Overview

overview

10

Static

static

5

KMSpico 11...ce.cmd

windows7-x64

8

KMSpico 11...ce.cmd

windows10-2004-x64

8

KMSpico 11...ms.exe

windows7-x64

10

KMSpico 11...ms.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)/UnInstall_Service.cmd

  • Size

    146B

  • MD5

    d228137b7b77d7ef3fcdc06ddabebeef

  • SHA1

    9415587011a75484fce405287a548d488973fd09

  • SHA256

    0552a48861a2c9825d51eeb0197a959dc85e4e960fb00cee89ccc4806eaadba8

  • SHA512

    7ca92a5b8bb303adfe4281db23c65eb2e1b22434411c0cae02aa688cfa3091edfd315cc816cd6d5a37cf8f6e647b1931329c1051df45b6135e75d0c023224ef9

Score
8/10
evasionexecution

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)\UnInstall_Service.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\system32\sc.exe
      sc stop "Service KMSELDI"
      2⤵
      • Launches sc.exe
      PID:2720
    • C:\Windows\system32\sc.exe
      sc delete "Service KMSELDI"
      2⤵
      • Launches sc.exe
      PID:2744
    • C:\Windows\system32\sc.exe
      sc stop "KMSServerService"
      2⤵
      • Launches sc.exe
      PID:2756
    • C:\Windows\system32\sc.exe
      sc delete "KMSServerService"
      2⤵
      • Launches sc.exe
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads