| File name: | KMS Tools Portable 07.01.2018 by Ratiborus.zip |
| Full analysis: | https://app.any.run/tasks/4c0e0232-466a-4b64-b3ce-bf889220424b |
| Verdict: | Malicious activity |
| Analysis date: | May 07, 2024, 12:02:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | EF857004A4D36ABF19EFFD0AB6F7449E |
| SHA1: | 664E9B4975106638F5F82F8BD37C1B739B5A9F31 |
| SHA256: | 4F1630CA6660BF983E5E0DEA7462D808C3BA21AFA83A96894102456AF4589CF2 |
| SSDEEP: | 98304:q5eZjM6EpfJ92Lwlhg0Mpp7Y/kg5hlLqH9A8aFNUz7AEB3f/ZUw2xJfFGbgwRzUa:qqZrmG |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3988)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3988)
Reads the Internet Settings
- hh.exe (PID: 4032)
Reads Microsoft Outlook installation path
- hh.exe (PID: 4032)
Reads Internet Explorer settings
- hh.exe (PID: 4032)
Process drops legitimate windows executable
- WinRAR.exe (PID: 3988)
Starts a Microsoft application from unusual location
- signtool.exe (PID: 2104)
- signtool.exe (PID: 124)
INFO
Reads the machine GUID from the registry
- hh.exe (PID: 4032)
Create files in a temporary directory
- hh.exe (PID: 4032)
Reads security settings of Internet Explorer
- hh.exe (PID: 4032)
Checks proxy server information
- hh.exe (PID: 4032)
Creates files or folders in the user directory
- hh.exe (PID: 4032)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3988)
Checks supported languages
- signtool.exe (PID: 2104)
- signtool.exe (PID: 124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2018:01:11 09:23:42 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | KMS Tools Portable 07.01.2018 by Ratiborus/ |
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.22683\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.22683\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Authenticode(R) - signing and verifying tool Exit code: 1 Version: 4.00 (rs1_release_sec.170105-1850) Modules
| |||||||||||||||
| 2104 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Authenticode(R) - signing and verifying tool Exit code: 1 Version: 4.00 (rs1_release_sec.170105-1850) Modules
| |||||||||||||||
| 3988 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMS Tools Portable 07.01.2018 by Ratiborus.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4032 | "C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3988.20722\KMS Tools Portable.chm | C:\Windows\hh.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 806
Read events
4 773
Write events
33
Delete events
0
Modification events
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\KMS Tools Portable 07.01.2018 by Ratiborus.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
6
Suspicious files
4
Text files
47
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4032 | hh.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\_template[1].css | text | |
MD5:AB5BE7866083FC6233445F8AC51AB57C | SHA256:C0254BDDB7DAC7B1E7902A9A5313F2BCF9790113EEE8833E2AD01E377C6C79E0 | |||
| 4032 | hh.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\1[1].JPG | image | |
MD5:3BE7C960CC06F8FDF2D51EFC78058A51 | SHA256:4D6C5FC38B910D6338A26F5C27E7D924408FD1C1214B5D1249D37CEB0812F7DD | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\KMS Tools Portable.chm | chm | |
MD5:79FA459A8939F68326267E236EF342FE | SHA256:00736DFDA94398896A02D5209EC2F49D9D5C4F2929E31C0E1ED08F0A287D3C7F | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3988.20722\KMS Tools Portable.chm | binary | |
MD5:79FA459A8939F68326267E236EF342FE | SHA256:00736DFDA94398896A02D5209EC2F49D9D5C4F2929E31C0E1ED08F0A287D3C7F | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Lite Portable v1.3.5\readme_cn.txt | text | |
MD5:58AB0311B36306BE659362047FBD2249 | SHA256:B981C30548A9D3BEDD586AA3518AE2126E3125F7373C57A9894D490FC5E9E240 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Lite Portable v1.3.5\readme_en.txt | text | |
MD5:6980665B04D74BFBC6A515FE39AC13D5 | SHA256:3563CDEE2B96ACD16D4DC5A3D947C0985EEECFBC4164E849C0C51BBE0F9362AA | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Lite Portable v1.3.5\readme_bg.txt | text | |
MD5:3DC93E848E295C5DA960AEE29726DD40 | SHA256:D8DB82A473F618170FCFC254EE29BBE67FFF89FD74D660A21CBA6384E51AAF89 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Lite Portable v1.3.5\readme_ru.txt | text | |
MD5:8B2F052358BDDC1333C0D17EBA59BAC9 | SHA256:DA32B2769C632591D17CCD6B5C1B34A92AE5363765AD06EDEEE78A6833C8E328 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_cn.txt | text | |
MD5:331ABF76B15C262AB1062B2A4133EF1D | SHA256:563DF1A8135D7A95B83732402E5E7B9758ED087BE77713BE3FB3F16368A0E626 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_bg.txt | text | |
MD5:C55477D53DC34F0C75E62E9657C6A443 | SHA256:99D0EDB27FB925CED9CC874B9DFEE992922C793CB3DC2FF316C27FC5C2F95CB8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |