
Analysis Report KMS-R@1n.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:218154
Start date:26.03.2020
Start time:10:07:54
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 20s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:KMS-R@1n.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 53.8%)
  • Quality average: 38.2%
  • Quality standard deviation: 39.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy | Score | Range | Whitelisted | Detection
Threshold | 48 | 0 - 100 | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification Spiderchart

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample is a service DLL but no service has been registered



Mitre Att&ck Matrix

Tactic | Techniques (numbers in parentheses are the superscript counts shown in the matrix)
Initial Access | Valid Accounts; Replication Through Removable Media
Execution | Service Execution (2); Service Execution
Persistence | Modify Existing Service (1); New Service (3)
Privilege Escalation | Process Injection (1); New Service (3)
Defense Evasion | Process Injection (1); Binary Padding
Credential Access | Credential Dumping; Network Sniffing
Discovery | Security Software Discovery (11); System Information Discovery (1)
Lateral Movement | Application Deployment Software; Remote Services
Collection | Data from Local System; Data from Removable Media
Exfiltration | Data Encrypted (11); Exfiltration Over Other Network Medium
Command and Control | Standard Cryptographic Protocol (2); Commonly Used Port (1)
Network Effects | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact | Data Encrypted for Impact (1); Device Lockout

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: KMS-R@1n.exe | Virustotal: Detection: 50%
Source: KMS-R@1n.exe | Metadefender: Detection: 37%
Source: KMS-R@1n.exe | ReversingLabs: Detection: 54%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD1B08 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF683CD1B08
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD13AC CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF683CD13AC
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD14A4 CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF683CD14A4
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD1DD0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,0_2_00007FF683CD1DD0
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD1C58 memcpy,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptSetHashParam,CryptHashData,CryptGetHashParam,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,0_2_00007FF683CD1C58

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD13AC CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF683CD13AC
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD14A4 CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF683CD14A4
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD1C58 memcpy,CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptSetHashParam,CryptHashData,CryptGetHashParam,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,0_2_00007FF683CD1C58

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD16A0 0_2_00007FF683CD16A0
Classification label
Source: classification engine | Classification label: mal48.winEXE@2/0@0/0
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD30E4 EntryPoint,StartServiceCtrlDispatcherW,GetLastError,ExitProcess,ExitProcess,0_2_00007FF683CD30E4
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD30E4 EntryPoint,StartServiceCtrlDispatcherW,GetLastError,ExitProcess,ExitProcess,0_2_00007FF683CD30E4
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_01
PE file has an executable .text section and no other executable section
Source: KMS-R@1n.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: KMS-R@1n.exe | Virustotal: Detection: 50%
Source: KMS-R@1n.exe | Metadefender: Detection: 37%
Source: KMS-R@1n.exe | ReversingLabs: Detection: 54%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\KMS-R@1n.exe 'C:\Users\user\Desktop\KMS-R@1n.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PE file has a high image base, often used for DLLs
Source: KMS-R@1n.exe | Static PE information: Image base 0x140000000 > 0x60000000
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: KMS-R@1n.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD30E4 EntryPoint,StartServiceCtrlDispatcherW,GetLastError,ExitProcess,ExitProcess,0_2_00007FF683CD30E4

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\KMS-R@1n.exe | API coverage: 3.5 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: KMS-R@1n.exe, 00000000.00000002.1111901737.00007FF683CD4000.00000002.00020000.sdmp | Binary or memory string: Windows Vista EnterpriseWindows Vista Enterprise NWindows Vista BusinessWindows Vista Business NWindows 7 EnterpriseWindows 7 Enterprise EWindows 7 Enterprise NWindows 7 ProfessionalWindows 7 Professional EWindows 7 Professional NWindows 7 Embedded StandardWindows 7 Thin PCWindows Embedded POSReady 7Windows 8 EnterpriseWindows 8 Enterprise NWindows 8 ProWindows 8 Pro NWindows 8 Pro with MediaCenterWindows 8 CoreWindows 8 Core NWindows 8 Core Country SpecificWindows 8 Core Single LanguageWindows 8 Core ARMWindows 8.1 EnterpriseWindows 8.1 Enterprise NWindows 8.1 ProfessionalWindows 8.1 Professional NWindows Embedded Industry 8.1Windows Embedded IndustryE 8.1Windows Embedded IndustryA 8.1Windows 8.1 Pro with MediaCenterWindows 8.1 CoreWindows 8.1 Core NWindows 8.1 Core Country SpecificWindows 8.1 Core Single LanguageWindows 8.1 Core ARMWindows Web Server 2008Windows HPC Server 2008Windows Server 2008 EnterpriseWindows Server 2008 Enterprise without Hyper-VWindows Server 2008 StandardWindows Server 2008 Standard without Hyper-VWindows Server 2008 DatacenterWindows Server 2008 Datacenter without Hyper-VWindows Server 2008 for Itanium-Based SystemsWindows Web Server 2008 R2Windows HPC Server 2008 R2Windows MultiPoint Server 2011Windows Server 2008 R2 EnterpriseWindows Server 2008 R2 StandardWindows Server 2008 R2 DatacenterWindows Server 2008 R2 for Itanium-Based SystemsWindows Server 2012 DatacenterWindows Server 2012 StandardWindows MultiPoint Server 2012 PremiumWindows MultiPoint Server 2012 StandardWindows Server Essentials 2012Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Storage Server 2012 R2Windows Server Essentials 2012 R2Office Professional Plus 2010Office Standard 2010Office Small Business Basics 2010Project Professional 2010Project Standard 2010Visio Premium 2010Visio Professional 2010Visio Standard 2010Access 2010Excel 2010SharePoint Workspace 2010InfoPath 2010OneNote 2010Outlook 2010PowerPoint 2010Publisher 2010Word 2010Office 2013 Professional PlusOffice 2013 StandardProject 2013 ProfessionalProject 2013 StandardVisio 2013 ProfessionalVisio 2013 StandardAccess 2013Excel 2013InfoPath 2013Lync 2013OneNote 2013Outlook 2013PowerPoint 2013Publisher 2013Word 2013WindowsOffice2010Office2013Unknown ProductError: %s failed with code %u (0x%08x)
Source: KMS-R@1n.exe | Binary or memory string: fzfpfdfZfLfBf8fWindows Vista EnterpriseWindows Vista Enterprise NWindows Vista BusinessWindows Vista Business NWindows 7 EnterpriseWindows 7 Enterprise EWindows 7 Enterprise NWindows 7 ProfessionalWindows 7 Professional EWindows 7 Professional NWindows 7 Embedded StandardWindows 7 Thin PCWindows Embedded POSReady 7Windows 8 EnterpriseWindows 8 Enterprise NWindows 8 ProWindows 8 Pro NWindows 8 Pro with MediaCenterWindows 8 CoreWindows 8 Core NWindows 8 Core Country SpecificWindows 8 Core Single LanguageWindows 8 Core ARMWindows 8.1 EnterpriseWindows 8.1 Enterprise NWindows 8.1 ProfessionalWindows 8.1 Professional NWindows Embedded Industry 8.1Windows Embedded IndustryE 8.1Windows Embedded IndustryA 8.1Windows 8.1 Pro with MediaCenterWindows 8.1 CoreWindows 8.1 Core NWindows 8.1 Core Country SpecificWindows 8.1 Core Single LanguageWindows 8.1 Core ARMWindows Web Server 2008Windows HPC Server 2008Windows Server 2008 EnterpriseWindows Server 2008 Enterprise without Hyper-VWindows Server 2008 StandardWindows Server 2008 Standard without Hyper-VWindows Server 2008 DatacenterWindows Server 2008 Datacenter without Hyper-VWindows Server 2008 for Itanium-Based SystemsWindows Web Server 2008 R2Windows HPC Server 2008 R2Windows MultiPoint Server 2011Windows Server 2008 R2 EnterpriseWindows Server 2008 R2 StandardWindows Server 2008 R2 DatacenterWindows Server 2008 R2 for Itanium-Based SystemsWindows Server 2012 DatacenterWindows Server 2012 StandardWindows MultiPoint Server 2012 PremiumWindows MultiPoint Server 2012 StandardWindows Server Essentials 2012Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Storage Server 2012 R2Windows Server Essentials 2012 R2Office Professional Plus 2010Office Standard 2010Office Small Business Basics 2010Project Professional 2010Project Standard 2010Visio Premium 2010Visio Professional 2010Visio Standard 2010Access 2010Excel 2010SharePoint Workspace 2010InfoPath 2010OneNote 2010Outlook 2010PowerPoint 2010Publisher 2010Word 2010Office 2013 Professional PlusOffice 2013 StandardProject 2013 ProfessionalProject 2013 StandardVisio 2013 ProfessionalVisio 2013 StandardAccess 2013Excel 2013InfoPath 2013Lync 2013OneNote 2013Outlook 2013PowerPoint 2013Publisher 2013Word 2013WindowsOffice2010Office2013Unknown ProductError: %s failed with code %u (0x%08x)
Program exit points
Source: C:\Users\user\Desktop\KMS-R@1n.exe | API call chain: ExitProcess graph end node graph_0-508

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD1388 GetProcessHeap,HeapFree,0_2_00007FF683CD1388
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD2F7C SetServiceStatus,RpcMgmtStopServerListening,0_2_00007FF683CD2F7C
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD26A0 RpcServerListen,memset,wcslen,0_2_00007FF683CD26A0
Source: C:\Users\user\Desktop\KMS-R@1n.exe | Code function: 0_2_00007FF683CD24E4 RpcMgmtStopServerListening,0_2_00007FF683CD24E4

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph rendering not reproduced. Behavior Graph ID: 218154, Sample: KMS-R@1n.exe, Startdate: 26/03/2020, Architecture: WINDOWS, Score: 48. Nodes: KMS-R@1n.exe (started; signature: Multi AV Scanner detection for submitted file) -> conhost.exe (started).]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
KMS-R@1n.exe | 51% | Virustotal |
KMS-R@1n.exe | 38% | Metadefender |
KMS-R@1n.exe | 55% | ReversingLabs | Win64.Hacktool.Hackkms

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Startup

  • System is w10x64
  • KMS-R@1n.exe (PID: 5308 cmdline: 'C:\Users\user\Desktop\KMS-R@1n.exe' MD5: 0F9FD9565E6EB157FA9BE11ED9C1DC9F)
    • conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):5.5315566951223865
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:KMS-R@1n.exe
File size:26112
MD5:0f9fd9565e6eb157fa9be11ed9c1dc9f
SHA1:ffd767312eb98685aec289b97e3768559767ee86
SHA256:7565255f0a28d065f8f30f876e7df3e46ef2e6fedf420eca7d454cf49887b2de
SHA512:d76b375a790271a8d88004e02b827f98afc2cbaaa76d20dc7e3aa9ce7dc1582f125e120950fe84722fc113fc6835cd850cdc513be2d3c488e9f357f14f90835c
SSDEEP:384:MZZVSihTYrDKG0y76D6quhUZaRJUMO0qhrLpEvttZODKkbS6:gS2TYrDKG0y+Ssa0Mbl2DKkbN
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.1.1._E1._E1._E1.^E.._E8..E:._E...E4._E<..E0._E1..E0._E...E0._ERich1._E........................PE..d...4..S.........."......".

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x1400030e4
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x53C4DC34 [Tue Jul 15 07:45:56 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:37f9979aa11c72f8eff85b3b9423a1af

Entrypoint Preview

Instruction
dec esp
mov ebx, esp
dec eax
sub esp, 48h
dec ecx
and dword ptr [ebx-18h], 00000000h
dec ecx
and dword ptr [ebx-10h], 00000000h
dec eax
lea eax, dword ptr [000010A4h]
dec ecx
mov dword ptr [ebx-28h], eax
dec eax
lea eax, dword ptr [FFFFFF81h]
dec ecx
lea ecx, dword ptr [ebx-28h]
dec ecx
mov dword ptr [ebx-20h], eax
call dword ptr [00000F1Bh]
test eax, eax
jne 00007FA8AC720ED1h
call dword ptr [00000FA1h]
mov ecx, eax
call dword ptr [00000FA9h]
int3
xor ecx, ecx
call dword ptr [00000FA0h]
int3
int3
jmp dword ptr [00001050h]
jmp dword ptr [0000103Ah]
jmp dword ptr [00000FF4h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:
  • [RES] VS2013 build 21005
  • [LNK] VS2013 UPD2 build 30501
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6434 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9000 | 0x478 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x8000 | 0x1ec | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xf0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x1a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2144 | 0x2200 | False | 0.608226102941 | data | 6.16110736871 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x29c6 | 0x2a00 | False | 0.359840029762 | data | 4.37873508028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0xb1c | 0xc00 | False | 0.619466145833 | data | 5.71199189577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x8000 | 0x1ec | 0x200 | False | 0.58984375 | data | 3.92434970743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x9000 | 0x478 | 0x600 | False | 0.346354166667 | data | 4.36401962919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa000 | 0xf0 | 0x200 | False | 0.408203125 | data | 3.2377745709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MESSAGETABLE | 0x90a0 | 0xa0 | data | English | United States
RT_MANIFEST | 0x9140 | 0x333 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States

Imports

DLL | Imports
msvcrt.dll | _errno, wcstoul, _time64, _localtime64, wcslen, _wcsicmp, memcpy, _vsnwprintf, memset, memcmp
KERNEL32.dll | CloseHandle, GetLastError, WaitForSingleObject, ExitProcess, HeapAlloc, GetSystemDefaultLCID, FormatMessageW, GetProcessHeap, HeapFree, CreateThread
ADVAPI32.dll | CryptReleaseContext, RegisterServiceCtrlHandlerW, RegOpenKeyExW, SetServiceStatus, DeregisterEventSource, RegQueryValueExW, StartServiceCtrlDispatcherW, RegisterEventSourceW, CryptHashData, RegCloseKey, CryptDestroyHash, CryptDecrypt, CryptDestroyKey, CryptCreateHash, CryptEncrypt, CryptImportKey, CryptGenRandom, CryptSetKeyParam, CryptAcquireContextW, CryptGetHashParam, CryptSetHashParam, ReportEventW
RPCRT4.dll | RpcServerRegisterIfEx, RpcServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIf, RpcServerUseProtseqEpW, NdrServerCall2

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


Behavior


System Behavior

General

Start time:10:09:20
Start date:26/03/2020
Path:C:\Users\user\Desktop\KMS-R@1n.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\KMS-R@1n.exe'
Imagebase:0x7ff683cd0000
File size:26112 bytes
MD5 hash:0F9FD9565E6EB157FA9BE11ED9C1DC9F
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

General

Start time:10:09:20
Start date:26/03/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7e5370000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:0.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:26.9%
    Total number of Nodes:234
    Total number of Limit Nodes:1

    Graph

    [Execution graph rendering not reproduced; the extracted node list was truncated. The graph is rooted at the entry point 7ff683cd30e4 (StartServiceCtrlDispatcherW, ending in ExitProcess) and its node labels name the same functions and APIs listed in the Signature Overview, among them 7ff683cd3088 RegisterServiceCtrlHandlerW / SetServiceStatus, 7ff683cd2b20 RegOpenKeyExW / RegQueryValueExW, 7ff683cd24f0 RpcServerUseProtseqEpW / RpcServerRegisterIfEx, 7ff683cd26a0 RpcServerListen, 7ff683cd24e4 RpcMgmtStopServerListening, 7ff683cd13ac CryptAcquireContextW / CryptImportKey / CryptSetKeyParam / CryptEncrypt, 7ff683cd14a4 CryptImportKey / CryptDecrypt, 7ff683cd1dd0 CryptGenRandom, 7ff683cd1b08 CryptCreateHash / CryptHashData / CryptGetHashParam, 7ff683cd2938 RegisterEventSourceW / ReportEventW / DeregisterEventSource, and 7ff683cd1388 GetProcessHeap / HeapFree.]