| File name: | kms.exe |
| Full analysis: | https://app.any.run/tasks/6aaae4f5-b8c6-43ee-9a58-3bdb4bef0bd5 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 28, 2024, 17:58:34 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 19 sections |
| MD5: | 9FE3ACDA06AB3679BADF59723CFFBAB9 |
| SHA1: | 23F0F5D52339344557AAA3B3B7301057E89276C6 |
| SHA256: | 8A032071C4CF1395D4753296A9591590E68E89E32105B4DECCF737B17B6D64CD |
| SSDEEP: | 384:w/JQz/o8wwNSKhXG4QchYsvwV3GKeGKPPPPXLTKpf64M4fCSwFn5PpQ/YDi2WA:ij1sXGcYKKxVpCAqr5PpQ/YDhWA |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 6044)
- powershell.exe (PID: 6736)
- powershell.exe (PID: 5828)
- powershell.exe (PID: 3836)
Changes powershell execution policy (Bypass)
- kms.exe (PID: 1112)
- powershell.exe (PID: 6044)
XORed URL has been found (YARA)
- kms.exe (PID: 1112)
Starts NET.EXE for service management
- net.exe (PID: 7120)
- net.exe (PID: 1700)
- powershell.exe (PID: 5828)
Uses NET.EXE to stop Windows Update service
- net.exe (PID: 7120)
- powershell.exe (PID: 5828)
SUSPICIOUS
Possibly malicious use of IEX has been detected
- kms.exe (PID: 1112)
- powershell.exe (PID: 6044)
The process bypasses the loading of PowerShell profile settings
- kms.exe (PID: 1112)
- powershell.exe (PID: 6044)
Starts POWERSHELL.EXE for commands execution
- kms.exe (PID: 1112)
- powershell.exe (PID: 6044)
Application launched itself
- powershell.exe (PID: 6044)
The process executes VB scripts
- powershell.exe (PID: 6736)
Executable content was dropped or overwritten
- powershell.exe (PID: 3836)
Modifies existing scheduled task
- schtasks.exe (PID: 4348)
- schtasks.exe (PID: 5084)
Uses REG/REGEDIT.EXE to modify registry
- powershell.exe (PID: 5828)
Uses WEVTUTIL.EXE to cleanup log
- powershell.exe (PID: 5828)
Connects to unusual port
- SppExtComObj.Exe (PID: 1712)
Starts SC.EXE for service management
- powershell.exe (PID: 5828)
Uses powercfg.exe to modify the power settings
- powershell.exe (PID: 5828)
INFO
Checks supported languages
- kms.exe (PID: 1112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:10:08 02:59:32+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 2.42 |
| CodeSize: | 10240 |
| InitializedDataSize: | 22528 |
| UninitializedDataSize: | 512 |
| EntryPoint: | 0x10f6 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
Total processes
178
Monitored processes
51
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 512 | "C:\WINDOWS\system32\reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | "C:\WINDOWS\system32\cscript.exe" C:\WINDOWS\system32\slmgr.vbs /ato | C:\Windows\System32\cscript.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 624 | "C:\WINDOWS\system32\bcdedit.exe" /set nointegritychecks on | C:\Windows\System32\bcdedit.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 764 | "C:\WINDOWS\system32\cscript.exe" C:\WINDOWS\system32\slmgr.vbs /skms kms8.msguides.com | C:\Windows\System32\cscript.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 1112 | "C:\Users\admin\Desktop\kms.exe" | C:\Users\admin\Desktop\kms.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1700 | "C:\WINDOWS\system32\net.exe" stop WaaSMedicSvc | C:\Windows\System32\net.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1712 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | svchost.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2272 | "C:\WINDOWS\system32\reg.exe" add HKLM\System\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2464 | "C:\WINDOWS\system32\sc.exe" config WaaSMedicSvc start= disabled | C:\Windows\System32\sc.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3276 | C:\WINDOWS\system32\net1 stop WaaSMedicSvc | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
31 627
Read events
31 604
Write events
17
Delete events
6
Modification events
| (PID) Process: | (6044) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | OneDrive |
Value: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background | |||
| (PID) Process: | (6044) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A |
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start | |||
| (PID) Process: | (6044) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Skype for Desktop |
Value: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | |||
| (PID) Process: | (6044) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | CCleaner Smart Cleaning |
Value: "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR | |||
| (PID) Process: | (6044) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | SoundMan |
Value: SOUNDMAN.EXE | |||
| (PID) Process: | (6044) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | SunJavaUpdateSched |
Value: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | |||
| (PID) Process: | (624) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{7bcdbaa8-85a9-11eb-90a8-9a9b76358421}\Elements\16000048 |
| Operation: | write | Name: | Element |
Value: 01 | |||
| (PID) Process: | (6284) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations |
| Operation: | write | Name: | LowRiskFileTypes |
Value: .exe | |||
| (PID) Process: | (512) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | ValidateAdminCodeSignatures |
Value: 0 | |||
| (PID) Process: | (3848) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection |
| Operation: | write | Name: | AllowTelemetry |
Value: 0 | |||
Executable files
1
Suspicious files
1
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fe1s4pik.1io.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5828 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4p0nsbsj.dq5.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6044 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:FD2FF614BBD296DB656E81D6693F4B59 | SHA256:B88225191506F67081C9A8BB444138AE8C29177E9494DAE2C5B70C6291D9698B | |||
| 6044 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1i1pswim.uis.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6736 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y5fwotyn.sog.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6044 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pgn5fqxg.sne.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5eyrov5v.sim.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6736 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bs12hbbr.oz5.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3836 | powershell.exe | C:\Windows\System32\spoolsvLegacy.exe | executable | |
MD5:250EB135085C2FBC8A669EB3B7704C79 | SHA256:5ADDA9D38D16BA87F9B32AE24C910546E94C5887E612BBAD0E2E0E88E5656188 | |||
| 5828 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4e4zr4e3.kf3.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
29
DNS requests
9
Threats
17
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1752 | RUXIMICS.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1752 | RUXIMICS.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.91.76.224:443 | https://validation-v2.sls.microsoft.com/SLWGA/slwga.asmx | unknown | xml | 52.4 Kb | whitelisted |
— | — | GET | 200 | 35.173.69.207:443 | https://myfirstprojectpython03.pythonanywhere.com/static/c.png | unknown | text | 3.53 Kb | whitelisted |
— | — | GET | 200 | 35.173.69.207:443 | https://myfirstprojectpython03.pythonanywhere.com/static/a.png | unknown | text | 1.67 Kb | whitelisted |
— | — | GET | 200 | 35.173.69.207:443 | https://myfirstprojectpython03.pythonanywhere.com/static/b.png | unknown | text | 2.97 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1752 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1752 | RUXIMICS.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6944 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
myfirstprojectpython03.pythonanywhere.com |
| whitelisted |
kms8.msguides.com |
| unknown |
validation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Observed HTTP Request to *.pythonanywhere .com Domain |
— | — | Potentially Bad Traffic | ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers |
— | — | Misc activity | ET INFO Observed HTTP Request to *.pythonanywhere .com Domain |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Observed HTTP Request to *.pythonanywhere .com Domain |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Observed HTTP Request to *.pythonanywhere .com Domain |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
1 ETPRO signatures available at the full report