Analysis

max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 10:29
Behavioral tasks

behavioral1: HEU_KMS_Activator_v41.0.0/?????.url (resource win7-20240419-en)
behavioral2: HEU_KMS_Activator_v41.0.0/?????.url (resource win10v2004-20240611-en)
behavioral3: HEU_KMS_Activator_v41.0.0/HEU_KMS_Activator_41.0.0.exe (resource win7-20240611-en)
behavioral4: HEU_KMS_Activator_v41.0.0/HEU_KMS_Activator_41.0.0.exe (resource win10v2004-20240508-en)
behavioral5: HEU_KMS_Activator_v41.0.0/J?? - ??????????.url (resource win7-20240611-en)
behavioral6: HEU_KMS_Activator_v41.0.0/J?? - ??????????.url (resource win10v2004-20240508-en)
General

Target: HEU_KMS_Activator_v41.0.0/HEU_KMS_Activator_41.0.0.exe
Size: 4.6MB
MD5: fa79df6039c561f575313df699569ebb
SHA1: 5cb7335465260a3cf159c094b4b03f6015acfc31
SHA256: 97ea175e7c52b285708da26e606ff311538e03a4f875a59ded57cb8adf2f2c6d
SHA512: 76710f37f80e1880f7d201cb1188040d170a905a1c3c5a198b0171925f54e85f31bf43c8bf153da54fcd8268fd28158e36f351188859f56ca755b0c82d65ff42
SSDEEP: 98304:D+S9bg/0D8Gq3oWf+am87F/dazGbHvmcoVMRuT7mGfVmH68xeOq8:iMcsD8Gq3oqxJoybeBVLnmKVma8IP8
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes: 7Z.EXE, kms_x64.exe
  pid 4600  7Z.EXE
  pid 412   kms_x64.exe

UPX packed file (YARA rule upx, 6 IoCs)
Resources matched by the upx rule:
  behavioral4/memory/4188-0-0x0000000000B20000-0x0000000001476000-memory.dmp
  C:\Windows\_temp_heu168yyds\x64\kms_x64.exe
  behavioral4/memory/412-208-0x00007FF6F3200000-0x00007FF6F351B000-memory.dmp
  behavioral4/memory/4188-211-0x0000000000B20000-0x0000000001476000-memory.dmp
  behavioral4/memory/412-212-0x00007FF6F3200000-0x00007FF6F351B000-memory.dmp
  behavioral4/memory/4188-213-0x0000000000B20000-0x0000000001476000-memory.dmp
AutoIT Executable (YARA rule autoit_exe, 3 IoCs)
AutoIT scripts compiled to PE executables.
Resources matched by the autoit_exe rule:
  behavioral4/memory/4188-211-0x0000000000B20000-0x0000000001476000-memory.dmp
  behavioral4/memory/412-212-0x00007FF6F3200000-0x00007FF6F351B000-memory.dmp
  behavioral4/memory/4188-213-0x0000000000B20000-0x0000000001476000-memory.dmp
Drops file in Windows directory (64 IoCs)
Processes: 7Z.EXE, HEU_KMS_Activator_41.0.0.exe
description | ioc | process
File opened for modification | C:\Windows\_temp_heu168yyds\xml | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\24-2.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\9-2.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\smart-2.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\TAB1.png | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\pic0 | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\17-2.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\BACK4.jpg | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\BACK6.jpg | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\1-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\2-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\23-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\pic0\ewm_wx.jpg | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\TAB4.png | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\x86\cleanospp.exe | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\Office2010OSPP | HEU_KMS_Activator_41.0.0.exe
File opened for modification | C:\Windows\_temp_heu168yyds\pic\15-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\5-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\BACK3.jpg | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\pic0\update.ico | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\pic0\ver.ico | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\xml\SPPSvc.xml | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\xml | HEU_KMS_Activator_41.0.0.exe
File created | C:\Windows\_temp_heu168yyds\pic\18-2.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\4-2.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\About.jpg | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\smart-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\TAB2.png | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\x64\cleanospp.exe | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\20-2.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\BACK5.jpg | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\message.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\Min.png | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\14-2.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\2-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\21-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\BACK1.jpg | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\pic0\left.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\Renewal-Close1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\x86\kms.exe | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\Office2010OSPP | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\14-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\17-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\BACK2.jpg | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\pic0\head.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\Setting.png | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\TAB5.png | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\7Z.EXE | HEU_KMS_Activator_41.0.0.exe
File created | C:\Windows\_temp_heu168yyds\pic\12-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\2-2.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\22-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\23-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\24-2.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\5-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\7-2.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\Office2010OSPP\OSPP.VBS | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\OtherOfficeOSPP | HEU_KMS_Activator_41.0.0.exe
File created | C:\Windows\_temp_heu168yyds\pic\message.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\17-1.bmp | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\pic\19-1.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\2-3.bmp | 7Z.EXE
File created | C:\Windows\_temp_heu168yyds\pic\Down.png | 7Z.EXE
File opened for modification | C:\Windows\_temp_heu168yyds\OtherOfficeOSPP | 7Z.EXE
NTFS ADS (1 IoC)
Processes: kms_x64.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\winmgmts:\root\CIMV2 | kms_x64.exe

Note on this hit: the flagged "path" ends in winmgmts:\root\CIMV2, which is the WMI scripting moniker for the root\CIMV2 namespace, apparently resolved by the sandbox as a relative path against the sample's working directory. The colon after winmgmts is what matches the ADS rule. Treat this as a probable false positive (WMI access by kms_x64.exe, not a write to an alternate data stream) unless a stream is actually found on disk.
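Before an "NTFS ADS" hit like the one above is copied into a detection, it is worth checking where the colon actually sits in the path. The Python helper below is an added example, not part of the sandbox report or of the sample: it separates a drive-letter colon, a COM/WMI object moniker such as winmgmts:, and a real <file>:<stream>[:$DATA] alternate data stream, and it excludes the Zone.Identifier stream that Windows itself writes on downloaded files. The moniker list and the benign-stream list are my assumptions and should be extended for your environment; the sample paths other than the report's own are constructed.

```python
"""Classify a colon-containing Windows path before trusting an 'NTFS ADS'
sandbox hit (example code; sample paths other than the report's are constructed)."""
import re

# Drive prefix: "C:" or the extended form "\\?\C:".
DRIVE_RE = re.compile(r"^(\\\\\?\\)?[a-zA-Z]:")
# Object monikers that legitimately contain a colon and are not file paths (assumption).
KNOWN_MONIKERS = {"winmgmts", "wmi", "ldap", "winnt", "iis", "gc"}
# Streams that Windows writes itself and that rarely deserve an alert (assumption).
BENIGN_STREAMS = {"zone.identifier", "smartscreen", "afp_afpinfo"}


def classify_stream_path(path):
    """Return (kind, detail) for a path string:
       ('none', '')           no colon beyond the drive prefix
       ('moniker', scheme)    a component such as 'winmgmts:' (a COM/WMI moniker)
       ('ads', stream_name)   colon inside the final component: <file>:<stream>[:$DATA]
       ('odd', component)     a colon that fits neither pattern; inspect by hand
    """
    p = path.strip().replace("/", "\\")
    p = DRIVE_RE.sub("", p, count=1)
    parts = [c for c in p.split("\\") if c != ""]
    for i, comp in enumerate(parts):
        if ":" not in comp:
            continue
        head, _, tail = comp.partition(":")
        # Monikers may carry extra syntax after the colon, e.g. winmgmts:{impersonationLevel=...}!
        if head.lower() in KNOWN_MONIKERS:
            return ("moniker", head.lower())
        if i == len(parts) - 1 and head and tail:
            stream = tail.split(":")[0]  # drop an explicit stream type such as :$DATA
            if stream:
                return ("ads", stream)
        return ("odd", comp)
    return ("none", "")


def is_alertable_ads(path):
    """True only for a genuine alternate data stream that is not a well-known benign one."""
    kind, stream = classify_stream_path(path)
    return kind == "ads" and stream.lower() not in BENIGN_STREAMS


# The path from the report, plus constructed examples of the other cases.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\winmgmts:\root\CIMV2",
    r"C:\Users\Admin\Downloads\invoice.pdf:payload.exe",
    r"C:\Users\Admin\Downloads\invoice.pdf:payload.exe:$DATA",
    r"C:\Users\Admin\Downloads\setup.exe:Zone.Identifier",
    r"\\?\C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(classify_stream_path(sample), is_alertable_ads(sample), sample)
```

Used in a pipeline, is_alertable_ads() is the gate: the report's winmgmts: path comes back as a moniker and is dropped, a download with a Zone.Identifier stream is recognised and dropped, and only a stream with an arbitrary name on a user file survives to an alert.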
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 7Z.EXE
  pid 4600  7Z.EXE  Token: SeRestorePrivilege
  pid 4600  7Z.EXE  Token: 35 (unnamed by the sandbox; privilege LUID 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, i.e. SeCreateSymbolicLinkPrivilege)
  pid 4600  7Z.EXE  Token: SeSecurityPrivilege
  pid 4600  7Z.EXE  Token: SeSecurityPrivilege

These are the privileges 7-Zip requests when extracting an archive so that it can restore file security data and symbolic links, so this signature is consistent with the extraction command line below rather than evidence on its own.
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: HEU_KMS_Activator_41.0.0.exe
  PID 4188 (HEU_KMS_Activator_41.0.0.exe) wrote to memory of PID 4600 (7Z.EXE)
  PID 4188 (HEU_KMS_Activator_41.0.0.exe) wrote to memory of PID 4600 (7Z.EXE)
  PID 4188 (HEU_KMS_Activator_41.0.0.exe) wrote to memory of PID 4600 (7Z.EXE)
  PID 4188 (HEU_KMS_Activator_41.0.0.exe) wrote to memory of PID 412 (kms_x64.exe)
  PID 4188 (HEU_KMS_Activator_41.0.0.exe) wrote to memory of PID 412 (kms_x64.exe)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe"
    PID: 4188
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\_temp_heu168yyds\7Z.EXE (child of PID 4188)
        Command line: "C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"
        PID: 4600
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\_temp_heu168yyds\x64\kms_x64.exe (child of PID 4188)
        Command line: C:\Windows\_temp_heu168yyds\x64\kms_x64.exe
        PID: 412
        - Executes dropped EXE
        - NTFS ADS
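The process tree above (a dropper running from the user's Temp directory that writes 7Z.EXE into a new subdirectory of C:\Windows, runs it to unpack KMSmini.7z in place, then launches the extracted kms_x64.exe) is the pattern a hunter would want to pull out of endpoint telemetry. The Python below is an added example, not part of the sandbox report or of the sample: it runs three generic rules over constructed Sysmon-style process-creation records (the report's three processes, plus an explorer.exe parent and two benign controls that I made up) and flags executables running from an unexpected subdirectory of C:\Windows, 7-Zip extractions whose -o target lies under C:\Windows, and Windows-resident children of a parent that runs from AppData\Local\Temp. The fixed C:\Windows system root and the allow-list of expected subdirectories are assumptions to tune per environment.

```python
"""Hunt for the dropper-to-extractor chain from the report over Sysmon-style
process-creation records (example code; sample records are constructed)."""
from dataclasses import dataclass

# Assumption: %SystemRoot% is C:\Windows. Subdirectories where executables are
# expected; anything else directly under C:\Windows is worth a look.
SYSTEM_ROOT = "c:\\windows\\"
EXPECTED_WINDOWS_SUBDIRS = {
    "system32", "syswow64", "winsxs", "servicing", "microsoft.net",
    "systemapps", "immersivecontrolpanel", "boot",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalize(path):
    return path.strip().strip('"').replace("/", "\\").lower()


def split_cmdline(cmdline):
    """Windows-style split: whitespace separates arguments unless inside double
    quotes; the quote characters are dropped, so -o"C:\\dir" becomes -oC:\\dir."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def under_system_root(path):
    return normalize(path).startswith(SYSTEM_ROOT)


def unexpected_windows_subdir(path):
    """Return the first directory under C:\\Windows if it is not an expected one."""
    p = normalize(path)
    if not p.startswith(SYSTEM_ROOT):
        return None
    parts = p[len(SYSTEM_ROOT):].split("\\")
    if len(parts) < 2:  # file sits directly in C:\Windows
        return None
    return None if parts[0] in EXPECTED_WINDOWS_SUBDIRS else parts[0]


def sevenzip_extract_target(cmdline):
    """If cmdline is a 7-Zip extract (x or e) command, return its -o output directory."""
    args = split_cmdline(cmdline)
    if len(args) < 2:
        return None
    exe = normalize(args[0]).rsplit("\\", 1)[-1]
    if not (exe.startswith("7z") and exe.endswith(".exe")) or args[1] not in ("x", "e"):
        return None
    for a in args[2:]:
        if a.startswith("-o") and len(a) > 2:
            return a[2:]
    return None  # no -o: 7-Zip extracts into its current directory, unknown here


def hunt(events):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        sub = unexpected_windows_subdir(e.image)
        if sub:
            hits.append(("exec_from_unexpected_windows_subdir", e.pid, sub))
        out = sevenzip_extract_target(e.cmdline)
        if out and under_system_root(out):
            hits.append(("archive_extracted_into_windows", e.pid, out))
        parent = by_pid.get(e.ppid)
        if parent and "\\appdata\\local\\temp\\" in normalize(parent.image) and under_system_root(e.image):
            hits.append(("windows_child_of_user_temp_parent", e.pid, parent.image))
    return hits


def rules_by_pid(events):
    """Convenience view: pid -> set of rule names that fired for it."""
    out = {}
    for rule, pid, _detail in hunt(events):
        out.setdefault(pid, set()).add(rule)
    return out


# Constructed sample: the report's chain plus an assumed explorer.exe parent and two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4188, 1000, r"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\HEU_KMS_Activator_v41.0.0\HEU_KMS_Activator_41.0.0.exe"'),
    ProcEvent(4600, 4188, r"C:\Windows\_temp_heu168yyds\7Z.EXE",
              r'"C:\Windows\_temp_heu168yyds\7Z.EXE" x "C:\Windows\_temp_heu168yyds\KMSmini.7z" -y -o"C:\Windows\_temp_heu168yyds"'),
    ProcEvent(412, 4188, r"C:\Windows\_temp_heu168yyds\x64\kms_x64.exe", r"C:\Windows\_temp_heu168yyds\x64\kms_x64.exe"),
    ProcEvent(500, 1000, r"C:\Program Files\7-Zip\7z.exe",
              r'"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\archive.7z" -oC:\Users\Admin\Downloads\out'),
    ProcEvent(600, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

On the constructed data 7Z.EXE (4600) trips all three rules and kms_x64.exe (412) trips two, while the legitimate 7-Zip extraction into Downloads and svchost.exe stay quiet. The command-line splitter matters more than it looks: the report shows the -o"..." form with the quotes attached to the switch, which a naive whitespace split or a POSIX shlex would mangle.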
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 141B
MD5: 07519d22697940ba191d3eeb68436ab3
SHA1: a2e79391705a6fd849dbdc79d457ec2d2ebf392c
SHA256: e8d819f57a235e7a4e03ba7fa2e0d8e0a2b00d5c2456f7dba26f107caa3c8bea
SHA512: 25e830a135d1cf3a26b3a4d4a3b90db9ca39d5f4ac7efac8fba02cb91663b6a656c76ea34821567f80e3be3bb3f1f960b2bfcba5386baf963d41644a1897886d

Filesize: 2.0MB
MD5: 7c95298d1611c9e4bb4be126003cdc20
SHA1: a59c8d542ff8210797247b0d8f0746ed1add66e1
SHA256: f4f6f45d26e2b15267c59452b10b7b1d890a3b65e647adeb4c7296d90c34b7df
SHA512: 5104664b3036d5ee4209112db2f2da833e177a83691ad438fc20c467e80cfcedc784de6aae27401f40fa9bd9a3a6c6935702c0e42e3dc7f6afe64853021bf8be

Filesize: 722KB
MD5: 43141e85e7c36e31b52b22ab94d5e574
SHA1: cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Filesize: 1.4MB
MD5: c7926c9b1dfe047575916f8016f36555
SHA1: 88f149b25d40e4d124c45bef48a82d69fc5e7e34
SHA256: c02c302c2f9861b4120664ad32b74280a5f13dae54735ad858691837aa496888
SHA512: 68e2efe32be775eff0c6c949ac5f3770be1ac9a5baabd85b73e6e0d987b4b593329d829a6cdd111379637adc81caf1cdc542d43c420c102405c239ee85cf9ec2

Filesize: 1.4MB
MD5: 4a7d374c8ad8419fa832fd29486024d0
SHA1: e8793db9705d7beac3dc3c0394ed58ffd0022708
SHA256: 69ce16ddba934782fa656a69c28daef291f55d11ff19d78b83bd6736e6d6a8d1
SHA512: 55464c7f7c5918dee4f882e0f4c40758070c7d474be2cc763d6675cfc497464d11005e6c49f87eb1dc7603c831aec84d034dd0ccb1557b8221910191eb58b7aa