
Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10/07/2024, 22:25

General

  • Target
    KMSAutox64.exe
  • Size
    5.9MB
  • MD5
    6ecf39f068e587aa11ee61f307b0da00
  • SHA1
    d96ba5dcd69352161a907b5b627210ef980b174a
  • SHA256
    ae8c825fb003b5aa90f7964da496033f9d0516e6744e89a010118fc6930808cb
  • SHA512
    7fc55870553f26f925fbed061b73bf3c80359b82ee1ebae9885c73b9b32b6323664b92579494c8771fb1d37cef1249b8002528e07cf8b5e05370f180661c7cb0
  • SSDEEP
    98304:BosFtqvtr/lkqM6WDEilHbShaFmv/MamYhplDsAFV6qzpuy98tKHT/EimO3SAvOb:B3TqvLXhU+k+LFV68RHTOQbN6H62UwX

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
      2⤵
      PID:740
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2536
    • C:\Users\Admin\AppData\Local\Temp\signtool.exe
      "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:1616
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"
        3⤵
        PID:3048
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
        3⤵
        PID:4404
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
        3⤵
        PID:2588

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\signtool.exe
    Filesize
    323KB
    MD5
    05624e6d27eaef0db0673ae627bd6027
    SHA1
    b155c76bf59992a8d75d0e3a59dc94f24aff2591
    SHA256
    962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
    SHA512
    233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
  • memory/1388-0-0x0000000140000000-0x0000000140730000-memory.dmp
    Filesize
    7.2MB
  • memory/1388-10-0x0000000140000000-0x0000000140730000-memory.dmp
    Filesize
    7.2MB