ba17f6c79ca1b88ef400c2ea683766604000a9c0164963181c25250fefd5bcec

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 11:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

KMS.exe
Size

2.0MB
MD5

4c85602ecd371fba3d45d8ab68fbc19d
SHA1

6100900b5a3e778276fb21eccb1a6e0aec8094b5
SHA256

ba17f6c79ca1b88ef400c2ea683766604000a9c0164963181c25250fefd5bcec
SHA512

4520815639e9c26376b9c1896adcc04497a74e29b7ed611f4d9b6402595684d1a21e6a9f232548dcb439b7c0a3440fd4c8ea55c43c2fd874a32514e278d719b2
SSDEEP

24576:o5UIl0ppFn+PQyOAyEFn/wI1gOpMXePDA9yutbzM1j/gRo7RJVNolK:oR0pPWz/wI1gMVPU9yEM1j/gRGXNqK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	KMS.exe

Executes dropped EXE 3 IoCs

pid	Process
1708	g.exe
1272	c.exe
3704	c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	g.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
744	msedge.exe
744	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3044	KMS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1708	3044	KMS.exe	98
PID 3044 wrote to memory of 1708	3044	KMS.exe	98
PID 3044 wrote to memory of 1708	3044	KMS.exe	98
PID 3044 wrote to memory of 1272	3044	KMS.exe	100
PID 3044 wrote to memory of 1272	3044	KMS.exe	100
PID 4944 wrote to memory of 3584	4944	msedge.exe	120
PID 4944 wrote to memory of 3584	4944	msedge.exe	120
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 1420	4944	msedge.exe	121
PID 4944 wrote to memory of 744	4944	msedge.exe	122
PID 4944 wrote to memory of 744	4944	msedge.exe	122
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123
PID 4944 wrote to memory of 1636	4944	msedge.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\KMS.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\Temp\g.exe
  "C:\Windows\Temp\g.exe" Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1708
- C:\Windows\Temp\c.exe
  "C:\Windows\Temp\c.exe" -o -altto C:\Windows\Temp\
  2⤵
  - Executes dropped EXE
  PID:1272
- - C:\Windows\Temp\c.exe
    "C:\Windows\Temp\c.exe" -o -altto C:\Windows\Temp\ -ppl C:\Users\Admin\AppData\Local\Temp\temB258.tmp
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf0f74f9fh3eefh47b9h9b51h66d97f293f2f
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ff81f0746f8,0x7ff81f074708,0x7ff81f074718
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18107722469646077796,6034218541288738038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18107722469646077796,6034218541288738038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18107722469646077796,6034218541288738038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7030bb7742c072919fff98937161286f

SHA1
e92d7f34360e722e1b14d0c60ef91c4998a8b21b

SHA256
837767eb9a5b8028f767cec954e484e1f96ad65c8cdcacc38a2956a1220b892e

SHA512
56eef96b29a7f79d286873b498594c8b7a2cb70f8c9c2cbe314c1855699c6d5a1a1e2be40eb63bf89d3fbbf909e08f91c56a43319bf0ee79b0610f411786693a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d99ac6ab09c51d32a924db2b741ce1ef

SHA1
d6983b261f2ea5fdf81cfee11d710b9bb5ef44f1

SHA256
689f908b0417b8a9abd5801a14752a294539514a210da29bd7e04d9763123d4c

SHA512
35bdb78cb8abbc75001818d8a766c742cb04173c84aab05582aa17df26cbf24ed2df9e85bc654d218eb0b2288edc95610277857445c58b4315eba294916b08cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\temB258.tmp

Filesize
206B

MD5
b13af738aa8be55154b2752979d76827

SHA1
64a5f927720af02a367c105c65c1f5da639b7a93

SHA256
663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b

SHA512
cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4

Download Submit
C:\Windows\Temp\GenuineTicket.xml

Filesize
1KB

MD5
ae379697f381ea4ff57e361ec7ffefb9

SHA1
5471c204f3548bc4f8b9871333da00577ebf333e

SHA256
a487e33f1c9da0d2aba00add825d8098b35426fda29e06fc268e22dffc6ccbda

SHA512
ed6174f58614d2bafd59069777363df9547b39b5756e11549a8a8b52e800063642f286aeb70fec8d1223919fc8648170f7bb7bad752402f5f4760ebd48a7c46d

Download Submit
C:\Windows\Temp\c.exe

Filesize
1.3MB

MD5
bd1908ab0887873fce6b059822599e4e

SHA1
48d928b1bec25a56fe896c430c2c034b7866aa7a

SHA256
0d6e9f6bbd0321eda149658d96040cb4f79e0bd93ba60061f25b28fecbf4d4ef

SHA512
e602efef6d697cdb0c958df3210331170c354edf1c372975d5edd71c884f2de26c6bad07e4caea4f7832ad42a9fe9c8c1b72ca24734a6d464f108864d0a8cf4c

Download Submit
C:\Windows\Temp\g.exe

Filesize
330KB

MD5
a58ea746f5d78d1ce5c43885ae06eebb

SHA1
0cc709275767e0aa7bd69236e364a45e66aad9ab

SHA256
1f6e56a5467ab472c915cd98b4e93226182684358ca1cdc14ec3bbb2e584b3e7

SHA512
f102d59a74f63f9ba4ead4ed653ffd7020e2d45cea5eb3497994a0283444fabe34c9fa1479dc7ba0d699508d86b5154a5170c648c180d247fe20f66e1f015c28

Download Submit
memory/1272-52-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/1272-51-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/1272-53-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/1272-42-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/1272-37-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/1272-38-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/1272-39-0x000002999F6D0000-0x000002999F6E0000-memory.dmp

Filesize
64KB

Download
memory/3044-10-0x00007FF824010000-0x00007FF8249B1000-memory.dmp

Filesize
9.6MB

Download
memory/3044-5-0x000000001C8A0000-0x000000001C93C000-memory.dmp

Filesize
624KB

Download
memory/3044-107-0x00007FF824010000-0x00007FF8249B1000-memory.dmp

Filesize
9.6MB

Download
memory/3044-1-0x00007FF824010000-0x00007FF8249B1000-memory.dmp

Filesize
9.6MB

Download
memory/3044-11-0x00007FF824010000-0x00007FF8249B1000-memory.dmp

Filesize
9.6MB

Download
memory/3044-4-0x000000001C3D0000-0x000000001C89E000-memory.dmp

Filesize
4.8MB

Download
memory/3044-6-0x000000001C9C0000-0x000000001CA22000-memory.dmp

Filesize
392KB

Download
memory/3044-0-0x00007FF8242C5000-0x00007FF8242C6000-memory.dmp

Filesize
4KB

Download
memory/3044-9-0x00007FF8242C5000-0x00007FF8242C6000-memory.dmp

Filesize
4KB

Download
memory/3044-8-0x00007FF824010000-0x00007FF8249B1000-memory.dmp

Filesize
9.6MB

Download
memory/3044-7-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/3044-56-0x000000001B560000-0x000000001B580000-memory.dmp

Filesize
128KB

Download
memory/3704-49-0x000001FF12DC0000-0x000001FF12DD0000-memory.dmp

Filesize
64KB

Download
memory/3704-45-0x000001FF12DC0000-0x000001FF12DD0000-memory.dmp

Filesize
64KB

Download
memory/3704-48-0x000001FF12DC0000-0x000001FF12DD0000-memory.dmp

Filesize
64KB

Download
memory/3704-43-0x000001FF12DC0000-0x000001FF12DD0000-memory.dmp

Filesize
64KB

Download
memory/3704-44-0x000001FF12DC0000-0x000001FF12DD0000-memory.dmp

Filesize
64KB

Download