Analysis
max time kernel: 140s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 10/07/2024, 22:25
Behavioral task
behavioral1
Sample
KMSAutox64.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
KMSAutox64.exe
Resource
win10v2004-20240709-en
General
Target: KMSAutox64.exe
Size: 5.9MB
MD5: 6ecf39f068e587aa11ee61f307b0da00
SHA1: d96ba5dcd69352161a907b5b627210ef980b174a
SHA256: ae8c825fb003b5aa90f7964da496033f9d0516e6744e89a010118fc6930808cb
SHA512: 7fc55870553f26f925fbed061b73bf3c80359b82ee1ebae9885c73b9b32b6323664b92579494c8771fb1d37cef1249b8002528e07cf8b5e05370f180661c7cb0
SSDEEP: 98304:BosFtqvtr/lkqM6WDEilHbShaFmv/MamYhplDsAFV6qzpuy98tKHT/EimO3SAvOb:B3TqvLXhU+k+LFV68RHTOQbN6H62UwX
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
2376 signtool.exe
-
resource yara_rule
behavioral1/memory/2068-0-0x0000000140000000-0x0000000140730000-memory.dmp upx
behavioral1/memory/2068-63-0x0000000140000000-0x0000000140730000-memory.dmp upx
behavioral1/memory/2068-67-0x0000000140000000-0x0000000140730000-memory.dmp upx
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C signtool.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob signtool.exe
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeIncreaseQuotaPrivilege 3000 wmic.exe
Token: SeSecurityPrivilege 3000 wmic.exe
Token: SeTakeOwnershipPrivilege 3000 wmic.exe
Token: SeLoadDriverPrivilege 3000 wmic.exe
Token: SeSystemProfilePrivilege 3000 wmic.exe
Token: SeSystemtimePrivilege 3000 wmic.exe
Token: SeProfSingleProcessPrivilege 3000 wmic.exe
Token: SeIncBasePriorityPrivilege 3000 wmic.exe
Token: SeCreatePagefilePrivilege 3000 wmic.exe
Token: SeBackupPrivilege 3000 wmic.exe
Token: SeRestorePrivilege 3000 wmic.exe
Token: SeShutdownPrivilege 3000 wmic.exe
Token: SeDebugPrivilege 3000 wmic.exe
Token: SeSystemEnvironmentPrivilege 3000 wmic.exe
Token: SeRemoteShutdownPrivilege 3000 wmic.exe
Token: SeUndockPrivilege 3000 wmic.exe
Token: SeManageVolumePrivilege 3000 wmic.exe
Token: 33 3000 wmic.exe
Token: 34 3000 wmic.exe
Token: 35 3000 wmic.exe
Token: SeIncreaseQuotaPrivilege 3000 wmic.exe
Token: SeSecurityPrivilege 3000 wmic.exe
Token: SeTakeOwnershipPrivilege 3000 wmic.exe
Token: SeLoadDriverPrivilege 3000 wmic.exe
Token: SeSystemProfilePrivilege 3000 wmic.exe
Token: SeSystemtimePrivilege 3000 wmic.exe
Token: SeProfSingleProcessPrivilege 3000 wmic.exe
Token: SeIncBasePriorityPrivilege 3000 wmic.exe
Token: SeCreatePagefilePrivilege 3000 wmic.exe
Token: SeBackupPrivilege 3000 wmic.exe
Token: SeRestorePrivilege 3000 wmic.exe
Token: SeShutdownPrivilege 3000 wmic.exe
Token: SeDebugPrivilege 3000 wmic.exe
Token: SeSystemEnvironmentPrivilege 3000 wmic.exe
Token: SeRemoteShutdownPrivilege 3000 wmic.exe
Token: SeUndockPrivilege 3000 wmic.exe
Token: SeManageVolumePrivilege 3000 wmic.exe
Token: 33 3000 wmic.exe
Token: 34 3000 wmic.exe
Token: 35 3000 wmic.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
2068 KMSAutox64.exe
2068 KMSAutox64.exe
2068 KMSAutox64.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
PID 2068 wrote to memory of 2544 2068 KMSAutox64.exe 30
PID 2068 wrote to memory of 2544 2068 KMSAutox64.exe 30
PID 2068 wrote to memory of 2544 2068 KMSAutox64.exe 30
PID 2068 wrote to memory of 2376 2068 KMSAutox64.exe 32
PID 2068 wrote to memory of 2376 2068 KMSAutox64.exe 32
PID 2068 wrote to memory of 2376 2068 KMSAutox64.exe 32
PID 2068 wrote to memory of 2376 2068 KMSAutox64.exe 32
PID 2068 wrote to memory of 3000 2068 KMSAutox64.exe 34
PID 2068 wrote to memory of 3000 2068 KMSAutox64.exe 34
PID 2068 wrote to memory of 3000 2068 KMSAutox64.exe 34
Processes
C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"
PID: 2068
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
    PID: 2544

    C:\Users\Admin\AppData\Local\Temp\signtool.exe
    "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"
    PID: 2376
    - Executes dropped EXE
    - Modifies system certificate store

    C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
    PID: 3000
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B