fa51dec6e30770fa9070ad824638a1fff5979d9fb8263776cea35ba88a8a6268[.]zip[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

fa51dec6e30770fa9070ad824638a1fff5979d9fb8263776cea35ba88a8a6268.zip.zip
Size

4.1MB
MD5

6206e2b7227cc12d682cb5bf62fc3136
SHA1

ecc075f708719afa856219a2dd6022bbdbcc2671
SHA256

fd88ca3df8d66708e121b661fc3028fd0dfc275e88c64b8ed34b0b9b9c04b6d2
SHA512

a03aed06ce5cdbf108b247433fec34d037162bdd4c6962670aec82ea6cd0da5d67ef150ddba2c32fa51806453698e34f0d5c8905b5c8cbce3caf3bab187c58eb
SSDEEP

98304:VzA5Uz0hMQBbHpAJZQVF4w1rqBvKnvEv2cTOGlKG6uHatH0Z7ZR38bE:Vc500a8m4NvJ+uGt6tH0Z7go

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack002/Activator/KMSAuto/Wait.exe	upx
static1/unpack004/mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe	upx
static1/unpack004/mini-KMS_Activator_v1.1_Office.2010.VL.RUS.exe	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
static1/unpack003/out.upx	autoit_exe

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack002/Activator/KMSAuto/Wait.exe
unpack003/out.upx
unpack004/mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe
unpack004/mini-KMS_Activator_v1.1_Office.2010.VL.RUS.exe

Files

fa51dec6e30770fa9070ad824638a1fff5979d9fb8263776cea35ba88a8a6268.zip.zip
.zip

Password: infected
fa51dec6e30770fa9070ad824638a1fff5979d9fb8263776cea35ba88a8a6268.zip
.zip
Activator/!ReadMe.txt
Activator/ActivationNextBoot.cmd
.cmd .vbs
Activator/ActivationNextBoot.xml
Activator/Activator.cmd
.cmd .vbs
Activator/ActivatorOffice.cmd
.cmd .vbs
Activator/ActivatorWindows.cmd
.cmd .vbs
Activator/KMSAuto/KMSAUTO.EXE
.exe windows:4 windows x86

83e8ec2ecf3f2d6c4e283f2ebbdd1277

Code Sign

08:a8:e8:26:95:0f:1a:99:40:26:25:89:fc:af:0b:8f
Certificate

Issuer

CN=WZT

Not Before

08-11-2015 08:15

Not After

31-12-2039 23:59

Subject

CN=WZT

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

ad:a7:a8:0c:81:c2:61:40:68:f7:83:4c:3a:eb:f4:73:25:4d:5b:09
Signer

Actual PE Digest

ad:a7:a8:0c:81:c2:61:40:68:f7:83:4c:3a:eb:f4:73:25:4d:5b:09

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
wcsstr
_wcsicmp
setlocale
swscanf
_wcsnicmp
wcsncmp
wcsncpy
memmove
_wcsdup
free
wcscmp
wcslen
wcscpy
wcscat
memcmp
_stricmp
sscanf
sprintf
strcpy
strlen
strcat
memcpy
fread
longjmp
_setjmp3
_wfopen
fclose
malloc
_snwprintf
strcmp
tolower
gmtime
localtime
mktime
_itow
fabs
ceil
floor
fseek
ftell
pow
??3@YAXPAX@Z
frexp
modf
_CIpow
fopen
_errno
strerror
abort
atof
fflush
ferror
remove
fwrite
exit
__p__iob
fprintf
getenv
_vsnwprintf
cos
fmod
sin
abs

kernel32

GetModuleHandleW
HeapCreate
GetEnvironmentVariableW
CreateSemaphoreW
GetLastError
CloseHandle
HeapDestroy
ExitProcess
SystemTimeToFileTime
LocalFileTimeToFileTime
FindResourceW
LoadResource
LockResource
SizeofResource
CreateToolhelp32Snapshot
GetLogicalDriveStringsW
QueryDosDeviceW
FileTimeToLocalFileTime
FileTimeToSystemTime
ExpandEnvironmentStringsW
GetCurrentProcess
GetUserDefaultLangID
GetSystemDefaultLangID
MultiByteToWideChar
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
GetCurrentProcessId
OpenProcess
FormatMessageW
GetVolumeInformationW
FindFirstFileW
FindNextFileW
FindClose
WideCharToMultiByte
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
CreateProcessW
Beep
CreateFileW
DeviceIoControl
GetCommandLineW
GetComputerNameW
GetDateFormatW
GetDiskFreeSpaceExW
GetExitCodeProcess
GetFileTime
GetPrivateProfileStringW
GetShortPathNameW
GetSystemDirectoryW
GetSystemPowerStatus
GetTimeZoneInformation
GetUserDefaultLCID
GetWindowsDirectoryW
GlobalMemoryStatus
LocalFree
Process32FirstW
Process32NextW
QueryPerformanceCounter
QueryPerformanceFrequency
SetComputerNameW
SetFileTime
SetSystemTime
SetVolumeLabelW
Sleep
TerminateProcess
WritePrivateProfileStringW
HeapAlloc
HeapFree
GetCurrentThreadId
InitializeCriticalSection
GetModuleFileNameW
DuplicateHandle
CreatePipe
GetStdHandle
EnterCriticalSection
LeaveCriticalSection
PeekNamedPipe
SetEnvironmentVariableW
ReadFile
HeapReAlloc
GetFileSize
SetFilePointer
SetEndOfFile
WriteFile
FreeLibrary
LoadLibraryA
TlsAlloc
TlsSetValue
GetTickCount
TlsGetValue
LoadLibraryW
DeleteFileW
GetVersionExW
GlobalLock
GlobalSize
GlobalUnlock
GlobalAlloc
GlobalFree
GetVersionExA
SetLastError
GetDriveTypeW
GetFileAttributesW
SetFileAttributesW
RemoveDirectoryW
SetCurrentDirectoryW
GetCurrentDirectoryW
CreateDirectoryW
CopyFileW
GetTempPathW
MoveFileW
GetLocalTime
HeapSize
MulDiv
DeleteCriticalSection
TlsFree
GetCurrentThread
CreateSemaphoreA
CreateThread
ReleaseSemaphore
WaitForMultipleObjects

gdiplus

GdipDeleteFont
GdipDeleteGraphics
GdipDeletePath
GdipDeleteMatrix
GdipDeletePen
GdipDeleteStringFormat
GdipFree
GdipGetDpiX
GdipGetDpiY

winspool.drv

ClosePrinter
DeletePrinter
OpenPrinterW
SetPrinterW

user32

OemToCharW
UpdateWindow
SendMessageW
RedrawWindow
ReleaseDC
EnumWindows
GetWindowThreadProcessId
FindWindowExW
FindWindowW
GetCursorPos
GetForegroundWindow
GetWindow
GetWindowLongW
GetWindowTextW
SetCursorPos
AnimateWindow
AttachThreadInput
BlockInput
ChangeDisplaySettingsW
CharToOemW
CreateWindowExW
DrawMenuBar
EnableMenuItem
EnableWindow
EnumDisplaySettingsW
ExitWindowsEx
FlashWindow
GetClassNameW
GetDC
GetDesktopWindow
GetFocus
GetKeyState
GetLastInputInfo
GetSysColor
GetSystemMenu
GetSystemMetrics
GetWindowRect
IsWindow
IsWindowEnabled
KillTimer
LoadCursorW
LockWorkStation
MessageBeep
PostMessageW
RegisterHotKey
RemoveMenu
SetClassLongW
SetFocus
SetForegroundWindow
SetTimer
SetWindowLongW
SetWindowPos
ShowWindow
UnregisterHotKey
WaitForInputIdle
keybd_event
mouse_event
CharUpperW
CharLowerW
MessageBoxW
IsWindowVisible
DestroyWindow
SetWindowTextW
GetParent
CallWindowProcW
GetWindowTextLengthW
GetClientRect
ScreenToClient
IntersectRect
ValidateRect
InvalidateRect
GetUpdateRect
DefWindowProcW
MapWindowPoints
GetIconInfo
DrawStateW
GetSysColorBrush
FrameRect
DrawFocusRect
RemovePropW
GetPropW
SetPropW
SetScrollPos
InflateRect
GetWindowDC
SetRect
DrawTextW
SetCursor
BeginPaint
FillRect
EndPaint
GetMessagePos
MoveWindow
ReleaseCapture
SetCapture
ClientToScreen
RegisterClassExW
PeekMessageW
TranslateMessage
DispatchMessageW
SetActiveWindow
UnregisterClassW
DestroyAcceleratorTable
LoadIconW
RegisterClassW
AdjustWindowRectEx
CreateAcceleratorTableW
GetWindowLongA
MsgWaitForMultipleObjects
GetMessageW
GetActiveWindow
TranslateAcceleratorW
GetMenu
DefFrameProcW
EnumChildWindows
IsChild
RegisterWindowMessageW
DestroyIcon
CopyImage
CreateIconFromResourceEx
CreateIconFromResource
DrawIconEx

gdi32

CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteDC
GetPixel
GetStockObject
SetBkMode
DeleteObject
CreateBrushIndirect
GetTextExtentPoint32W
CreateRectRgn
SelectClipRgn
GetObjectW
GetObjectType
ExcludeClipRect
SetTextColor
SetBkColor
CreateRectRgnIndirect
TextOutW
CreatePen
MoveToEx
LineTo
SetStretchBltMode
StretchBlt
CreateSolidBrush
GdiGetBatchLimit
GdiSetBatchLimit
CreateDIBSection
GetObjectA
CreateBitmap
SetPixel
GetDIBits
GetDeviceCaps
CreateFontW
SetTextAlign
SetBrushOrgEx
CreateFontIndirectW
GetTextMetricsW

advapi32

RegOpenKeyExW
RegOpenKeyW
RegConnectRegistryW
RegQueryValueExW
RegCloseKey
OpenSCManagerW
OpenServiceW
QueryServiceStatus
CloseServiceHandle
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
LookupAccountNameW
IsValidSid
RegEnumKeyExW
RegDeleteValueW
RegCreateKeyW
AdjustTokenPrivileges
ChangeServiceConfigW
ControlService
CryptAcquireContextW
CryptCreateHash
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptHashData
CryptReleaseContext
GetUserNameW
ImpersonateLoggedOnUser
LogonUserW
LookupPrivilegeValueW
OpenProcessToken
RegEnumValueW
RevertToSelf
StartServiceW

comctl32

InitCommonControlsEx
ImageList_Replace
ImageList_Add
ImageList_ReplaceIcon
ImageList_Remove
ImageList_AddMasked
ImageList_Destroy
ImageList_Create

oleaut32

SafeArrayGetDim
SafeArrayGetUBound
SafeArrayGetElement
SysFreeString
VariantInit
DispGetParam
SysAllocString
VariantClear
SysStringLen

ole32

CoInitializeEx
CoInitializeSecurity
CoUninitialize
CoCreateInstance
CoSetProxyBlanket
CoCreateGuid
CoInitialize
StringFromGUID2
OleInitialize
CreateStreamOnHGlobal
GetHGlobalFromStream
RevokeDragDrop
OleCreate
OleSetContainedObject

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
ExtractIconExW
ExtractIconW
IsNetDrive
RealDriveType
SHAddToRecentDocs
SHFileOperationW
SHFormatDrive
SHGetFileInfoW
ShellAboutW
Shell_NotifyIconW
ShellExecuteExW

wsock32

WSAStartup
gethostbyname
WSACleanup
gethostbyaddr
inet_addr
closesocket
gethostname
htons
select
__WSAFDIsSet
ioctlsocket
recvfrom
socket
bind
connect
recv
send
sendto

winmm

timeBeginPeriod

icmp

IcmpCloseHandle
IcmpCreateFile
IcmpSendEcho

imagehlp

MakeSureDirectoryPathExists

iphlpapi

GetAdaptersInfo
GetNetworkParams

msi

MsiEnumProductsW
MsiGetProductInfoW

netapi32

NetApiBufferFree
NetLocalGroupAdd
NetLocalGroupDel
NetLocalGroupEnum
NetUserDel
NetUserGetInfo
NetUserSetInfo

setupapi

SetupIterateCabinetW

urlmon

URLDownloadToFileW
UrlMkSetSessionOption

userenv

GetDefaultUserProfileDirectoryW

wininet

DeleteUrlCacheEntryW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlW
InternetOpenW
InternetReadFile
UnlockUrlCacheEntryFileW

Sections

.code
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 352KB - Virtual size: 351KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5.7MB - Virtual size: 5.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Activator/KMSAuto/KMSAuto - Windows & Office Activator.lnk
.lnk
Activator/KMSAuto/KMSAutoAll.xml
Activator/KMSAuto/KMSAutoLite.ini
Activator/KMSAuto/KMSAutoOffice.xml
Activator/KMSAuto/KMSAutoWindows.xml
Activator/KMSAuto/KMSCleaner.exe
.exe windows:4 windows x86

65ef43de0bb5fdb404965b6ed08a8eae

Code Sign

08:a8:e8:26:95:0f:1a:99:40:26:25:89:fc:af:0b:8f
Certificate

Issuer

CN=WZT

Not Before

08-11-2015 08:15

Not After

31-12-2039 23:59

Subject

CN=WZT

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

d3:46:1b:c5:fa:73:0d:15:e1:da:8c:64:b5:fd:06:7c:ef:4d:bc:3f
Signer

Actual PE Digest

d3:46:1b:c5:fa:73:0d:15:e1:da:8c:64:b5:fd:06:7c:ef:4d:bc:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
wcsstr
wcsncmp
memmove
wcsncpy
_wcsnicmp
_wcsdup
free
wcslen
wcscpy
wcscat
wcscmp
strlen
strcpy
strcat
memcmp
_stricmp
memcpy
_wfopen
longjmp
_setjmp3
fclose
malloc
_snwprintf
sprintf
strcmp
tolower
_wcsicmp
gmtime
localtime
mktime
_itow
fabs
ceil
floor
pow
frexp
modf
_CIpow
fwrite
fflush
exit
__p__iob
fprintf
ferror
getenv
sscanf
_vsnwprintf
fmod
sin
cos
abs

kernel32

GetModuleHandleW
HeapCreate
GetEnvironmentVariableW
HeapDestroy
ExitProcess
SystemTimeToFileTime
LocalFileTimeToFileTime
FindResourceW
LoadResource
LockResource
SizeofResource
CreateToolhelp32Snapshot
CloseHandle
GetLogicalDriveStringsW
QueryDosDeviceW
FileTimeToLocalFileTime
FileTimeToSystemTime
ExpandEnvironmentStringsW
GetCurrentProcess
GetUserDefaultLangID
GetSystemDefaultLangID
MultiByteToWideChar
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
GetCurrentProcessId
OpenProcess
GetLastError
FormatMessageW
GetVolumeInformationW
FindFirstFileW
FindNextFileW
FindClose
WideCharToMultiByte
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
CreateProcessW
Beep
CreateFileW
CreateSemaphoreW
DeviceIoControl
GetCommandLineW
GetComputerNameW
GetDateFormatW
GetDiskFreeSpaceExW
GetExitCodeProcess
GetFileTime
GetPrivateProfileStringW
GetShortPathNameW
GetSystemDirectoryW
GetSystemPowerStatus
GetTimeZoneInformation
GetUserDefaultLCID
GetWindowsDirectoryW
GlobalMemoryStatus
LocalFree
Process32FirstW
Process32NextW
QueryPerformanceCounter
QueryPerformanceFrequency
SetComputerNameW
SetFileTime
SetSystemTime
SetVolumeLabelW
Sleep
TerminateProcess
WritePrivateProfileStringW
HeapAlloc
HeapFree
GetCurrentThreadId
InitializeCriticalSection
DuplicateHandle
CreatePipe
GetStdHandle
EnterCriticalSection
LeaveCriticalSection
PeekNamedPipe
SetEnvironmentVariableW
GetModuleFileNameW
HeapReAlloc
ReadFile
SetFilePointer
SetEndOfFile
WriteFile
GetFileSize
FreeLibrary
LoadLibraryA
GetTickCount
LoadLibraryW
DeleteFileW
GetVersionExA
SetLastError
MulDiv
GetDriveTypeW
GetFileAttributesW
SetFileAttributesW
GetCurrentDirectoryW
SetCurrentDirectoryW
CreateDirectoryW
RemoveDirectoryW
CopyFileW
GetTempPathW
MoveFileW
GetLocalTime
TlsAlloc
TlsSetValue
GetVersionExW
HeapSize
DeleteCriticalSection
lstrlenA

winspool.drv

ClosePrinter
DeletePrinter
OpenPrinterW
SetPrinterW

user32

OemToCharW
SendMessageW
ReleaseDC
EnumWindows
GetWindowThreadProcessId
FindWindowExW
FindWindowW
GetCursorPos
GetForegroundWindow
SetCursorPos
AnimateWindow
AttachThreadInput
BlockInput
ChangeDisplaySettingsW
CharToOemW
CreateWindowExW
DrawMenuBar
EnableMenuItem
EnableWindow
EnumDisplaySettingsW
ExitWindowsEx
FlashWindow
GetClassNameW
GetDC
GetDesktopWindow
GetFocus
GetKeyState
GetLastInputInfo
GetSysColor
GetSystemMenu
GetSystemMetrics
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
IsWindow
IsWindowEnabled
KillTimer
LoadCursorW
LockWorkStation
MessageBeep
PostMessageW
RegisterHotKey
RemoveMenu
SetClassLongW
SetFocus
SetForegroundWindow
SetTimer
SetWindowLongW
SetWindowPos
ShowWindow
UnregisterHotKey
UpdateWindow
WaitForInputIdle
keybd_event
mouse_event
CharUpperW
CharLowerW
MessageBoxW
IsWindowVisible
DestroyWindow
GetWindowTextLengthW
SetWindowTextW
SetScrollPos
GetPropW
SetPropW
GetParent
InflateRect
GetWindowDC
CallWindowProcW
RemovePropW
RedrawWindow
ScreenToClient
GetIconInfo
InvalidateRect
ReleaseCapture
BeginPaint
DrawStateW
EndPaint
SetCapture
GetSysColorBrush
DefWindowProcW
SetActiveWindow
UnregisterClassW
DestroyAcceleratorTable
LoadIconW
RegisterClassW
AdjustWindowRectEx
CreateAcceleratorTableW
PeekMessageW
MsgWaitForMultipleObjects
GetMessageW
GetActiveWindow
TranslateAcceleratorW
TranslateMessage
DispatchMessageW
GetClientRect
FillRect
EnumChildWindows
DefFrameProcW
IsChild
RegisterWindowMessageW
DestroyIcon
CopyImage
DrawIconEx

gdi32

CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteDC
GetPixel
GetStockObject
GetTextExtentPoint32W
ExcludeClipRect
GetObjectType
GetObjectW
DeleteObject
SetBkColor
SetTextColor
CreateSolidBrush
GetDeviceCaps
CreateFontW
GdiSetBatchLimit
GdiGetBatchLimit
CreateDIBSection
GetDIBits
CreateBitmap
SetPixel
SetBkMode
SetTextAlign
TextOutW
SetStretchBltMode
SetBrushOrgEx
StretchBlt
CreateFontIndirectW
GetTextMetricsW

advapi32

RegOpenKeyExW
RegOpenKeyW
RegConnectRegistryW
RegQueryValueExW
RegCloseKey
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
LookupAccountNameW
IsValidSid
RegEnumKeyExW
RegDeleteValueW
RegCreateKeyW
AdjustTokenPrivileges
ChangeServiceConfigW
CloseServiceHandle
ControlService
CryptAcquireContextW
CryptCreateHash
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptHashData
CryptReleaseContext
GetUserNameW
ImpersonateLoggedOnUser
LogonUserW
LookupPrivilegeValueW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatus
RegEnumValueW
RevertToSelf
StartServiceW

comctl32

InitCommonControlsEx

oleaut32

SafeArrayGetDim
SafeArrayGetUBound
SafeArrayGetElement

ole32

CoInitializeEx
CoInitializeSecurity
CoUninitialize
CoCreateInstance
CoSetProxyBlanket
CoCreateGuid
CoInitialize
StringFromGUID2
RevokeDragDrop

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
ExtractIconExW
ExtractIconW
IsNetDrive
RealDriveType
SHAddToRecentDocs
SHFileOperationW
SHFormatDrive
SHGetFileInfoW
ShellAboutW
Shell_NotifyIconW
ShellExecuteExW

wsock32

WSAStartup
gethostbyname
WSACleanup
gethostbyaddr
inet_addr
closesocket
gethostname
htons
select
__WSAFDIsSet
ioctlsocket
recvfrom
connect
socket
bind
recv

winmm

timeBeginPeriod

icmp

IcmpCloseHandle
IcmpCreateFile
IcmpSendEcho

imagehlp

MakeSureDirectoryPathExists

iphlpapi

GetAdaptersInfo
GetNetworkParams

msi

MsiEnumProductsW
MsiGetProductInfoW

netapi32

NetApiBufferFree
NetLocalGroupAdd
NetLocalGroupDel
NetLocalGroupEnum
NetUserDel
NetUserGetInfo
NetUserSetInfo

setupapi

SetupIterateCabinetW

urlmon

URLDownloadToFileW
UrlMkSetSessionOption

userenv

GetDefaultUserProfileDirectoryW

wininet

DeleteUrlCacheEntryW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlW
InternetOpenW
InternetReadFile
UnlockUrlCacheEntryFileW

Sections

.code
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 227KB - Virtual size: 227KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 225KB - Virtual size: 227KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Activator/KMSAuto/Wait.au3
Activator/KMSAuto/Wait.exe
.exe windows:5 windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 472KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 264KB - Virtual size: 268KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 514KB - Virtual size: 513KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Activator/KMSAuto/readme_en.txt
Activator/KMSAuto/readme_ru.txt
Activator/crack(KMS).rar
.rar
mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe
.exe windows:4 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 1010KB - Virtual size: 1012KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
mini-KMS_Activator_v1.1_Office.2010.VL.RUS.exe
.exe windows:4 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 1010KB - Virtual size: 1012KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

83e8ec2ecf3f2d6c4e283f2ebbdd1277

Code Sign

08:a8:e8:26:95:0f:1a:99:40:26:25:89:fc:af:0b:8fCertificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

ad:a7:a8:0c:81:c2:61:40:68:f7:83:4c:3a:eb:f4:73:25:4d:5b:09Signer

Headers

File Characteristics

Imports

msvcrt

kernel32

gdiplus

winspool.drv

user32

gdi32

advapi32

comctl32

oleaut32

ole32

shell32

wsock32

winmm

icmp

imagehlp

iphlpapi

msi

netapi32

setupapi

urlmon

userenv

wininet

Sections

.code Size: 112KB - Virtual size: 111KB

.text Size: 352KB - Virtual size: 351KB

.rdata Size: 37KB - Virtual size: 36KB

.data Size: 5.7MB - Virtual size: 5.7MB

.rsrc Size: 44KB - Virtual size: 44KB

65ef43de0bb5fdb404965b6ed08a8eae

Code Sign

08:a8:e8:26:95:0f:1a:99:40:26:25:89:fc:af:0b:8fCertificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

d3:46:1b:c5:fa:73:0d:15:e1:da:8c:64:b5:fd:06:7c:ef:4d:bc:3fSigner

Headers

File Characteristics

Imports

msvcrt

kernel32

winspool.drv

user32

gdi32

advapi32

comctl32

oleaut32

ole32

shell32

wsock32

winmm

icmp

imagehlp

iphlpapi

msi

netapi32

setupapi

urlmon

userenv

08:a8:e8:26:95:0f:1a:99:40:26:25:89:fc:af:0b:8f
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

ad:a7:a8:0c:81:c2:61:40:68:f7:83:4c:3a:eb:f4:73:25:4d:5b:09
Signer

.code
Size: 112KB - Virtual size: 111KB

.text
Size: 352KB - Virtual size: 351KB

.rdata
Size: 37KB - Virtual size: 36KB

.data
Size: 5.7MB - Virtual size: 5.7MB

.rsrc
Size: 44KB - Virtual size: 44KB

08:a8:e8:26:95:0f:1a:99:40:26:25:89:fc:af:0b:8f
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

d3:46:1b:c5:fa:73:0d:15:e1:da:8c:64:b5:fd:06:7c:ef:4d:bc:3f
Signer

.code
Size: 32KB - Virtual size: 31KB

.text
Size: 227KB - Virtual size: 227KB

.rdata
Size: 30KB - Virtual size: 29KB

.data
Size: 225KB - Virtual size: 227KB

.rsrc
Size: 62KB - Virtual size: 61KB

UPX0
Size: - Virtual size: 472KB

UPX1
Size: 264KB - Virtual size: 268KB

.rsrc
Size: 29KB - Virtual size: 32KB

.text
Size: 514KB - Virtual size: 513KB

.rdata
Size: 56KB - Virtual size: 55KB

.data
Size: 26KB - Virtual size: 105KB

.rsrc
Size: 37KB - Virtual size: 36KB

UPX0
Size: - Virtual size: 1.4MB

UPX1
Size: 1010KB - Virtual size: 1012KB

.rsrc
Size: 29KB - Virtual size: 32KB

UPX0
Size: - Virtual size: 1.4MB

UPX1
Size: 1010KB - Virtual size: 1012KB

.rsrc
Size: 29KB - Virtual size: 32KB