| File name: | KMSAuto Net.rar |
| Full analysis: | https://app.any.run/tasks/83b1e41f-6f8c-4c72-9d5c-24d9dad759bd |
| Verdict: | Malicious activity |
| Analysis date: | June 28, 2023, 00:32:24 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 1EC394F967F49068BA21284D789BD91D |
| SHA1: | E177BF5BE333C3F7FE5E28CCB93BEAE994F07749 |
| SHA256: | C53DDCE9138F83AFED0BA7FFE7CCE3513F921AF073EC3563B8EB6BE9D88044BF |
| SSDEEP: | 49152:K6qw4/6d+gFKTGSD1XmeouuvYFyW5629VxMUA+7abhlyaclgWR:K6qXCdwp2eouqB7nly3R |
MALICIOUS
Application was dropped or rewritten from another process
- KMSAuto Net.exe (PID: 2084)
- KMSAuto Net.exe (PID: 3852)
SUSPICIOUS
Starts CMD.EXE for commands execution
- KMSAuto Net.exe (PID: 2084)
Reads Internet Explorer settings
- KMSAuto Net.exe (PID: 2084)
INFO
The process checks LSA protection
- KMSAuto Net.exe (PID: 2084)
Checks supported languages
- KMSAuto Net.exe (PID: 2084)
Reads the computer name
- KMSAuto Net.exe (PID: 2084)
Reads the machine GUID from the registry
- KMSAuto Net.exe (PID: 2084)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3084)
Creates files or folders in the user directory
- KMSAuto Net.exe (PID: 2084)
Reads Environment values
- KMSAuto Net.exe (PID: 2084)
Reads product name
- KMSAuto Net.exe (PID: 2084)
[YARA] Firewall manipulation strings were found
- KMSAuto Net.exe (PID: 2084)
[YARA] Network interface manipulation strings were found
- KMSAuto Net.exe (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
51
Monitored processes
6
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1648 | cmd /c echo test>>"C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\test.test" | C:\Windows\System32\cmd.exe | — | KMSAuto Net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2084 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\KMSAuto Net.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\KMSAuto Net.exe | WinRAR.exe | ||||||||||||
User: admin Company: MSFree Inc. Integrity Level: HIGH Description: KMSAuto Net Exit code: 0 Version: 1.3.4 Modules
| |||||||||||||||
| 2096 | C:\Windows\System32\cmd.exe /c del /F /Q "test.test" | C:\Windows\System32\cmd.exe | — | KMSAuto Net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2780 | cmd /c md "C:\Users\admin\AppData\Local\MSfree Inc" | C:\Windows\System32\cmd.exe | — | KMSAuto Net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3084 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KMSAuto Net.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3852 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\KMSAuto Net.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\KMSAuto Net.exe | — | WinRAR.exe | |||||||||||
User: admin Company: MSFree Inc. Integrity Level: MEDIUM Description: KMSAuto Net Exit code: 3221226540 Version: 1.3.4 Modules
| |||||||||||||||
Total events
1 267
Read events
1 251
Write events
16
Delete events
0
Modification events
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2084 | KMSAuto Net.exe | C:\Users\admin\AppData\Local\MSfree Inc\kmsauto.ini | text | |
MD5:33C2F031B8C6D6CB29F964A54FEDAA13 | SHA256:54BC7607535F2EC23A258FDD96257B2CE4374705599EF3E09A7B5643B08035E8 | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\KMSAuto Net.exe | executable | |
MD5:11D5507C8770EB6BF95E1924C83955A9 | SHA256:21BDC42D3122301E11F70D0B1968CE3F269DA19EB9EEA7D2D21B1AE606E4E894 | |||
| 1648 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3084.37196\test.test | text | |
MD5:9F06243ABCB89C70E0C331C61D871FA7 | SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2468 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |