cryptbot | ea8b966254f89ce69425210fec17037d47b68f5ebb5e6b40c408f28d3900bd0b

Resubmissions

23-06-2024 14:21

240623-rpelzstfpc 10

23-06-2024 14:17

240623-rlz4hsxekp 10

23-06-2024 14:14

240623-rj5k8atekh 3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

КМSрiсо.exe
Size

9.3MB
MD5

9a82eec3b97942751c99fe42a8699cdf
SHA1

62fa4445db34eac1e333af921454357704496261
SHA256

ea8b966254f89ce69425210fec17037d47b68f5ebb5e6b40c408f28d3900bd0b
SHA512

ad3b16ca24d29e1f9be6cdae9744cdd065a8f4545468aeaa99509b5c08a28b16d7c846978b71f60fe54d17b770af24529ba261133f02155048b45b7e0a79c246
SSDEEP

196608:hbCPcnPEu6Bqimbj+P6EDTvLhe8dYoANmvP2WNChdb+WRTBl:hWrmb0vTvLnhmWkK+TBl

Score

10^/10

cryptbot discovery evasion execution persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

cryptbot

xokecn54.top

morekt05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exeSetup1.exeIntelRapid.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelRapid.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

KMSELDI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	KMSELDI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe"	KMSELDI.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup1.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

КМSрiсо.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation КМSрiсо.exe
Drops startup file 1 IoCs

Processes:

Setup1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk Setup1.exe
Executes dropped EXE 7 IoCs

Processes:

Setup.exeKMSpico.exeSetup1.exeKMSpico.tmpIntelRapid.exeUninsHs.exeKMSELDI.exe

pid process

4076 Setup.exe
4452 KMSpico.exe
4540 Setup1.exe
3124 KMSpico.tmp
1992 IntelRapid.exe
3244 UninsHs.exe
4576 KMSELDI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	КМSрiсо.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	Setup1.exe

pid	process
4076	Setup.exe
4452	KMSpico.exe
4540	Setup1.exe
3124	KMSpico.tmp
1992	IntelRapid.exe
3244	UninsHs.exe
4576	KMSELDI.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Program Files (x86)\folder1\Setup.exe	themida
C:\Program Files (x86)\folder1\Setup1.exe	themida
behavioral2/memory/4076-27-0x00000000005E0000-0x0000000000CBE000-memory.dmp	themida
behavioral2/memory/4076-36-0x00000000005E0000-0x0000000000CBE000-memory.dmp	themida
behavioral2/memory/4076-37-0x00000000005E0000-0x0000000000CBE000-memory.dmp	themida
behavioral2/memory/4076-41-0x00000000005E0000-0x0000000000CBE000-memory.dmp	themida
behavioral2/memory/4540-45-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp	themida
behavioral2/memory/4540-46-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp	themida
behavioral2/memory/4540-44-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp	themida
behavioral2/memory/4076-40-0x00000000005E0000-0x0000000000CBE000-memory.dmp	themida
behavioral2/memory/4540-39-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp	themida
behavioral2/memory/1992-167-0x00007FF651510000-0x00007FF651E34000-memory.dmp	themida
behavioral2/memory/4540-166-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp	themida
behavioral2/memory/1992-175-0x00007FF651510000-0x00007FF651E34000-memory.dmp	themida
behavioral2/memory/1992-176-0x00007FF651510000-0x00007FF651E34000-memory.dmp	themida
behavioral2/memory/1992-177-0x00007FF651510000-0x00007FF651E34000-memory.dmp	themida
behavioral2/memory/4076-707-0x00000000005E0000-0x0000000000CBE000-memory.dmp	themida
behavioral2/memory/1992-1028-0x00007FF651510000-0x00007FF651E34000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\KMSpico\UninsHs.exe	upx
behavioral2/memory/3244-956-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/3244-959-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup1.exeIntelRapid.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Drops file in System32 directory 3 IoCs

Processes:

KMSpico.tmp

description	ioc	process
File created	C:\Windows\system32\is-ETO9U.tmp	KMSpico.tmp
File created	C:\Windows\system32\is-7JM0K.tmp	KMSpico.tmp
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	KMSpico.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Setup.exeSetup1.exeIntelRapid.exe

pid process

4076 Setup.exe
4540 Setup1.exe
1992 IntelRapid.exe

pid	process
4076	Setup.exe
4540	Setup1.exe
1992	IntelRapid.exe

Drops file in Program Files directory 64 IoCs

Processes:

KMSpico.tmpKMSELDI.exeКМSрiсо.exe

description	ioc	process
File created	C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-BC3KD.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\driver\is-SGF6G.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-Q43G3.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-E7TVN.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-82Q7S.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-KL3IQ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\DM.bin	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-NJ2H8.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-D169L.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Core\is-1EA4H.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\Enterprise\is-MSGK6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-E6TUK.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-L0PVB.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\logs\is-7HA92.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-J5A03.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-39D4H.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-0VBS6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-DLBO2.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC\is-5S9M3.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-K94R1.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-JDL57.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\logs\is-FPUEO.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-3LR68.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-PRSCL.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-M8LLC.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-MJHJV.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-F592F.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-KLER6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-0696E.tmp	KMSpico.tmp
File opened for modification	C:\Program Files (x86)\folder1\Setup.exe	КМSрiсо.exe
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-U80PS.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-INRBU.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-95NC5.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-2KDIG.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-N14MH.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Word\is-CP2NJ.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-G4B81.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-CCPHM.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-E0QH6.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-VP314.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-2PLN0.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-T6QLF.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\is-O1MS4.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-NKF7N.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-6T90P.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-Q0CV9.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-5F7I2.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-OR7U5.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-O3ULV.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-VM9BU.tmp	KMSpico.tmp
File opened for modification	C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-A0VH1.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\TokensBackup\Windows\data.dat	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-J38GV.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\is-4A251.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\scripts\is-V7PLE.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\sounds\is-ETBEH.tmp	KMSpico.tmp
File opened for modification	C:\Program Files (x86)\folder1	КМSрiсо.exe
File created	C:\Program Files\KMSpico\cert\kmscert2016\ProjectPro\is-441GO.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\is-G8QGG.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\EmbeddedIndustry\is-EUD9D.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\is-U7CNS.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-IUT2B.tmp	KMSpico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-NP4PI.tmp	KMSpico.tmp

Drops file in Windows directory 2 IoCs

Processes:

KMSELDI.exe

description ioc process

File created C:\Windows\SECOH-QAD.dll KMSELDI.exe
File created C:\Windows\SECOH-QAD.exe KMSELDI.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3880 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SECOH-QAD.dll	KMSELDI.exe
File created	C:\Windows\SECOH-QAD.exe	KMSELDI.exe

pid	process
3880	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

KMSpico.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	KMSpico.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	KMSpico.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4348 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1992 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exeKMSpico.tmp

pid process

4076 Setup.exe
4076 Setup.exe
3124 KMSpico.tmp
3124 KMSpico.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

KMSpico.tmp

pid process

3124 KMSpico.tmp

pid	process
4348	schtasks.exe

pid	process
1992	IntelRapid.exe

pid	process
4076	Setup.exe
4076	Setup.exe
3124	KMSpico.tmp
3124	KMSpico.tmp

pid	process
3124	KMSpico.tmp

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

КМSрiсо.exeKMSpico.exeSetup1.exeKMSpico.tmpcmd.execmd.exe

description	pid	process	target process
PID 1580 wrote to memory of 4076	1580	КМSрiсо.exe	Setup.exe
PID 1580 wrote to memory of 4076	1580	КМSрiсо.exe	Setup.exe
PID 1580 wrote to memory of 4076	1580	КМSрiсо.exe	Setup.exe
PID 1580 wrote to memory of 4452	1580	КМSрiсо.exe	KMSpico.exe
PID 1580 wrote to memory of 4452	1580	КМSрiсо.exe	KMSpico.exe
PID 1580 wrote to memory of 4452	1580	КМSрiсо.exe	KMSpico.exe
PID 1580 wrote to memory of 4540	1580	КМSрiсо.exe	Setup1.exe
PID 1580 wrote to memory of 4540	1580	КМSрiсо.exe	Setup1.exe
PID 4452 wrote to memory of 3124	4452	KMSpico.exe	KMSpico.tmp
PID 4452 wrote to memory of 3124	4452	KMSpico.exe	KMSpico.tmp
PID 4452 wrote to memory of 3124	4452	KMSpico.exe	KMSpico.tmp
PID 4540 wrote to memory of 1992	4540	Setup1.exe	IntelRapid.exe
PID 4540 wrote to memory of 1992	4540	Setup1.exe	IntelRapid.exe
PID 3124 wrote to memory of 1340	3124	KMSpico.tmp	cmd.exe
PID 3124 wrote to memory of 1340	3124	KMSpico.tmp	cmd.exe
PID 3124 wrote to memory of 3816	3124	KMSpico.tmp	cmd.exe
PID 3124 wrote to memory of 3816	3124	KMSpico.tmp	cmd.exe
PID 3124 wrote to memory of 3244	3124	KMSpico.tmp	UninsHs.exe
PID 3124 wrote to memory of 3244	3124	KMSpico.tmp	UninsHs.exe
PID 3124 wrote to memory of 3244	3124	KMSpico.tmp	UninsHs.exe
PID 3124 wrote to memory of 4576	3124	KMSpico.tmp	KMSELDI.exe
PID 3124 wrote to memory of 4576	3124	KMSpico.tmp	KMSELDI.exe
PID 3816 wrote to memory of 4348	3816	cmd.exe	schtasks.exe
PID 3816 wrote to memory of 4348	3816	cmd.exe	schtasks.exe
PID 1340 wrote to memory of 3880	1340	cmd.exe	sc.exe
PID 1340 wrote to memory of 3880	1340	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe
"C:\Users\Admin\AppData\Local\Temp\КМSрiсо.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\Program Files (x86)\folder1\Setup.exe
"C:\Program Files (x86)\folder1\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Program Files (x86)\folder1\KMSpico.exe
"C:\Program Files (x86)\folder1\KMSpico.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\is-O5U3I.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O5U3I.tmp\KMSpico.tmp" /SL5="$1C002E,2952592,69120,C:\Program Files (x86)\folder1\KMSpico.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\sc.exe
sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
5⤵
- Launches sc.exe
PID:3880

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\schtasks.exe
SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Program Files\KMSpico\UninsHs.exe
"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Program Files (x86)\folder1\KMSpico.exe
4⤵
- Executes dropped EXE
PID:3244

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4576

C:\Program Files (x86)\folder1\Setup1.exe
"C:\Program Files (x86)\folder1\Setup1.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\folder1\KMSpico.exe
Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
C:\Program Files (x86)\folder1\Setup.exe
Filesize
2.6MB

MD5
eb2960160f8d4ba6fbda91efc9ff91bc

SHA1
80e599ff8e0e43a30a9edab0eafda30d1bc78f8a

SHA256
e1aa011c4654ad6d4e7aa8752325c3a0a6254439bd26b47bb854aaaf512d1ad6

SHA512
9849d4e692308b9ef364926db3d0848a2992e60750da2cd74bc5691ad0c1a76417a85744a9bda8a43d8064643a0e060685d809d9f199ca2751edfc80c902468f

Download Submit
C:\Program Files (x86)\folder1\Setup1.exe
Filesize
3.4MB

MD5
150be50312a4f6c64f292c5ddc2367ae

SHA1
c3e19926be108631b2497e6c03796fd30df6d557

SHA256
8534e712f977ab6f7caee080f4281fdaf08337f209e92d1dae23bbff80fe6c41

SHA512
2bfaece5af3a6a3fc78da6c9dabae95c5d7a8bc222f3a84531dc4619e671fb7f0ee09a3973cc2d720ed6e16ea38ae67f5937f0cc74b4278576b54c10a4658ee1

Download Submit
C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll
Filesize
5.2MB

MD5
1397b23f30681f97049df61f94f54d05

SHA1
5cb1ce6966e3d6d8b8c398cbd537c814312f194d

SHA256
fa76151a783250014ac8fa55d4c833100a623fcad1d6e2ddadcde259f5709609

SHA512
7d001b5942dad8ce1a83831b5a87f2fa6a1571bc133ce3c1ebe9988a43a7fcefc5cdb7870a6e692ef89fb815cfcff0e9c4b41f24ba0716c6808f190ea3c53535

Download Submit
C:\Program Files\KMSpico\KMSELDI.exe
Filesize
921KB

MD5
f0280de3880ef581bf14f9cc72ec1c16

SHA1
43d348e164c35f9e02370f6f66186fbfb15ae2a3

SHA256
50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc

SHA512
ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6

Download Submit
C:\Program Files\KMSpico\UninsHs.exe
Filesize
29KB

MD5
245824502aefe21b01e42f61955aa7f4

SHA1
a58682a8aae6302f1c934709c5aa1f6c86b2be99

SHA256
0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d

SHA512
204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-bridge-office.xrm-ms
Filesize
3KB

MD5
33c1695d278f5917f28067d27b4868ee

SHA1
55137aa9a24d6a622f05315dfbb65fb1a0c74e03

SHA256
65bccc008f5b44d2dbd880c0c33afcfff27c07dd24dc0cc7dda2b3bfa7e9ae74

SHA512
84389ef315ff2f9d86062470ea6033dcb409a3061b898ab677987aa881e2f6d4be1dacc4fad0c606dde6a301f04dfa2f1ff54af86e3a3767ab9bcf6ac368e2f2

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-root-bridge-test.xrm-ms
Filesize
3KB

MD5
c8a546ad00a2f81bd39f23ac1d70b24a

SHA1
cfbb628b1c014d0264536d908f6557dd6a01f4a9

SHA256
f050e6022511f0f16661f82809ba65ab8d912bd9971d3747f6b58f2042a4a921

SHA512
5b5cab22e808835a37fc1f1e17718baca95c03f1659022d51deca23685503cd4313fbf1363385e3f5c404c9958f6b6bd6b4b0efa7c1548113dd46f13f9ba33b0

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-root.xrm-ms
Filesize
3KB

MD5
aee8dc4536129edc9c1df17cb288e3e9

SHA1
13c872ac505add867c944da550e96bc69c8a4165

SHA256
6e058fd0c8a4c2aafac6502de3ea739340917c6e75e6ec26ee60298c01baa826

SHA512
a27811053173d30b56ce85837017305cc2d58a673498e4ef7e562e23147a22ed416e0e4dae9d062064bec77b3cf89e46302807cb2f0022189b88fcc8e31f0124

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-stil.xrm-ms
Filesize
3KB

MD5
072b400f6cbb1123397d1c452740da04

SHA1
5f5615f5840252f4998c1c07ea717dfd7da970cc

SHA256
afe8c45943567e747425f87e43f774c783c07392888078693188882bde1339e3

SHA512
e7b8481e37f5ecc775b1e0e946c22051ff7c2b320c7deecd2fe6ae33b69abb230782ca397e5d799d8863026eee62f331000f7bf5b6f4f5b6614195c78dd2142f

Download Submit
C:\Program Files\KMSpico\cert\kmscert2016\client-issuance-ul-oob.xrm-ms
Filesize
4KB

MD5
582e03b41356083d04ce6191f560092a

SHA1
607b41ac3d642b91655e0af54556f441682acacf

SHA256
d40dbfddc97849f246a397e59187a3f97f70fa1687d578b3dacb92044fd51bea

SHA512
c28f7d286369d8d4f9a9f79ed67912d2390030013ac4e3b549176cff8378ab0c34db37f2bf6712b5d9eb9b06cb7fe72203e85340889e38b85623e1dbb7d33887

Download Submit
C:\Program Files\KMSpico\logs\KMSELDI.log
Filesize
1KB

MD5
94ca4a477c7d0dcdcfc27f0666349c7f

SHA1
dd1a4164bc8f2c5bd4410e947875285cdcef9618

SHA256
1c75c121d53ca12d6e16f43a245ac78bf112c53f654c8cc08cd4fefe7a464139

SHA512
d446a9b4063ed026960d5cacbff0d797b4951177f76d8438c2114c6308cf991eced1424556ec1e2938a03c0504ba9821c8a81bb55fd11d0faa513c617127ed02

Download Submit
C:\Program Files\KMSpico\scripts\Install_Service.cmd
Filesize
213B

MD5
9107cd31951f2cf90e0892740b9087c9

SHA1
efac5c2e59ddef2f0a7782ad1dea8f6b25a07395

SHA256
11578521b14c17fbbb070c13887161586d57196f4d408c41a0f02ed07ee32f2c

SHA512
f6b66dcbbb8aa55793b63f20fc3718038d7c35f94570cf487b6e8393f67be6bd004dd64f3b8fc8345b7e02e2e8ec2d48ceed2494d9f1282ca020dbbaa621f457

Download Submit
C:\Program Files\KMSpico\scripts\Install_Task.cmd
Filesize
220B

MD5
ade709ca6a00370a4a6fea2425f948c1

SHA1
5919c95ef78bd4ab200f8071b98970ff9541a24a

SHA256
5b067073b968361fe489017d173040655f21890605d39cdb012a030dd75b52a8

SHA512
860f9f12bc4995fae7c74481c2b24a346e763e32a782b3826c0f0772ad90be48377faefd883c9a28b221f8476fd203782932fee859b079fb7d4b1b152cce7b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O5U3I.tmp\KMSpico.tmp
Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGxEdgqcyoE\_Files\_Files\CheckpointOut.txt
Filesize
397KB

MD5
8498c4205880ea9e17305b2421ab5737

SHA1
4d5fefc5ac4df2fb8be71fed920d7b1b2706e733

SHA256
6397516feaed3590f7c841856c05ab123760e7c906a87242348a196642bd6aac

SHA512
a7a1388b1647a944796782d6eca6443f6872e80ba991b02557abfb9b55957c3da518a9c2ec0d75171a5df767f3f482df5a8df4109307ddcb9bf4d2d415a81c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGxEdgqcyoE\_Files\_Information.txt
Filesize
7KB

MD5
5981e4cbfb62ad69932b89d2e3ee4ae4

SHA1
e9eda783a8e09f9688722ed0fe58fa86347f887c

SHA256
a308a079a0218b102870f443137471160c2eb23f813a72ff44a70f30e89b16a7

SHA512
1d67c1fd0e09c6511d66baec28c54ce9a83560a24496ccf4319e683d980fdac973a45f1ed727e044b3488a6b8383242f9cf61b7e090124704a16218ea6e67fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGxEdgqcyoE\_Files\_Screen_Desktop.jpeg
Filesize
42KB

MD5
a1f05806d4851d9be57d8ebed098d26f

SHA1
12ad2c394eb8f62acc1b0f38b670db874fcdb6d3

SHA256
6e30c5039de79fea281946670104bd40bf3b5943e3812fabaa749430a1d7db6a

SHA512
9c4bfcb23c11f084ec1b0a8e7705f1f76c875c43f628e7b2c8390068c73ad31c3a896d4c7ffab59c8a0fad78197a8928a86c5714b8c35f9d6cb8b9e225a23620

Download Submit
C:\Windows\System32\Vestris.ResourceLib.dll
Filesize
88KB

MD5
3d733144477cadcf77009ef614413630

SHA1
0a530a2524084f1d2a85b419f033e1892174ab31

SHA256
392d73617fd0a55218261572ece2f50301e0cfa29b5ed24c3f692130aa406af3

SHA512
be6b524d67d69385a02874a2d96d4270335846bece7b528308e136428fd67af66a4216d90da4f288aeefd00a0ba5d5f3b5493824fcb352b919ab25e7ef50b81c

Download Submit
memory/1992-177-0x00007FF651510000-0x00007FF651E34000-memory.dmp

Filesize
9.1MB

Download
memory/1992-176-0x00007FF651510000-0x00007FF651E34000-memory.dmp

Filesize
9.1MB

Download
memory/1992-1028-0x00007FF651510000-0x00007FF651E34000-memory.dmp

Filesize
9.1MB

Download
memory/1992-167-0x00007FF651510000-0x00007FF651E34000-memory.dmp

Filesize
9.1MB

Download
memory/1992-175-0x00007FF651510000-0x00007FF651E34000-memory.dmp

Filesize
9.1MB

Download
memory/3124-723-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3244-956-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3244-959-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4076-36-0x00000000005E0000-0x0000000000CBE000-memory.dmp

Filesize
6.9MB

Download
memory/4076-41-0x00000000005E0000-0x0000000000CBE000-memory.dmp

Filesize
6.9MB

Download
memory/4076-707-0x00000000005E0000-0x0000000000CBE000-memory.dmp

Filesize
6.9MB

Download
memory/4076-40-0x00000000005E0000-0x0000000000CBE000-memory.dmp

Filesize
6.9MB

Download
memory/4076-33-0x0000000077164000-0x0000000077166000-memory.dmp

Filesize
8KB

Download
memory/4076-27-0x00000000005E0000-0x0000000000CBE000-memory.dmp

Filesize
6.9MB

Download
memory/4076-37-0x00000000005E0000-0x0000000000CBE000-memory.dmp

Filesize
6.9MB

Download
memory/4452-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4452-710-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4452-32-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4540-45-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp

Filesize
9.1MB

Download
memory/4540-46-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp

Filesize
9.1MB

Download
memory/4540-39-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp

Filesize
9.1MB

Download
memory/4540-166-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp

Filesize
9.1MB

Download
memory/4540-44-0x00007FF7F05C0000-0x00007FF7F0EE4000-memory.dmp

Filesize
9.1MB

Download
memory/4576-967-0x000000001BF70000-0x000000001C4B0000-memory.dmp

Filesize
5.2MB

Download
memory/4576-964-0x0000000000CF0000-0x0000000000DDA000-memory.dmp

Filesize
936KB

Download