Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    11-01-2024 20:27

General

  • Target

    Act_Office14_KMS.exe

  • Size

    808KB

  • MD5

    617a304d0c78c2fb26fd55ab56ce2ec4

  • SHA1

    bf3fdc2c71275f6117037aa2ee89f1fe509b7fb9

  • SHA256

    895d20ed35cf6ebb4e98524f9d859da24a731a5afb0d119f8e2f63012ac34b38

  • SHA512

    0f3d659e83a44ab936a5e2fed601eb60f8c4ae3ce2a9890b3d46dd397fe47cb99f81005cc246e32fc4cd8810a6f3994ecbc7b07ea237bba38a36f89e967cd359

  • SSDEEP

    6144:2ifwIx8tVTFUs82tpE4BtQ3cOR7rBY/1pT5fZ9wDmpiU0EVa5Sjpgspai6TaifwN:JSLfE6qF+T5D2ybwIpX6TdSLf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Act_Office14_KMS.exe
    "C:\Users\Admin\AppData\Local\Temp\Act_Office14_KMS.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /dstatus
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\system32\cscript.exe
        cscript "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /dstatus
        3⤵
          PID:2148
      • C:\Windows\system32\ping.exe
        ping -n 2 localhost
        2⤵
        • Runs ping.exe
        PID:2756
      • C:\Windows\system32\cmd.exe
        cmd.exe /c taskkill /f /im instsrv.exe & ping -n 1 localhost
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\system32\PING.EXE
          ping -n 1 localhost
          3⤵
          • Runs ping.exe
          PID:2744
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im instsrv.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2816
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\instsrv.exe" KMService remove %WINDIR%\srvany.exe & ping -n 1 localhost
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:580
      • C:\Windows\system32\cmd.exe
        cmd.exe /c net stop KMService & ping -n 1 localhost
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:392
      • C:\Windows\system32\cmd.exe
        cmd.exe /c taskkill /f /im KMService.exe & ping -n 1 localhost
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:804
  • C:\Windows\system32\net.exe
    net stop KMService
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop KMService
      2⤵
        PID:1092
  • C:\Windows\system32\PING.EXE
    ping -n 1 localhost
    1⤵
    • Runs ping.exe
    PID:1404
  • C:\Users\Admin\AppData\Local\Temp\instsrv.exe
    C:\Users\Admin\AppData\Local\Temp\instsrv.exe KMService remove C:\Windows\srvany.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:708
  • C:\Windows\system32\PING.EXE
    ping -n 1 localhost
    1⤵
    • Runs ping.exe
    PID:1044
  • C:\Windows\system32\PING.EXE
    ping -n 1 localhost
    1⤵
    • Runs ping.exe
    PID:1156
  • C:\Windows\system32\taskkill.exe
    taskkill /f /im KMService.exe
    1⤵
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:2092

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\instsrv.exe

    Filesize

    31KB

    MD5

    9f7acaad365af0d1a3cd9261e3208b9b

    SHA1

    b4c7049562e770093e707ac1329cb37ad6313a37

    SHA256

    f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

    SHA512

    6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

  • memory/2860-0-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-1-0x0000000000B50000-0x0000000000BD0000-memory.dmp

    Filesize

    512KB

  • memory/2860-2-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-3-0x0000000000B50000-0x0000000000BD0000-memory.dmp

    Filesize

    512KB

  • memory/2860-4-0x0000000000B50000-0x0000000000BD0000-memory.dmp

    Filesize

    512KB

  • memory/2860-5-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

    Filesize

    9.6MB

  • memory/2860-9-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

    Filesize

    9.6MB