| File name: | 55.107mini-kms_activator_v1 2_office2010_vl_eng.rar |
| Full analysis: | https://app.any.run/tasks/9b6aa4b9-7ccf-400c-a9c0-f3655a080650 |
| Verdict: | Malicious activity |
| Analysis date: | May 06, 2019, 20:21:59 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v4, os: Win32 |
| MD5: | 41E21CD0F46F314319FD20D2CD5C344D |
| SHA1: | 9C8ADBD781C86879F92D90925E3D156E66D4FA3E |
| SHA256: | 7302967252193ADC141D3AFC8442741205B436E6C5AC1EA873628F10A5D77B7B |
| SSDEEP: | 24576:w97k84WP23716PXDtF5j14xrnvDb8Q5N3LpyhWh:ioWSsPD75h8nbIEUWh |
MALICIOUS
Application was dropped or rewritten from another process
- mini-kms_activator_v1 2_office2010_vl_eng.exe (PID: 1920)
- autorun.exe (PID: 3060)
- hs_message.exe (PID: 2052)
- PortQry.exe (PID: 2380)
- choice.exe (PID: 2972)
- instsrv.exe (PID: 2668)
- srvany.exe (PID: 2156)
- KMService.exe (PID: 324)
- cscript.exe (PID: 2712)
Starts NET.EXE for service management
- cmd.exe (PID: 2508)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1928)
- mini-kms_activator_v1 2_office2010_vl_eng.exe (PID: 1920)
- autorun.exe (PID: 3060)
- cmd.exe (PID: 2508)
Starts CMD.EXE for commands execution
- mini-kms_activator_v1 2_office2010_vl_eng.exe (PID: 1920)
- autorun.exe (PID: 3060)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 2508)
Creates files in the Windows directory
- cmd.exe (PID: 2508)
- rundll32.exe (PID: 2488)
Uses RUNDLL32.EXE to load library
- cmd.exe (PID: 2508)
Creates or modifies windows services
- rundll32.exe (PID: 2488)
Starts SC.EXE for service management
- cmd.exe (PID: 2508)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v-4.x) (58.3) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (41.6) |
EXIF
ZIP
| CompressedSize: | 1041896 |
|---|---|
| UncompressedSize: | 1057280 |
| OperatingSystem: | Win32 |
| ModifyDate: | 2015:04:12 15:42:00 |
| PackingMethod: | Normal |
| ArchivedFileName: | mini-kms_activator_v1 2_office2010_vl_eng.exe |
Total processes
59
Monitored processes
20
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 324 | C:\Windows\KMService.exe | C:\Windows\KMService.exe | — | srvany.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 900 | C:\Windows\system32\net1 start osppsvc | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1572 | cmd /c ""C:\Users\admin\AppData\Local\Temp\A342.tmp\Start.cmd" " | C:\Windows\system32\cmd.exe | — | mini-kms_activator_v1 2_office2010_vl_eng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1920 | "C:\Users\admin\Desktop\mini-kms_activator_v1 2_office2010_vl_eng.exe" | C:\Users\admin\Desktop\mini-kms_activator_v1 2_office2010_vl_eng.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1928 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\55.107mini-kms_activator_v1 2_office2010_vl_eng.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 2052 | HS_MESSAGE "Did you run the program as Administrator? " "Activation Tool" Q YESNO | C:\Users\admin\AppData\Local\Temp\A342.tmp\hs_message.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 6 Modules
| |||||||||||||||
| 2072 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\55.107mini-kms_activator_v1 2_office2010_vl_eng.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 2148 | findstr /i /r NOT.LISTENING | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2156 | C:\Windows\system32\srvany.exe | C:\Windows\system32\srvany.exe | — | services.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 2216 | sc start KMService | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 352
Read events
1 310
Write events
42
Delete events
0
Modification events
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1928) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1928) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\55.107mini-kms_activator_v1 2_office2010_vl_eng.rar | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2072) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
15
Suspicious files
0
Text files
16
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\Start.cmd | text | |
MD5:8C6446CD79A6A05491E1C7D7646E2336 | SHA256:54EAB1CAE4870171361CEE57FA6C07FDE95658BC3430F0098D23CD9497B2DA31 | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\hidcon.exe | executable | |
MD5:B2DADAB18C318443301D0087CD7200BA | SHA256:B88A4D442BCD94457FC75DC5A541DC3437FD01091A2B6500569C699260E65238 | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\ospprearm.exe | executable | |
MD5:7FFAE006610A85317FBB092A2D65D1A9 | SHA256:F10ACD6E32BC4D7CC74FEB9E84FEC18A77AEB2838EBF2AA7E3280BA1C7F3FCA2 | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\choice.exe | executable | |
MD5:A704D22D57B62553E27AD261276B0625 | SHA256:5632B9495ED595712EB7DFAD4E6D166A70B68FD3AF2F7D72BEFF57AF2385F7E6 | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\autorun.exe | executable | |
MD5:9F5DB165601843001DD313C6C2840DB9 | SHA256:17FE65695D275A85977B697FA98CE77A07C006E7744240EB7BBF365CE0BF9074 | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\hs_message.exe | executable | |
MD5:2B9C47FACB47D3C88E988ADBB91C2AFF | SHA256:F2020BD17B437FAB6224D108DE3BF19B98215043ECB2A7F9D02142289D8E8E50 | |||
| 3060 | autorun.exe | C:\Users\admin\AppData\Local\Temp\apmB479.tmp | — | |
MD5:— | SHA256:— | |||
| 3060 | autorun.exe | C:\Users\admin\AppData\Local\Temp\apmB47A.tmp | — | |
MD5:— | SHA256:— | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\PortQry.exe | executable | |
MD5:C6AC67F4076CA431ACC575912C194245 | SHA256:FB6CEBADD49D202C8C7B5CDD641BD16AAC8258429E8FACE365A94BD32E253B00 | |||
| 1920 | mini-kms_activator_v1 2_office2010_vl_eng.exe | C:\Users\admin\AppData\Local\Temp\A342.tmp\KMService.exe | executable | |
MD5:BCA43E19E7013331D99FF788EA6B42A0 | SHA256:B075602CF6BCB3284C44A640DAFFA49CC5AA8F469A20E4B242F2DDE85FCB4DBE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report