Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10/07/2024, 22:25
Behavioral task
behavioral1
Sample
KMSAutox64.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
KMSAutox64.exe
Resource
win10v2004-20240709-en
General
-
Target
KMSAutox64.exe
-
Size
5.9MB
-
MD5
6ecf39f068e587aa11ee61f307b0da00
-
SHA1
d96ba5dcd69352161a907b5b627210ef980b174a
-
SHA256
ae8c825fb003b5aa90f7964da496033f9d0516e6744e89a010118fc6930808cb
-
SHA512
7fc55870553f26f925fbed061b73bf3c80359b82ee1ebae9885c73b9b32b6323664b92579494c8771fb1d37cef1249b8002528e07cf8b5e05370f180661c7cb0
-
SSDEEP
98304:BosFtqvtr/lkqM6WDEilHbShaFmv/MamYhplDsAFV6qzpuy98tKHT/EimO3SAvOb:B3TqvLXhU+k+LFV68RHTOQbN6H62UwX
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1616 signtool.exe -
resource yara_rule behavioral2/memory/1388-0-0x0000000140000000-0x0000000140730000-memory.dmp upx behavioral2/memory/1388-10-0x0000000140000000-0x0000000140730000-memory.dmp upx -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C signtool.exe Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 signtool.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2536 WMIC.exe Token: SeSecurityPrivilege 2536 WMIC.exe Token: SeTakeOwnershipPrivilege 2536 WMIC.exe Token: SeLoadDriverPrivilege 2536 WMIC.exe Token: SeSystemProfilePrivilege 2536 WMIC.exe Token: SeSystemtimePrivilege 2536 WMIC.exe Token: SeProfSingleProcessPrivilege 2536 WMIC.exe Token: SeIncBasePriorityPrivilege 2536 WMIC.exe Token: SeCreatePagefilePrivilege 2536 WMIC.exe Token: SeBackupPrivilege 2536 WMIC.exe Token: SeRestorePrivilege 2536 WMIC.exe Token: SeShutdownPrivilege 2536 WMIC.exe Token: SeDebugPrivilege 2536 WMIC.exe Token: SeSystemEnvironmentPrivilege 2536 WMIC.exe Token: SeRemoteShutdownPrivilege 2536 WMIC.exe Token: SeUndockPrivilege 2536 WMIC.exe Token: SeManageVolumePrivilege 2536 WMIC.exe Token: 33 2536 WMIC.exe Token: 34 2536 WMIC.exe Token: 35 2536 WMIC.exe Token: 36 2536 WMIC.exe Token: SeIncreaseQuotaPrivilege 2536 WMIC.exe Token: SeSecurityPrivilege 2536 WMIC.exe Token: SeTakeOwnershipPrivilege 2536 WMIC.exe Token: SeLoadDriverPrivilege 2536 WMIC.exe Token: SeSystemProfilePrivilege 2536 WMIC.exe Token: SeSystemtimePrivilege 2536 WMIC.exe Token: SeProfSingleProcessPrivilege 2536 WMIC.exe Token: SeIncBasePriorityPrivilege 2536 WMIC.exe Token: SeCreatePagefilePrivilege 2536 WMIC.exe Token: SeBackupPrivilege 2536 WMIC.exe Token: SeRestorePrivilege 2536 WMIC.exe Token: SeShutdownPrivilege 2536 WMIC.exe Token: SeDebugPrivilege 2536 WMIC.exe Token: SeSystemEnvironmentPrivilege 2536 WMIC.exe Token: SeRemoteShutdownPrivilege 2536 WMIC.exe Token: SeUndockPrivilege 2536 WMIC.exe Token: SeManageVolumePrivilege 2536 WMIC.exe Token: 33 2536 WMIC.exe Token: 34 2536 WMIC.exe Token: 35 2536 WMIC.exe Token: 36 2536 WMIC.exe Token: SeIncreaseQuotaPrivilege 3416 wmic.exe Token: SeSecurityPrivilege 3416 wmic.exe Token: SeTakeOwnershipPrivilege 3416 wmic.exe Token: SeLoadDriverPrivilege 3416 wmic.exe Token: SeSystemProfilePrivilege 3416 wmic.exe Token: SeSystemtimePrivilege 3416 wmic.exe Token: SeProfSingleProcessPrivilege 3416 wmic.exe Token: SeIncBasePriorityPrivilege 3416 wmic.exe Token: SeCreatePagefilePrivilege 3416 wmic.exe Token: SeBackupPrivilege 3416 wmic.exe Token: SeRestorePrivilege 3416 wmic.exe Token: SeShutdownPrivilege 3416 wmic.exe Token: SeDebugPrivilege 3416 wmic.exe Token: SeSystemEnvironmentPrivilege 3416 wmic.exe Token: SeRemoteShutdownPrivilege 3416 wmic.exe Token: SeUndockPrivilege 3416 wmic.exe Token: SeManageVolumePrivilege 3416 wmic.exe Token: 33 3416 wmic.exe Token: 34 3416 wmic.exe Token: 35 3416 wmic.exe Token: 36 3416 wmic.exe Token: SeIncreaseQuotaPrivilege 3416 wmic.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1388 KMSAutox64.exe 1388 KMSAutox64.exe 1388 KMSAutox64.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 1388 wrote to memory of 740 1388 KMSAutox64.exe 83 PID 1388 wrote to memory of 740 1388 KMSAutox64.exe 83 PID 1388 wrote to memory of 4764 1388 KMSAutox64.exe 84 PID 1388 wrote to memory of 4764 1388 KMSAutox64.exe 84 PID 4764 wrote to memory of 2536 4764 cmd.exe 87 PID 4764 wrote to memory of 2536 4764 cmd.exe 87 PID 1388 wrote to memory of 1616 1388 KMSAutox64.exe 88 PID 1388 wrote to memory of 1616 1388 KMSAutox64.exe 88 PID 1388 wrote to memory of 1616 1388 KMSAutox64.exe 88 PID 1388 wrote to memory of 3416 1388 KMSAutox64.exe 90 PID 1388 wrote to memory of 3416 1388 KMSAutox64.exe 90 PID 1388 wrote to memory of 908 1388 KMSAutox64.exe 94 PID 1388 wrote to memory of 908 1388 KMSAutox64.exe 94 PID 908 wrote to memory of 3048 908 cmd.exe 96 PID 908 wrote to memory of 3048 908 cmd.exe 96 PID 1388 wrote to memory of 2252 1388 KMSAutox64.exe 97 PID 1388 wrote to memory of 2252 1388 KMSAutox64.exe 97 PID 2252 wrote to memory of 4404 2252 cmd.exe 99 PID 2252 wrote to memory of 4404 2252 cmd.exe 99 PID 1388 wrote to memory of 4988 1388 KMSAutox64.exe 102 PID 1388 wrote to memory of 4988 1388 KMSAutox64.exe 102 PID 4988 wrote to memory of 2588 4988 cmd.exe 104 PID 4988 wrote to memory of 2588 4988 cmd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y2⤵PID:740
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
-
C:\Users\Admin\AppData\Local\Temp\signtool.exe"C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAutox64.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1616
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"2⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"3⤵PID:3048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"3⤵PID:4404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"2⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"3⤵PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
323KB
MD505624e6d27eaef0db0673ae627bd6027
SHA1b155c76bf59992a8d75d0e3a59dc94f24aff2591
SHA256962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
SHA512233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31