| File name: | KMS Tools Portable 07.01.2018 by Ratiborus.zip |
| Full analysis: | https://app.any.run/tasks/4c0e0232-466a-4b64-b3ce-bf889220424b |
| Verdict: | Malicious activity |
| Analysis date: | May 07, 2024, 12:02:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | EF857004A4D36ABF19EFFD0AB6F7449E |
| SHA1: | 664E9B4975106638F5F82F8BD37C1B739B5A9F31 |
| SHA256: | 4F1630CA6660BF983E5E0DEA7462D808C3BA21AFA83A96894102456AF4589CF2 |
| SSDEEP: | 98304:q5eZjM6EpfJ92Lwlhg0Mpp7Y/kg5hlLqH9A8aFNUz7AEB3f/ZUw2xJfFGbgwRzUa:qqZrmG |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3988)
SUSPICIOUS
Reads the Internet Settings
- hh.exe (PID: 4032)
Reads Microsoft Outlook installation path
- hh.exe (PID: 4032)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3988)
Reads Internet Explorer settings
- hh.exe (PID: 4032)
Process drops legitimate windows executable
- WinRAR.exe (PID: 3988)
Starts a Microsoft application from unusual location
- signtool.exe (PID: 2104)
- signtool.exe (PID: 124)
INFO
Create files in a temporary directory
- hh.exe (PID: 4032)
Reads the machine GUID from the registry
- hh.exe (PID: 4032)
Checks proxy server information
- hh.exe (PID: 4032)
Creates files or folders in the user directory
- hh.exe (PID: 4032)
Reads security settings of Internet Explorer
- hh.exe (PID: 4032)
Checks supported languages
- signtool.exe (PID: 2104)
- signtool.exe (PID: 124)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2018:01:11 09:23:42 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | KMS Tools Portable 07.01.2018 by Ratiborus/ |
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.22683\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.22683\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Authenticode(R) - signing and verifying tool Exit code: 1 Version: 4.00 (rs1_release_sec.170105-1850) Modules
| |||||||||||||||
| 2104 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\signtool.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Authenticode(R) - signing and verifying tool Exit code: 1 Version: 4.00 (rs1_release_sec.170105-1850) Modules
| |||||||||||||||
| 3988 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMS Tools Portable 07.01.2018 by Ratiborus.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4032 | "C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3988.20722\KMS Tools Portable.chm | C:\Windows\hh.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 806
Read events
4 773
Write events
33
Delete events
0
Modification events
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\KMS Tools Portable 07.01.2018 by Ratiborus.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
6
Suspicious files
4
Text files
47
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\readme.txt | text | |
MD5:A34225F6332CDA74648EB7A128DF4321 | SHA256:4E1926DB70B761898ABE366033AFB81FC7A6BBEC66153117A2B4E340B67F5B5E | |||
| 4032 | hh.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\_template[1].css | text | |
MD5:AB5BE7866083FC6233445F8AC51AB57C | SHA256:C0254BDDB7DAC7B1E7902A9A5313F2BCF9790113EEE8833E2AD01E377C6C79E0 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_en.txt | text | |
MD5:D3CB6D4222275D20965FADAF211B6F7B | SHA256:0B92CCD1EBE970BE36D35DC5B4E4887DAD4CC77A1AA6544AB735884C17478BB5 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Lite Portable v1.3.5\readme_ru.txt | text | |
MD5:8B2F052358BDDC1333C0D17EBA59BAC9 | SHA256:DA32B2769C632591D17CCD6B5C1B34A92AE5363765AD06EDEEE78A6833C8E328 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_ua.txt | text | |
MD5:853F6D7D56D1553AC885EEBC29F12250 | SHA256:EEC7E2B2086874AECBCD0A9235DF0CBDBCCC2EF2BB206443E6FECF47330ACDB1 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_bg.txt | text | |
MD5:C55477D53DC34F0C75E62E9657C6A443 | SHA256:99D0EDB27FB925CED9CC874B9DFEE992922C793CB3DC2FF316C27FC5C2F95CB8 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_fr.txt | text | |
MD5:6BDE29D200D4A7A9A704F49F73207C7D | SHA256:250973C8879BB759AAC7F31582FFFB00414BFC5449FE4979F2A2B44EC4664D70 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_kms.txt | text | |
MD5:352709B6AED3902D4399F6615A7A7E70 | SHA256:D3BEF0FEF19603B33B86E1CA431A25CB8A6DF047058E073BBF8BB931533217AA | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_ru.txt | text | |
MD5:B80B5C0627B4107CC858F8653969A766 | SHA256:B9FB6228A9EFDCD0CEF968B921C1A8E98435078AE5D63E66FE6C1F0B10101668 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.21106\KMS Tools Portable 07.01.2018 by Ratiborus\Programs\KMSAuto Net 2016 v1.5.3 Portable\readme\readme_es.txt | text | |
MD5:A509B07A4DD2B8C071E603317BA56063 | SHA256:7474EEBB4B6F28F8C93F86FB684CB27BE73BAA448919531D331CAF2F137759CE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |