b14e62ac4c5a1874e019d507112c0e48bc724c11ffb95950150af274b035618a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

130_office/_mini-KMS Activator office 2010/mini-KMS Activator v1.054 MS VL/mini-KMS_Activator_v1.054_ENG.exe
Size

1.0MB
MD5

553bf8a98f58a30776ff5b36b22d240f
SHA1

a0b7bd37d5c9a2a630e1b340be0b93cf6bf62b8e
SHA256

1a63e2f2666b286942dd3df919cf0cee813dde131dc8287aec61ff940d49d5a3
SHA512

1d3c1ba2b6dcdca3c7fda3d0d4417bede4ac9850837e149f70f580c6f2a06592e3161257d6caefdfeae8c5d86b1476e4340b5adff4e0121ea8e71637e78741e0
SSDEEP

24576:9jEfKu2FNYe+PpoCcoNhyw77vf2oH9oGUwatIW5haKJ2:REfoNYe+PpeoNhy07veWOwaWW5A

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral6/files/0x0006000000023230-50.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	mini-KMS_Activator_v1.054_ENG.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	cscript.exe
4464	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
4464	autorun.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/memory/4048-0-0x0000000000400000-0x000000000068F000-memory.dmp	upx
behavioral6/files/0x0006000000023230-50.dat	upx
behavioral6/memory/4464-53-0x0000000010000000-0x000000001007E000-memory.dmp	upx
behavioral6/memory/4048-61-0x0000000000400000-0x000000000068F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3264	4048	mini-KMS_Activator_v1.054_ENG.exe	91
PID 4048 wrote to memory of 3264	4048	mini-KMS_Activator_v1.054_ENG.exe	91
PID 4048 wrote to memory of 3264	4048	mini-KMS_Activator_v1.054_ENG.exe	91
PID 3264 wrote to memory of 2628	3264	cmd.exe	94
PID 3264 wrote to memory of 2628	3264	cmd.exe	94
PID 3264 wrote to memory of 2628	3264	cmd.exe	94
PID 3264 wrote to memory of 4464	3264	cmd.exe	99
PID 3264 wrote to memory of 4464	3264	cmd.exe	99
PID 3264 wrote to memory of 4464	3264	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\130_office\_mini-KMS Activator office 2010\mini-KMS Activator v1.054 MS VL\mini-KMS_Activator_v1.054_ENG.exe
"C:\Users\Admin\AppData\Local\Temp\130_office\_mini-KMS Activator office 2010\mini-KMS Activator v1.054 MS VL\mini-KMS_Activator_v1.054_ENG.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\Run.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\cscript.exe
    cscript HS_MESSAGE.vbs "Did you run the program as Administrator? " "Activation Tool" Q YESNO 30
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\autorun.exe
    autorun.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\HS_MESSAGE.vbs

Filesize
796B

MD5
af0559e0301b2f75fa7ce812c5296de8

SHA1
205ddd069a599d20f0e91e17bbf3250eb339cc9e

SHA256
56a32a3cd84010b6517ed492ae6eadac54e5a903f4a0d21b4db32431416d82a2

SHA512
b80b0a1e9f142b16fcd54b24b23b637115454bf637d1abbaf8f9076a33148331e26668dadaa16202fbdbfcdcb152db519a26cee52a01af82149fdf2af2e70db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\Run.cmd

Filesize
1KB

MD5
c5bf78ff7772bf1a035127d5a1481900

SHA1
263b20bf4cb68898248e2cde1eebf00fbbc3b07b

SHA256
a333a30f79c23ed0a0018a649fb3769f733fc730238b85011ed3d978024445fc

SHA512
6010338a9373725d420446a1897ce132facec5019b58eeb8d73c2f7faefdf8b77dbce495cb4cc438941799f9dd3d51ead4b2bbd4faf115c2a8fa7f88dd08a1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\autorun.apm

Filesize
261KB

MD5
6f3817ce3a03daeb02da10fd263c63d0

SHA1
aab986f14523dab7a34cc163cf279c480aa29e2c

SHA256
99860f8d7e15745722d83498fa2a83c65712d9f126edaa3747bb6331a3b4d60d

SHA512
22b9a98a853a2bc11370dc8f428a13e66719577cac3c7c75dc34a08ac4be479392d8af0a3e50fd030543bd7342148e431fe32b9725d0aa0bc3de20767cdff980

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\autorun.exe

Filesize
1.4MB

MD5
ea1d7e51901c29521eb2096dec601582

SHA1
d20dd9584e02172334844e2f06766ceee7edda65

SHA256
8ec5f0d58806c8a6b08382ad62d10eaa67afbd81151960e3be3da844f0e81209

SHA512
90ed45009857e9d2ea182ba07b26e6a5dde9df564c0ae6797aa1b02589ae262698c736835f4d6d154544a42e3b6b1e5a8b306ff3f4464726cf9f64bc4a8d81be

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\cscript.exe

Filesize
76KB

MD5
2e4b93b9e84d114ec0e3555feb7818ec

SHA1
be2e4deb3fd86ebd6f3eae32325b52985d61793e

SHA256
d65518fd4e77e4fb39f9a27a4c52b76824c3e00b2ba98b3c406d027d0d36dd67

SHA512
a948d819e3ff95062774a1a97eb1d5b2d59d5f5e41d5cefcb2aa1846723ef4d7598b242d404f0bd9e0972763e60e2537f7aaa3b4b31f875db9f3e4a57635793a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AA1.tmp\cscript.exe

Filesize
149KB

MD5
34098403f9d8f71ce2ec749122168e89

SHA1
0aed0994e4b43bc3ecc2106dc1c1d3210c82b7d7

SHA256
12df0b06a9b56dce3efdb85984f84b387b1a5b61c9ebbf5a3bd61a5fbb996f60

SHA512
e5b27d305b2a1c411bffbbf6c6534a92ce17af807c69344ed31a2fee42639ac5fef97ef4a654c4d6b2b8d42ba808856b857e9b4d8c008a7ba98adbab6c6b9372

Download Submit
C:\Users\Admin\AppData\Local\Temp\apm8240.tmp

Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
memory/4048-0-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/4048-61-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/4464-48-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4464-53-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/4464-62-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4464-67-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download