Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 04:34

General

  • Target

    Act_Office14_KMS.exe

  • Size

    808KB

  • MD5

    617a304d0c78c2fb26fd55ab56ce2ec4

  • SHA1

    bf3fdc2c71275f6117037aa2ee89f1fe509b7fb9

  • SHA256

    895d20ed35cf6ebb4e98524f9d859da24a731a5afb0d119f8e2f63012ac34b38

  • SHA512

    0f3d659e83a44ab936a5e2fed601eb60f8c4ae3ce2a9890b3d46dd397fe47cb99f81005cc246e32fc4cd8810a6f3994ecbc7b07ea237bba38a36f89e967cd359

  • SSDEEP

    6144:2ifwIx8tVTFUs82tpE4BtQ3cOR7rBY/1pT5fZ9wDmpiU0EVa5Sjpgspai6TaifwN:JSLfE6qF+T5D2ybwIpX6TdSLf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Act_Office14_KMS.exe
    "C:\Users\Admin\AppData\Local\Temp\Act_Office14_KMS.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /dstatus
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\system32\cscript.exe
        cscript "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /dstatus
        3⤵
        PID:2260
    • C:\Windows\system32\ping.exe
      ping -n 2 localhost
      2⤵
      • Runs ping.exe
      PID:2080
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /f /im instsrv.exe & ping -n 1 localhost
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:328
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im instsrv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\system32\PING.EXE
        ping -n 1 localhost
        3⤵
        • Runs ping.exe
        PID:2996
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /f /im KMService.exe & ping -n 1 localhost
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im KMService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
      • C:\Windows\system32\PING.EXE
        ping -n 1 localhost
        3⤵
        • Runs ping.exe
        PID:2000
    • C:\Windows\system32\cmd.exe
      cmd.exe /c net stop KMService & ping -n 1 localhost
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\system32\net.exe
        net stop KMService
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop KMService
          4⤵
          PID:2968
      • C:\Windows\system32\PING.EXE
        ping -n 1 localhost
        3⤵
        • Runs ping.exe
        PID:632
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\instsrv.exe" KMService remove %WINDIR%\srvany.exe & ping -n 1 localhost
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\instsrv.exe
        C:\Users\Admin\AppData\Local\Temp\instsrv.exe KMService remove C:\Windows\srvany.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2092
      • C:\Windows\system32\PING.EXE
        ping -n 1 localhost
        3⤵
        • Runs ping.exe
        PID:1108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\instsrv.exe

    Filesize

    31KB

    MD5

    9f7acaad365af0d1a3cd9261e3208b9b

    SHA1

    b4c7049562e770093e707ac1329cb37ad6313a37

    SHA256

    f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

    SHA512

    6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

  • memory/2504-0-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

    Filesize

    9.6MB

  • memory/2504-1-0x00000000009E0000-0x0000000000A60000-memory.dmp

    Filesize

    512KB

  • memory/2504-2-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

    Filesize

    9.6MB

  • memory/2504-3-0x00000000009E0000-0x0000000000A60000-memory.dmp

    Filesize

    512KB

  • memory/2504-4-0x00000000009E0000-0x0000000000A60000-memory.dmp

    Filesize

    512KB

  • memory/2504-5-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

    Filesize

    9.6MB

  • memory/2504-6-0x00000000009E0000-0x0000000000A60000-memory.dmp

    Filesize

    512KB

  • memory/2504-7-0x00000000009E0000-0x0000000000A60000-memory.dmp

    Filesize

    512KB

  • memory/2504-11-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

    Filesize

    9.6MB