b14e62ac4c5a1874e019d507112c0e48bc724c11ffb95950150af274b035618a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 10:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

130_office/ Activator office 2010/KMS_WMI_Activator.exe
Size

200KB
MD5

55c48aea2d09a415452867b5abf56357
SHA1

d6991924f6ac93fecf7198934bfcc15fed60f380
SHA256

1d06f86e425b86064afecb6979ad8dba9dbb043f9af627ead0424ed0c83cb212
SHA512

074dd627e9de7b6c0b6757a4ec81b9ada59a1a11b4250dccfd1ff9a32955b3c6e195ef2861a3756eb7b6670c7f8ed9e2041c202f025bca53e08f0fafe8b4b78f
SSDEEP

6144:OFgtJZ0rFIMrzhsLpdExrmRdXfYgKnTcI95sglOk5oSaU:SgWJtrzoo6DmQG+SoSaU

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3048	cmdFocus.exe
2592	cmdFocus.exe
2700	Wselect.exe

Loads dropped DLL 6 IoCs

pid	Process
2800	cmd.exe
2800	cmd.exe
2800	cmd.exe
2800	cmd.exe
2800	cmd.exe
2800	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2408-57-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2408-96-0x0000000000400000-0x000000000049A000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2800	2408	KMS_WMI_Activator.exe	29
PID 2408 wrote to memory of 2800	2408	KMS_WMI_Activator.exe	29
PID 2408 wrote to memory of 2800	2408	KMS_WMI_Activator.exe	29
PID 2408 wrote to memory of 2800	2408	KMS_WMI_Activator.exe	29
PID 2800 wrote to memory of 2808	2800	cmd.exe	30
PID 2800 wrote to memory of 2808	2800	cmd.exe	30
PID 2800 wrote to memory of 2808	2800	cmd.exe	30
PID 2800 wrote to memory of 2808	2800	cmd.exe	30
PID 2800 wrote to memory of 2848	2800	cmd.exe	31
PID 2800 wrote to memory of 2848	2800	cmd.exe	31
PID 2800 wrote to memory of 2848	2800	cmd.exe	31
PID 2800 wrote to memory of 2848	2800	cmd.exe	31
PID 2800 wrote to memory of 3048	2800	cmd.exe	32
PID 2800 wrote to memory of 3048	2800	cmd.exe	32
PID 2800 wrote to memory of 3048	2800	cmd.exe	32
PID 2800 wrote to memory of 3048	2800	cmd.exe	32
PID 2800 wrote to memory of 2688	2800	cmd.exe	33
PID 2800 wrote to memory of 2688	2800	cmd.exe	33
PID 2800 wrote to memory of 2688	2800	cmd.exe	33
PID 2800 wrote to memory of 2688	2800	cmd.exe	33
PID 2800 wrote to memory of 3032	2800	cmd.exe	34
PID 2800 wrote to memory of 3032	2800	cmd.exe	34
PID 2800 wrote to memory of 3032	2800	cmd.exe	34
PID 2800 wrote to memory of 3032	2800	cmd.exe	34
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2700	2800	cmd.exe	36
PID 2800 wrote to memory of 2700	2800	cmd.exe	36
PID 2800 wrote to memory of 2700	2800	cmd.exe	36
PID 2800 wrote to memory of 2700	2800	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\130_office\ Activator office 2010\KMS_WMI_Activator.exe
"C:\Users\Admin\AppData\Local\Temp\130_office\ Activator office 2010\KMS_WMI_Activator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4192.tmp\KMS_WMI_Activator.cmd""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\mode.com
    mode con lines=250 cols=105
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\mode.com
    mode con cp select=866
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\4192.tmp\cmdFocus.exe
    cmdFocus /min
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC CONTEXT
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i ms_419
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\4192.tmp\cmdFocus.exe
    cmdFocus /min
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\4192.tmp\Wselect.exe
    Wselect Menu.txt "KMS_WMI Activator for Office14/Win7/Vista/Server2K8 GVLK" /menu /fs=14 /bg=#A9A9A9
    3⤵
    - Executes dropped EXE
    PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4192.tmp\ID.xsl

Filesize
6KB

MD5
32a9b08c7fa7d6094b4b3359505ecd2d

SHA1
3024750fc594faedaa0725838c22dced6e3a300c

SHA256
074ae5f08eb3cfce07bceb277c0e39e542a8c9c2337f1a9cb714018ef2f9801f

SHA512
9246e9d4bb37566c4945a97d665108f2d19e6f11a5a9cf63619c277fe91bb4ec77f9a4b0d1ce9dfd8ce27d4ed803277615adee356652c9adcce31273ebfeb051

Download Submit
C:\Users\Admin\AppData\Local\Temp\4192.tmp\KMS_WMI_Activator.cmd

Filesize
20KB

MD5
2bfa7adab1e72364697516f18712eb94

SHA1
924a52c35200ff6ebbb6f2737c596c32e5132b46

SHA256
20c7afbc70a0bd09b4f16c6328d4cfd4ac35ec519fda73b24b19c184496c71b5

SHA512
306d2e9209d666f5b362034859f70aafcfde4c8805d641581f5eab37f7a5cdcbd66cf5b61d0f8288ae5603bec528f091d02af5cbe625e2f4cb841535d36d5b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4192.tmp\Menu.txt

Filesize
375B

MD5
71e82fbaa5fe2ba87fe73fe6ade59602

SHA1
80221aab127636fd192fff7db4f511d2e00c8396

SHA256
f302b50353e8622d2f22e82036e9fc723b8959a287f18c19a366a613c9f444d3

SHA512
e1210e6157b78a90d6b64459c6ae180dc84f503696cf7939582c5f5378a53b01591a0672f6e4a5a49fd0923504c23a8c777ff5c5b6d9ea5de0866b1bf8729fa3

Download Submit
\Users\Admin\AppData\Local\Temp\4192.tmp\Wselect.exe

Filesize
33KB

MD5
3b7a803898a010cb939a5dcb03fb2c54

SHA1
1687e2fd4f9063db3b748b02b45717672f29d7ad

SHA256
524bcc8134c339551d8748a9c8a2980c89ffa469fe1a983fa9d2c0f3df17b417

SHA512
3334456328fdaea27c051bacc471a9370ad560565fa40bcfcd7227992b659c18a1b6c6da86733b9c2b1dc0f12af7894f56050a6288b35f8db41cd5c51e145cbf

Download Submit
\Users\Admin\AppData\Local\Temp\4192.tmp\cmdFocus.exe

Filesize
5KB

MD5
f90f8672fa57ba4e8f0a05dec3ede654

SHA1
88bf7a0953e006ea8fcab76890635d4f83f0f438

SHA256
dbd9f0f72cf07c8ee54a256496d681585d8e6a6fb58aed64cdbf875f5091317f

SHA512
e2d75d81295cf70d6a45f9dc7a5fbace630d8bb4c99a480ace9feefdac9631af24e6074bfb2d3679f66c5db732717359eb5ede0c944cc414fb2c62103e8d0f3f

Download Submit
memory/2408-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2408-57-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2408-96-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download