Overview

overview

10

Static

static

9

KMS Tools ...on.cmd

windows10-ltsc 2021-x64

8

KMS Tools ...le.chm

windows10-ltsc 2021-x64

1

KMS Tools ...te.exe

windows10-ltsc 2021-x64

10

KMS Tools ...a0.exe

windows10-ltsc 2021-x64

3

KMS Tools ...a1.exe

windows10-ltsc 2021-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    KMSTools.zip

  • Size

    235.9MB

  • Sample

    241228-1sw5watjgl

  • MD5

    1cad8011c9780a23057803fcfb782b13

  • SHA1

    bec3141cbb57511ac672c08a1ecf12caa423ee2f

  • SHA256

    fd82570ab9005bb8112794a80707da320118e73d6b686df67ca40b0acd082af4

  • SHA512

    e691b23980a4fc8429ca54a545e911817f4c4d0299d10481447e0a0fb8528fa6e2adb5e8b7109f0259440caaf951bced0b85fe3da2400bc4f99b245708d05e4b

  • SSDEEP

    6291456:0cmBT4vTZgx40SDqt7gzzoHuKBKdwDQgtB7s:oBEJ0Se7mfKmXgfs

Score
10/10
rmsdefense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationratthemidatrojan

Malware Config

Targets

    • Target

      KMS Tools Lite Portable/Add_Defender_Exclusion.cmd

    • Size

      1KB

    • MD5

      efb1737fb3e0a36a7eec9e7e19a03e94

    • SHA1

      821a211e5cbe22ee8f02e284b4ee469f482f26d3

    • SHA256

      e5373f2f8736fae03e915b72737aff496facb9460c211b91c21bb2d7a232d36b

    • SHA512

      1119b229e5a9b99579454c80de00185511fc3c2a727ceb4b82824e678c21e16488e37423d05e8e89de6799aab6ee713d3ba5e81b612b3d15d7cbd64d18a4baee

    Score
    8/10
    execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral1

    • Target

      KMS Tools Lite Portable/KMS Tools Portable.chm

    • Size

      645KB

    • MD5

      16498d20922a580ad81241d9cf7dcdf0

    • SHA1

      dc05b5089e993e85ee8e10b174a15f6bb03e2532

    • SHA256

      7fbcbf065ce1626694df8c443c377d0478cf32601fe74b0fd742fbcfb4f94a3f

    • SHA512

      5696b2c214311bc1e6f77ff77109d85fd15dbaf04b0ebbca67bcfb3fd054f85ee7c4dfde489dd2ae87a311f39a2fc14d9849ccaf4caeea7c03d88de5973594fa

    • SSDEEP

      12288:05sHaRh+WTUuOGNfLecMT1oDe68MCUPAQiAnmApgxGhh/meSiPAF7:05rtTUgtLmordPACnmggonRYt

    Score
    1/10
    behavioral2

    • Target

      KMS Tools Lite Portable/KMSTools Lite.exe

    • Size

      5.4MB

    • MD5

      db9c455f121b95bf2326ca1939dad9cf

    • SHA1

      6ea25badededb817ba6b18c830906cdbbaf04837

    • SHA256

      b8a7519e33c7e20dc3fe2383c7610e1610b9ffba438d2555c1f8b2114c094770

    • SHA512

      61200ea650659ed6e96431660056768f3024e012d5ed86e983ee04e424b550b4dc0bdbbb5e95c8d76d0202e1613842547b8149b650ca95b6a7e562a721568fb1

    • SSDEEP

      98304:TZ5uVBk4qgixN8bt2iGsDEmQUz9pMXnyhMiigWHDnETbvzb4EHMuZ:TXCu0bt2iGqLQaonyh9i9HDnszbdZ

    Score
    10/10
    rmsdefense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationratthemidatrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Rms family

      rms

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3

    • Target

      KMS Tools Lite Portable/data0.bin

    • Size

      213.0MB

    • MD5

      9a179115f8f2771db1e41f8dd9512b7f

    • SHA1

      e80018af5e320557f621b35acb2ac25d2dd8ec8f

    • SHA256

      d6229fed007c774f52a8fad1bbbd184fc036440a786bec9e0a839565ba521c77

    • SHA512

      2143b716a144693d804bf9d7458c804f3bff3432d11f0815dcadc9664347dcd5dcb0b0b5790ec3b92061cd58f5ba5a4cc1ea7fa5174d4d8db8668441a6c74d5c

    • SSDEEP

      6291456:OorliqWI/KmbMNHNGwxODJu43vyO0pyDWJ5Dr:OotWMb4IwAkU0pyk5Dr

    Score
    3/10
    discovery
    behavioral4

    • Target

      KMS Tools Lite Portable/data1.bin

    • Size

      19.2MB

    • MD5

      c3c5adf650d5cf05bd1b08590d62cf53

    • SHA1

      7781e1ecd78490ebaeb73314855efadff2bfeeed

    • SHA256

      ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861

    • SHA512

      79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249

    • SSDEEP

      393216:p0leyIB6YMU/OZ28Zrms74w4WKy7sI2MqJ6i9HDBt3EtuXKoR:p4K6YMU/OZThb7l46FqEQHDBt3EtuXK

    Score
    3/10
    discovery
    behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks