Overview

overview

10

Static

static

9

KMSTools Lite.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    KMSTools Lite.exe

  • Size

    19.2MB

  • Sample

    241122-syrtcazjhn

  • MD5

    c3c5adf650d5cf05bd1b08590d62cf53

  • SHA1

    7781e1ecd78490ebaeb73314855efadff2bfeeed

  • SHA256

    ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861

  • SHA512

    79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249

  • SSDEEP

    393216:p0leyIB6YMU/OZ28Zrms74w4WKy7sI2MqJ6i9HDBt3EtuXKoR:p4K6YMU/OZThb7l46FqEQHDBt3EtuXK

Score
10/10
defense_evasiondiscoveryevasionexecutionprivilege_escalation

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/7983bac0-e531-40cf-be00-fd24fe66619c/Office/Data/16.0.17932.20162/i640.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/7983bac0-e531-40cf-be00-fd24fe66619c/Office/Data/16.0.17932.20162/i643082.cab

Targets

    • Target

      KMSTools Lite.exe

    • Size

      19.2MB

    • MD5

      c3c5adf650d5cf05bd1b08590d62cf53

    • SHA1

      7781e1ecd78490ebaeb73314855efadff2bfeeed

    • SHA256

      ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861

    • SHA512

      79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249

    • SSDEEP

      393216:p0leyIB6YMU/OZ28Zrms74w4WKy7sI2MqJ6i9HDBt3EtuXKoR:p4K6YMU/OZThb7l46FqEQHDBt3EtuXK

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionprivilege_escalation

    • Blocklisted process makes network request

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops desktop.ini file(s)

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

1
T1562

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks