General

  • Target

    KMSAuto-1.7.2--1111.zip

  • Size

    16.8MB

  • Sample

    240225-m46lssaa99

  • MD5

    e66b68abccb19b307743111cb1a0b430

  • SHA1

    f2fe295a46f66341842999cc39af1b7ad72741cc

  • SHA256

    787d15b6681907876da506ec782434fad8f04e41c2371ce9900bdf7148962495

  • SHA512

    7d1e0b31d239f71d56e08134adece1ea6aa1c286ec011ebd9b9d2add3b0456ec114fb08e59a9c86048cfb8c2c1c670eed3feada605d79131764b0261dac26c62

  • SSDEEP

    393216:9Lu5rJ6wzvMNpcRGvd/vxan29jLWV3XKpPvItDR6UeQ29YrJeR:CrJhTMNSRwd/Ja29+XGoDsUeQHY

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
&{(new-object net.webclient).downloadfile("http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab", "C:\\Users\\Admin\\AppData\\Local\\Temp\\over987332\\v32.cab")}
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
&{(new-object net.webclient).downloadfile("http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab", "C:\\Users\\Admin\\AppData\\Local\\Temp\\over496561\\v32.cab")}
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
&{(new-object net.webclient).downloadfile("http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab", "C:\\Users\\Admin\\AppData\\Local\\Temp\\over306273\\v32.cab")}
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
&{(new-object net.webclient).downloadfile("http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab", "C:\\Users\\Admin\\AppData\\Local\\Temp\\over737135\\v32.cab")}
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
&{(new-object net.webclient).downloadfile("http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20637/i640.cab", "C:\\Users\\Admin\\AppData\\Local\\Temp\\over737135\\i640.cab")}
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20637/i640.cab

Targets

    • Target

      KMSAuto++.exe

    • Size

      17.3MB

    • MD5

      2cb529469604258cdfdba8274b5b2421

    • SHA1

      4dd974f9a65c10c6e224d4475733ed3229160ba3

    • SHA256

      9e073291b0a34663a7052207e6fbcbaa924ddcb24665ee0615954b114bd95b29

    • SHA512

      05566816ab0809833f047b1d160efc8f4583ee8845d70fadd6caa1824b1e2250c6e24f76e9f1eb38ce39a8ba3935c90137dca9ff6b628f10142db0742ba08e39

    • SSDEEP

      393216:UdAG/8OKtOWhC6mlaF+J9hM/SonN+yibB+FmABoQMkkgKMh7o+:UmG0OIJYEF+J9wSoN+/d+o4oQZkgKMP

    Score
    10/10

    • Blocklisted process makes network request

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15
