| File name: | KMSCleaner.exe |
| Full analysis: | https://app.any.run/tasks/f6c780a6-11aa-4fd8-b2de-2545b60bb740 |
| Verdict: | Malicious activity |
| Analysis date: | October 05, 2023, 16:43:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 13EA767A7BA607744EBEA7409B9F8649 |
| SHA1: | 756B3B1B4FD159256AF48C9C295EBF4A25ADFC21 |
| SHA256: | A6E2CDC0E9426D50BD72D866BFC80E0FBA941EFB3AE6D1C564D409F57D1EB117 |
| SSDEEP: | 12288:VeVpN/j8LwayN3nQ8+T9VToBjW5NQK8D:Vo2wayN3nkT9B0W5Sf |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 3236)
- cmd.exe (PID: 3136)
- cmd.exe (PID: 1736)
- cmd.exe (PID: 2424)
- cmd.exe (PID: 2984)
- cmd.exe (PID: 3472)
Drops the executable file immediately after the start
- KMSCleaner.exe (PID: 3812)
- wzt.dat (PID: 2100)
Application was dropped or rewritten from another process
- wzt.dat (PID: 2100)
- certmgr.exe (PID: 2504)
- certmgr.exe (PID: 3496)
SUSPICIOUS
Uses TASKKILL.EXE to kill process
- KMSCleaner.exe (PID: 3812)
Starts CMD.EXE for commands execution
- KMSCleaner.exe (PID: 3812)
Starts SC.EXE for service management
- cmd.exe (PID: 1488)
- cmd.exe (PID: 2416)
- KMSCleaner.exe (PID: 3812)
- cmd.exe (PID: 2148)
- cmd.exe (PID: 3840)
Drops 7-zip archiver for unpacking
- KMSCleaner.exe (PID: 3812)
Starts application with an unusual extension
- cmd.exe (PID: 3288)
Process drops legitimate windows executable
- wzt.dat (PID: 2100)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 1796)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 1796)
Checks supported languages
- wmpnscfg.exe (PID: 1796)
- KMSCleaner.exe (PID: 3812)
- wzt.dat (PID: 2100)
- certmgr.exe (PID: 3496)
- certmgr.exe (PID: 2504)
Reads Environment values
- KMSCleaner.exe (PID: 3812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (36.1) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (26.2) |
| .exe | | | Win64 Executable (generic) (23.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.5) |
| .exe | | | Win32 Executable (generic) (3.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2015:11:12 20:40:52+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.5 |
| CodeSize: | 265728 |
| InitializedDataSize: | 327680 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1000 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
104
Monitored processes
54
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 592 | "taskkill.exe" /t /f /IM KMSSS.exe | C:\Windows\System32\taskkill.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 980 | "taskkill.exe" /t /f /IM FakeClient.exe | C:\Windows\System32\taskkill.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1192 | schtasks.exe /query /FO LIST /TN Helper | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1432 | "taskkill.exe" /t /f /IM FakeClient2.exe | C:\Windows\System32\taskkill.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1464 | "taskkill.exe" /t /f /IM FakeClient.exe | C:\Windows\System32\taskkill.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1488 | "C:\Windows\System32\cmd.exe" /D /c sc.exe stop KMSEmulator | C:\Windows\System32\cmd.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1060 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1488 | "taskkill.exe" /t /f /IM "O16Install.exe" | C:\Windows\System32\taskkill.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1556 | "C:\Windows\System32\cmd.exe" /D /c certmgr.exe -del -c -n wzt -s -r localMachine ROOT | C:\Windows\System32\cmd.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 4294967295 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1592 | "sc.exe" delete WinDivert1.1 | C:\Windows\System32\sc.exe | — | KMSCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1620 | schtasks.exe /query /FO LIST /TN KMSAutoNet | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 580
Read events
3 577
Write events
0
Delete events
3
Modification events
| (PID) Process: | (1796) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C082B23F-52D5-4E00-AA3A-C6159BBBEBD0}\{D02A0711-5151-4132-9900-9307B5EB7C2A} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1796) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C082B23F-52D5-4E00-AA3A-C6159BBBEBD0} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1796) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{2C99786A-D41B-4CCC-9478-259E61B83B20} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2100 | wzt.dat | C:\Windows\Temp\wzt\certmgr.exe | executable | |
MD5:9D4F1124B2D870583268D19317D564AE | SHA256:EBAD2237B3E7CDF65385CCCE5099E82C7EC5080E737C97CE4E542CDBEA8D418D | |||
| 3812 | KMSCleaner.exe | C:\Windows\Temp\wzt.dat | executable | |
MD5:B01604FAF1450485B8ECB696051B576F | SHA256:107AA2B7F34E65BAE0C05A52988988F0C0DE8E975CD725A93EDAD44B2D2468B2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |