| File name: | KMS 360 Pro - Lite 4644.zip |
| Full analysis: | https://app.any.run/tasks/167ef720-4eab-4100-9344-3fd391431979 |
| Verdict: | Malicious activity |
| Analysis date: | January 13, 2024, 18:37:18 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 91BED3FE7733CE6130C793E781436349 |
| SHA1: | CDBEF8F148837DF1CB726855CBE96CB640CB0235 |
| SHA256: | 359C0A07CA150AF16D77689EE616DDFF928100929010554E7614D56956339048 |
| SSDEEP: | 98304:IYlbMYRVmJmSt3MnqYt9rFzZe389VKGvvZuJ3GL61ieKryooR7KWfWELEwaFoSHh:xu03SeG7uKYasc+ |
MALICIOUS
Starts Visual C# compiler
- KMS 360 Pro - Lite.exe (PID: 1780)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1356)
- csc.exe (PID: 1540)
SUSPICIOUS
Uses .NET C# to load dll
- KMS 360 Pro - Lite.exe (PID: 1780)
Executable content was dropped or overwritten
- csc.exe (PID: 1540)
Reads the Internet Settings
- WMIC.exe (PID: 1748)
Uses WMIC.EXE to obtain Windows Installer data
- cmd.exe (PID: 2248)
Starts CMD.EXE for commands execution
- KMS 360 Pro - Lite.exe (PID: 1780)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1356)
Reads the computer name
- KMS 360 Pro - Lite.exe (PID: 1780)
Checks supported languages
- KMS 360 Pro - Lite.exe (PID: 1780)
- csc.exe (PID: 1540)
- cvtres.exe (PID: 2304)
Manual execution by a user
- KMS 360 Pro - Lite.exe (PID: 1780)
Reads the machine GUID from the registry
- KMS 360 Pro - Lite.exe (PID: 1780)
- csc.exe (PID: 1540)
- cvtres.exe (PID: 2304)
Create files in a temporary directory
- KMS 360 Pro - Lite.exe (PID: 1780)
- csc.exe (PID: 1540)
- cvtres.exe (PID: 2304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:04:30 18:27:32 |
| ZipCRC: | 0x43552554 |
| ZipCompressedSize: | 7626265 |
| ZipUncompressedSize: | 14777856 |
| ZipFileName: | KMS 360 Pro - Lite.exe |
Total processes
46
Monitored processes
6
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1356 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMS 360 Pro - Lite 4644.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1540 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xuhjgumg.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | KMS 360 Pro - Lite.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 1748 | WMIC /NAMESPACE:\\root\CIMV2 PATH SoftwareLicensingProduct WHERE "name like '%Windows%' and PartialProductKey IS NOT NULL" Get Name,LicenseStatus,Description /format:list | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1780 | "C:\Users\admin\Desktop\KMS 360 Pro - Lite.exe" | C:\Users\admin\Desktop\KMS 360 Pro - Lite.exe | explorer.exe | ||||||||||||
User: admin Company: Il Webmaster 21 Integrity Level: HIGH Description: KMS 360 Pro - Lite Exit code: 0 Version: 4.6.4.4 Modules
| |||||||||||||||
| 2248 | "cmd.exe" /c WMIC /NAMESPACE:\\root\CIMV2 PATH SoftwareLicensingProduct WHERE "name like '%Windows%' and PartialProductKey IS NOT NULL" Get Name,LicenseStatus,Description /format:list | C:\Windows\System32\cmd.exe | — | KMS 360 Pro - Lite.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2304 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5A61.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5A60.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
Total events
1 537
Read events
1 528
Write events
9
Delete events
0
Modification events
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1356) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
2
Suspicious files
2
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2304 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES5A61.tmp | binary | |
MD5:D82229954BBCF4B18A636A3622C841BE | SHA256:E9C8DBD577BCD4B7D26A18633CFD33924CF63DBB02885957DBF9EAABD34EB104 | |||
| 1356 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.4686\KMS 360 Pro - Lite.exe | executable | |
MD5:1D7143E2AE489AFB9D202B74F0FC4789 | SHA256:8FFE406C3684C9C41F31CF4AE6E337A4634549520E9CF18756F6B66372665889 | |||
| 1780 | KMS 360 Pro - Lite.exe | C:\Users\admin\AppData\Local\Temp\xuhjgumg.cmdline | text | |
MD5:67F67975D500CB78232CCDDFF585A26F | SHA256:745F72D9AB87657FFBA576A71ADFA95DA9033B79D3A9AE2366232B56378DCCCF | |||
| 1540 | csc.exe | C:\Users\admin\AppData\Local\Temp\xuhjgumg.out | text | |
MD5:BDB1C1E6A2B56616654A4FB9513ED682 | SHA256:0655440EF93CF6B88DF69216F44B0284A846AE4DA47A35CD2A34A1F57DA5CBDE | |||
| 1540 | csc.exe | C:\Users\admin\AppData\Local\Temp\xuhjgumg.dll | executable | |
MD5:953D146B3E0C78C67593CE5DBB438593 | SHA256:BD0F0AA0E7E67F135FFC78E48178D84B1712CA2BB19C30F0FDD4E7B7364253A2 | |||
| 1780 | KMS 360 Pro - Lite.exe | C:\Users\admin\AppData\Local\Temp\xuhjgumg.0.cs | text | |
MD5:290CB594F3FDE6545A1D51CF82A42048 | SHA256:7BD4B4BD89BAB9BFA5F981BF4B666B1AE93FED3B0121EC9EF111FC02D9845EBE | |||
| 1540 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5A60.tmp | binary | |
MD5:BAAA75243A7D5C2A471C8AEE5EFAD79B | SHA256:3A542F472CB64C6B85707C3B16001BC510162ED77271648922A566F1A88F0F92 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
KMS 360 Pro - Lite.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
KMS 360 Pro - Lite.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
KMS 360 Pro - Lite.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
KMS 360 Pro - Lite.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
KMS 360 Pro - Lite.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
KMS 360 Pro - Lite.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
KMS 360 Pro - Lite.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
KMS 360 Pro - Lite.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
KMS 360 Pro - Lite.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
KMS 360 Pro - Lite.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|