83fd2015a5499a8c2703d91aa047d0f099b85e8aa5ef9f2643a4eda4144a8772

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
Size

21.8MB
MD5

53d77e893eadb542ec6ed0205edb0426
SHA1

9f64ea0034fb697f2e79bbc765744dc94d56f363
SHA256

10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409
SHA512

25e6c899034b2cb7c2e58025c88136e1f13e336dd6083031664687666bb64489c0309c26e1e0ebd86f1ffa3202d81ad3fb134be07074752bb05640201ca34cdc
SSDEEP

393216:8YGbY6iHonlQCe88BYdY3SHFPJXFODKSbT3DIfpTwmZf0of12Wmv2ZyX+vVAAc:87Y2CCe4dAmFOmSPMhpfTf15mv2ZyURc

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	AActtive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMSAuto-AActtive-API = "C:\\ProgramData\\KMSAuto\\AActtive.exe"	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3056	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
Token: SeDebugPrivilege	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
Token: SeDebugPrivilege	2756	AActtive.exe
Token: SeDebugPrivilege	2756	AActtive.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2616	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	30
PID 2316 wrote to memory of 2616	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	30
PID 2316 wrote to memory of 2616	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	30
PID 2316 wrote to memory of 2756	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	32
PID 2316 wrote to memory of 2756	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	32
PID 2316 wrote to memory of 2756	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	32
PID 2316 wrote to memory of 3044	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	33
PID 2316 wrote to memory of 3044	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	33
PID 2316 wrote to memory of 3044	2316	10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe	33
PID 3044 wrote to memory of 3056	3044	cmd.exe	35
PID 3044 wrote to memory of 3056	3044	cmd.exe	35
PID 3044 wrote to memory of 3056	3044	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe
"C:\Users\Admin\AppData\Local\Temp\10ebd229b72489e6960490381681c51b84b6a0430cfc5fd556edae41b0871409.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn KMSAuto-AActtive-API /tr "C:\ProgramData\KMSAuto\AActtive.exe" /st 08:03 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2616
- C:\ProgramData\KMSAuto\AActtive.exe
  "C:\ProgramData\KMSAuto\AActtive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA554.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\AActtive.exe

Filesize
22.4MB

MD5
54e72295c488da4d242d4f3e41538e53

SHA1
292aa829c57f09b8e74c661a068fb18c11504b38

SHA256
b9067932062a86a9efb2f3b48c95f4ed605793a28395558ddff848a20e84a81d

SHA512
8ca30795957b35ef37306f9ad886edda9eb3191de61cbf5ece3dc9fb42d88946700c706b394d1a0d351aa8de04677f7db412d7c2e290b33cf7bf71bf8bbcb577

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA554.tmp.bat

Filesize
216B

MD5
e24dbd3859499e27f6dff9818d47c1fa

SHA1
31fee3ea9cd5aaea1cb31c07c6eb1a65929ef41f

SHA256
c1a5675b456a64f83434efd014ada5bc675e3b701d23b3e426e46d5f4f9bffc5

SHA512
e59198b5096dbb283a356ed13ba824e4fa4ce1b3eda2ab53d4aa906e2edd65f080f8c695c1ab1a201be4c5af431fca7b9f9929ad4d8bb006a85d104aa1bda6ca

Download Submit
memory/2316-2-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2316-0-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

Filesize
4KB

Download
memory/2316-4-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

Filesize
4KB

Download
memory/2316-5-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-3-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-1-0x0000000000F70000-0x0000000000FB2000-memory.dmp

Filesize
264KB

Download
memory/2316-23-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-13-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/2756-15-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-14-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-25-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-26-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download