163498318e88fc1f419b3858ac58abcb26f0fa1c476b2005551ae882d50f86acf71b5b0be914ae68dcb935ff765

Download Submit