Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system -
submitted
13-06-2024 06:18
Static task
static1
Behavioral task
behavioral1
Sample
KMSAuto Net.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
KMSAuto Net.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
KMSCleaner.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
KMSCleaner.exe
Resource
win10v2004-20240508-en
General
-
Target
KMSAuto Net.exe
-
Size
7.9MB
-
MD5
f1fe671bcefd4630e5ed8b87c9283534
-
SHA1
9ff0546074213231e695e67324aba64e2e65d2c2
-
SHA256
58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
-
SHA512
aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b
-
SSDEEP
196608:C38lywCAfywOweqyw3ywsywXywZywnywZywBywEyw4ywwywmIBywyywsyw/ywiys:EDwCAqwUnwiwxwCwUwywUw8wJwVwtwiB
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1844 wrote to memory of 2924 | 1844 | KMSAuto Net.exe | 28
PID 1844 wrote to memory of 2924 | 1844 | KMSAuto Net.exe | 28
PID 1844 wrote to memory of 2924 | 1844 | KMSAuto Net.exe | 28
PID 1844 wrote to memory of 2924 | 1844 | KMSAuto Net.exe | 28
PID 1844 wrote to memory of 2988 | 1844 | KMSAuto Net.exe | 30
PID 1844 wrote to memory of 2988 | 1844 | KMSAuto Net.exe | 30
PID 1844 wrote to memory of 2988 | 1844 | KMSAuto Net.exe | 30
PID 1844 wrote to memory of 2988 | 1844 | KMSAuto Net.exe | 30
PID 1844 wrote to memory of 2864 | 1844 | KMSAuto Net.exe | 32
PID 1844 wrote to memory of 2864 | 1844 | KMSAuto Net.exe | 32
PID 1844 wrote to memory of 2864 | 1844 | KMSAuto Net.exe | 32
PID 1844 wrote to memory of 2864 | 1844 | KMSAuto Net.exe | 32
Processes
-
- C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
  "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
  PID:1844
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
    PID:2924
  - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
    PID:2988
  - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
    PID:2864
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
6B
MD5
9f06243abcb89c70e0c331c61d871fa7
SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4
SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b
SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86