35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
Size

17.1MB
MD5

fa0e322603aaf81e5fa0a87eb1c09709
SHA1

06c4419a8d992ca2c5e0b082cb7b8884aedc7135
SHA256

fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7
SHA512

258082e619cb8ea13f97de4438eb2bbd98ab04bb744e7b3ae40eaa311feceba80d9110ec9f42c1867bc7d3c2d7baf296fac1b03cf9d38db17c4a83d753cc62c1
SSDEEP

393216:8YGbY6iHonlQCe88BGAOvDPuyyjIIn98BP7ZrsBSrOi83t:87Y2CCeSupnQsBFt

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe

Executes dropped EXE 1 IoCs

pid	Process
5396	AActtive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMSAuto-AActtive-API = "C:\\ProgramData\\KMSAuto\\AActtive.exe"	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5312	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
Token: SeDebugPrivilege	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
Token: SeDebugPrivilege	5396	AActtive.exe
Token: SeDebugPrivilege	5396	AActtive.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 3480	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe	95
PID 460 wrote to memory of 3480	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe	95
PID 460 wrote to memory of 5396	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe	97
PID 460 wrote to memory of 5396	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe	97
PID 460 wrote to memory of 5456	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe	98
PID 460 wrote to memory of 5456	460	fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe	98
PID 5456 wrote to memory of 5312	5456	cmd.exe	100
PID 5456 wrote to memory of 5312	5456	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe
"C:\Users\Admin\AppData\Local\Temp\fc3b729bc6897f8c971ac81084f74f2ea976b7854afae826afefb1a34629bbf7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn KMSAuto-AActtive-API /tr "C:\ProgramData\KMSAuto\AActtive.exe" /st 06:46 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3480
- C:\ProgramData\KMSAuto\AActtive.exe
  "C:\ProgramData\KMSAuto\AActtive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3E3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5456
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\AActtive.exe

Filesize
17.7MB

MD5
f7af83ca864995e9e8e78be5612b3bf7

SHA1
28cf1ae7dcc5763db1cd4b42be7e53d724d8bf45

SHA256
357503a706755c7ec7009c9a1ca754efc39edcfb54010cd6f0949347dca5a5a1

SHA512
46130a47c30e3cc1231720677f4fb0956ad9fc84eac83547bbf349388f480e7025bc1ba4c04809bd9b43506a9498f6f7956ba3e1f8eaa373b265180de9df989c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E3.tmp.bat

Filesize
215B

MD5
4dde33b0bc1b92a783b1c87ec79efd10

SHA1
0037421be0d539e0b84970430a69384eb790f116

SHA256
debb670977fb7a6de7ed67bec6ef4c8d4740a5bf0216037c1d5fe9ab5853b60a

SHA512
86a273a78c3d83bf96dabcc87eb4668a213f46e4cdf7e288f2731e37e30bc0cdbf56451ee604efbbf02f44ee90b2206d772731c022c421159534c9a2849478e9

Download Submit
memory/460-3-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/460-0-0x00007FF910C73000-0x00007FF910C75000-memory.dmp

Filesize
8KB

Download
memory/460-4-0x00007FF910C73000-0x00007FF910C75000-memory.dmp

Filesize
8KB

Download
memory/460-5-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/460-2-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/460-18-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/460-1-0x00000000007D0000-0x0000000000812000-memory.dmp

Filesize
264KB

Download
memory/5396-17-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/5396-19-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/5396-21-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/5396-22-0x00007FF910C70000-0x00007FF911731000-memory.dmp

Filesize
10.8MB

Download
memory/5396-23-0x000000001C500000-0x000000001C602000-memory.dmp

Filesize
1.0MB

Download