General
Target: KMS_VL_ALL_AIO-master.zip
Size: 12KB
Sample: 240801-aa84lszhpn
MD5: 01d4bc416d709adb626fefac8d2a0159
SHA1: 74095ff6e58fa3b70dfa5f455030f24e8be172a6
SHA256: 228bb528dc4202ca0ee4b88643607d2a5f13ed506b458f78fb9c7cf1637ba67c
SHA512: c723af9eb11c82fbcb606b26bededc957854e121c27bcdbdde9343e257ea29f0270673589eb035b07b13fadfc16e6c4b6400d668fa7f4d9d20c47cb49af6e09d
SSDEEP: 192:b8Mmw2Vs5cpm0gkUyvwq/YkbZp5TbzBl70xWRsySpPIDoz4i/fCvyCQloZYGc92d:QVbCEh/70cpShMoU8bbL92+hVCCY
Static task: static1
Behavioral task: behavioral1
  Sample: KMS_VL_ALL_AIO-master.zip
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: KMS_VL_ALL_AIO-master/LICENSE
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: KMS_VL_ALL_AIO-master/README.md
  Resource: win10-20240404-en
Malware Config
Extracted: lumma
  C2:
    https://kaminiasbbefow.shop/api
    https://applyzxcksdia.shop/api
    https://replacedoxcjzp.shop/api
    https://declaredczxi.shop/api
    https://catchddkxozvp.shop/api
    https://arriveoxpzxo.shop/api
    https://contemplateodszsv.shop/api
    https://bindceasdiwozx.shop/api
    https://conformfucdioz.shop/api
Extracted: lumma
  C2:
    https://applyzxcksdia.shop/api
    https://violanntyisopz.shop/api
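As an added example (not part of the sandbox report and not code from the Lumma sample), the Python below merges the two extracted configs above into one domain set (they overlap on applyzxcksdia.shop, giving ten unique hosts) and runs that set over constructed proxy-log lines. The domain list is copied verbatim from the report; the log lines, their field layout, and the "POST to /api on an unlisted *.shop host" heuristic are assumptions for illustration.

```python
"""Network IOC check built from the Lumma C2 URLs extracted above.

Added example, not part of the sandbox report. The C2 list is copied from
the report; SAMPLE_PROXY_LOG and the *.shop/api heuristic are constructed.
"""
import re
from urllib.parse import urlsplit

# The two extracted Lumma configs, exactly as listed in the report.
LUMMA_CONFIGS = [
    [
        "https://kaminiasbbefow.shop/api",
        "https://applyzxcksdia.shop/api",
        "https://replacedoxcjzp.shop/api",
        "https://declaredczxi.shop/api",
        "https://catchddkxozvp.shop/api",
        "https://arriveoxpzxo.shop/api",
        "https://contemplateodszsv.shop/api",
        "https://bindceasdiwozx.shop/api",
        "https://conformfucdioz.shop/api",
    ],
    [
        "https://applyzxcksdia.shop/api",
        "https://violanntyisopz.shop/api",
    ],
]


def lumma_c2_domains(configs):
    """Merge every extracted config into one deduplicated, lowercase host set."""
    domains = set()
    for cfg in configs:
        for url in cfg:
            host = urlsplit(url).hostname
            if host:
                domains.add(host.lower())
    return domains


# Constructed proxy log (assumed layout: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
1722470401.123 10.0.0.15 POST https://applyzxcksdia.shop/api 200
1722470402.456 10.0.0.15 GET https://www.microsoft.com/en-us/ 200
1722470403.789 10.0.0.22 POST https://totallynewxzqo.shop/api 200
1722470404.012 10.0.0.15 GET https://example.shop/products 200
"""

# Heuristic shape of the listed C2 hosts: a single run of lowercase letters
# under .shop. Lower confidence than an exact match; tune before deploying.
LUMMA_SHAPE = re.compile(r"^[a-z]{10,20}\.shop$")


def scan_proxy_log(log_text, known_domains):
    """Return (client, host, verdict) for each suspicious line.

    verdict 'known_c2'   : host is one of the extracted C2 domains.
    verdict 'lumma_like' : POST to /api on an unlisted host matching LUMMA_SHAPE.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        _, client, method, url, _ = parts[:5]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if host in known_domains:
            hits.append((client, host, "known_c2"))
        elif method == "POST" and u.path == "/api" and LUMMA_SHAPE.match(host):
            hits.append((client, host, "lumma_like"))
    return hits


if __name__ == "__main__":
    c2 = lumma_c2_domains(LUMMA_CONFIGS)
    for client, host, verdict in scan_proxy_log(SAMPLE_PROXY_LOG, c2):
        print(f"{verdict:10s} {client:12s} {host}")
```

The exact-match path is what you would feed a proxy or DNS blocklist; the shape heuristic only makes sense as a hunting query, since legitimate .shop sites with an /api path exist.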
Targets
Target: KMS_VL_ALL_AIO-master.zip
Size: 12KB
MD5: 01d4bc416d709adb626fefac8d2a0159
SHA1: 74095ff6e58fa3b70dfa5f455030f24e8be172a6
SHA256: 228bb528dc4202ca0ee4b88643607d2a5f13ed506b458f78fb9c7cf1637ba67c
SHA512: c723af9eb11c82fbcb606b26bededc957854e121c27bcdbdde9343e257ea29f0270673589eb035b07b13fadfc16e6c4b6400d668fa7f4d9d20c47cb49af6e09d
SSDEEP: 192:b8Mmw2Vs5cpm0gkUyvwq/YkbZp5TbzBl70xWRsySpPIDoz4i/fCvyCQloZYGc92d:QVbCEh/70cpShMoU8bbL92+hVCCY
Score: 1/10

Target: KMS_VL_ALL_AIO-master/LICENSE
Size: 34KB
MD5: 1ebbd3e34237af26da5dc08a4e440464
SHA1: 31a3d460bb3c7d98845187c716a30db81c44b615
SHA256: 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
SHA512: d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686
SSDEEP: 768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum
Score: 1/10

Target: KMS_VL_ALL_AIO-master/README.md
Size: 198B
MD5: c4148b2a33c5d4dccd54c895e9a8cdfc
SHA1: 29a13950a93d0c0178e6dcc98743237a5ba9f721
SHA256: b1beddcbe408e1eeca9b2171d9e2e1fc2c4202098b5c3768424867aa19b9187b
SHA512: 0176cfedfcde965045f8c18edcdb60ee1417f9e3a508e8baf443f31591542d936afcc065fd4de1433b14842f717415655380bc513a7b70a8ab09dbfd07bce95a
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copy of, a web browser credential store.
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of signatures mapped to each technique.
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (2)
    Service Execution (2)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Power Settings (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Impair Defenses (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)