2b302085bd587fbe8e6717abde5d479ab07c0a00df31e9b6350ac011be2d8023

General

Target

c90b56abe43cb4a0d456142d3be959eb.exe
Size

30.1MB
MD5

c90b56abe43cb4a0d456142d3be959eb
SHA1

8caf6bca2436dd17f4c3742b11f156e909c2610c
SHA256

2b302085bd587fbe8e6717abde5d479ab07c0a00df31e9b6350ac011be2d8023
SHA512

ac5bd54286de64a3570c7ce5b40b2c1f0d75ca36ffe459be41a9bccdb63f710d35ee1770b1c129e74e33385d8dd584b9a010b92152280389179c214d30c5deaf
SSDEEP

786432:KgCUk385ogiNaAU1ey0uLoCiq2465CLSBpuMM3NZCdKCKkYCG:K5Uks5XvFL0u0Rq2465aSBId3bCqn

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	KMSINS~1.EXE

Executes dropped EXE 4 IoCs

pid	Process
3756	KMSINS~1.EXE
3088	KMSNAN~1.EXE
3256	KMSNAN~1.tmp
4064	TriggerKMS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c90b56abe43cb4a0d456142d3be959eb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\KMSnano\is-34DDD.tmp	KMSNAN~1.tmp
File opened for modification	C:\Program Files\KMSnano\KMSnano.exe	KMSNAN~1.tmp
File created	C:\Program Files\KMSnano\is-MQT8G.tmp	KMSNAN~1.tmp
File opened for modification	C:\Program Files\KMSnano\TriggerKMS.exe	KMSNAN~1.tmp
File created	C:\Program Files\KMSnano\is-EK9E5.tmp	KMSNAN~1.tmp
File opened for modification	C:\Program Files\KMSnano\unins000.dat	KMSNAN~1.tmp
File created	C:\Program Files\KMSnano\unins000.dat	KMSNAN~1.tmp
File created	C:\Program Files\KMSnano\is-T1G6L.tmp	KMSNAN~1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1500	3756	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSNAN~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSNAN~1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c90b56abe43cb4a0d456142d3be959eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSINS~1.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2740	ipconfig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3256	KMSNAN~1.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3756	KMSINS~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 3756	3308	c90b56abe43cb4a0d456142d3be959eb.exe	88
PID 3308 wrote to memory of 3756	3308	c90b56abe43cb4a0d456142d3be959eb.exe	88
PID 3308 wrote to memory of 3756	3308	c90b56abe43cb4a0d456142d3be959eb.exe	88
PID 3756 wrote to memory of 2740	3756	KMSINS~1.EXE	93
PID 3756 wrote to memory of 2740	3756	KMSINS~1.EXE	93
PID 3756 wrote to memory of 2740	3756	KMSINS~1.EXE	93
PID 3308 wrote to memory of 3088	3308	c90b56abe43cb4a0d456142d3be959eb.exe	98
PID 3308 wrote to memory of 3088	3308	c90b56abe43cb4a0d456142d3be959eb.exe	98
PID 3308 wrote to memory of 3088	3308	c90b56abe43cb4a0d456142d3be959eb.exe	98
PID 3088 wrote to memory of 3256	3088	KMSNAN~1.EXE	99
PID 3088 wrote to memory of 3256	3088	KMSNAN~1.EXE	99
PID 3088 wrote to memory of 3256	3088	KMSNAN~1.EXE	99
PID 3256 wrote to memory of 4064	3256	KMSNAN~1.tmp	104
PID 3256 wrote to memory of 4064	3256	KMSNAN~1.tmp	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c90b56abe43cb4a0d456142d3be959eb.exe
"C:\Users\Admin\AppData\Local\Temp\c90b56abe43cb4a0d456142d3be959eb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSINS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSINS~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1272
    3⤵
    - Program crash
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSNAN~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSNAN~1.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\is-DGLCT.tmp\KMSNAN~1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DGLCT.tmp\KMSNAN~1.tmp" /SL5="$B0060,31415440,419840,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSNAN~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Program Files\KMSnano\TriggerKMS.exe
      "C:\Program Files\KMSnano\TriggerKMS.exe" 31 KMSnano.exe /install /battery
      4⤵
      Executes dropped EXE
      PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3756 -ip 3756
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\KMSnano\KMSnano.exe

Filesize
29.5MB

MD5
a74f7344da8bf7268dae85d31d8ed96e

SHA1
626268da585a189c31afdb733a24b3182428e4b6

SHA256
75e18021c22b16708d0434960e923fbe70103e16a1f5af73af3aa9cff923eeb3

SHA512
f3ff247c84a5ccf1ffbfdf80d76595be3ea62d550d623cb25793957ddb9053fc9f099b20b2b0eb0e71db71730eef60eff03a19a6d75c67833f05fd57599c0f01

Download Submit
C:\Program Files\KMSnano\TriggerKMS.exe

Filesize
53KB

MD5
29b81898034ef7692a242e49310e0411

SHA1
dea3963376169acf0ae8aaaf33aa02d7c2a54a62

SHA256
71bf677490e022e71a7c37b0a5d575de344b5fc015371533ecb913db161ce7bc

SHA512
821ff3715fecba1eca24049bc06daee5b7be62d49e75f322e129f71e11d338ba5c9218a5d7d9a1895f83a55e0b7c362afe258de9818e1b75d193b20dc3b395a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSINS~1.EXE

Filesize
549KB

MD5
244b3796cfe11a2ba7d04dc560486bab

SHA1
dc6eec0a8b7983b20a8b5e684790e1d2c4743fc2

SHA256
c42d53e10202b005e178984eee8e55a93cf595101ee019e582b2ae67475fdb04

SHA512
a734284bb73b6450feaa1c064f825a375fe0e06f391d8d90d67772c920e14571ca8deb81e32a3d6a9a6e8b0a715f2ce001a82f4cd95c846dae40a523043e1de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KMSNAN~1.EXE

Filesize
30.3MB

MD5
9cb8d56bc4d5e41ce323d068252e7dbf

SHA1
79cedf531c38cb51fdc9745bbcb60dc320ab8c57

SHA256
b91e1c2a1c648f0c2d71dbe15f32d71eadc125c57abaa671fe5a5f6ea5354efd

SHA512
501d228360fd822bf0e58ddd95f968de935a7a01d406c790c7473943ba716bbf60d3149b2abd4efd30e756125750ef9337d91120f396c076d4632d3467b0bbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DGLCT.tmp\KMSNAN~1.tmp

Filesize
1.0MB

MD5
482476f3383a56937be472dbba765a41

SHA1
647e623f8186759c4ab92e08e18ae985f5f5d88a

SHA256
16de5d3fbaf18c39bc1e082de955c2c23285bbfbd24105f94825e8b751ecd60c

SHA512
70bb2fee6cf068166a90b97de6eec22b5571748d9f8b36ae0dc0bbcfbdf30f787d72da854d6cb8b712508af6482156e376d3a2a68df165493ea051122db5fa3f

Download Submit
memory/3088-27-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3088-16-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3088-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3256-28-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3256-30-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3256-62-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3256-66-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3756-12-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3756-11-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3756-10-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3756-9-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/4064-59-0x0000000000060000-0x0000000000074000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads