Analysis
-
max time kernel
59s -
max time network
58s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 19:52
General
-
Target
c39e5e577360a09a924844399e1953fb.exe
-
Size
17.7MB
-
MD5
c39e5e577360a09a924844399e1953fb
-
SHA1
cfcede39f7afad0df9473c8cd9d328db72dbd90b
-
SHA256
e8955e77203db68470ff9461e2faf9deed3df0c3fab1b0fd5d4c8a6595f5c72c
-
SHA512
78b865dbbefafce9a9948a14e2013c3650d028d87e3ed4b2a5d4281687c826b3cd8044274c0e54853f6b48533ac07af3065c6ad34b629c22587f26ad5aee35c7
-
SSDEEP
393216:8YGbY6iHonlQCe88BYdY3SHFPJXFODKSblmY+:87Y2CCe4dAmFOmSJm9
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c39e5e577360a09a924844399e1953fb.exe"C:\Users\Admin\AppData\Local\Temp\c39e5e577360a09a924844399e1953fb.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks.exe" /create /tn KMSAuto-AActtive-API /tr "C:\ProgramData\KMSAuto\AActtive.exe" /st 19:58 /du 23:59 /sc daily /ri 1 /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\ProgramData\KMSAuto\AActtive.exe"C:\ProgramData\KMSAuto\AActtive.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2175.tmp.bat""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 63⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18.4MB
MD5247b46be8d2ef44c1a0c5474b90e1cf6
SHA148dcba87b1d2f3daada9d8bca964d7680cd7f60e
SHA2565e169fd02fdc74c097576fa99c90b38496cfe073ea8e8ffa7c7784f24df6c5d6
SHA5124c0e1f72f15becbaf79f5c1b800380fa5b72044a3b4f8340176b14ef8c5079b35aa326951e6147e8c6d76550df2b63b3b23e749bdf9b370ddc45608aaf278b06
-
Filesize
184B
MD5f0df801d6204f6015f85229e39362ba2
SHA1f1e7a3740756852f9fee585dc105138353e0d319
SHA2567db647334c3d9bbd3a7c37c65a15fd7f43e92b47b9340b08ff591bb47db8a05c
SHA5126011d05c807b57da470c787f432608154ef2b4fd25460b1decaa4b46862870e4fcf691caa28fce9ea86d150ea7974c63eeb5447b30b07b4039da1ff246382c8a
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
264KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
264KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB