KMSpico is a well-known tool to activate Microsoft’s product, though it has stopped update already and it’s illegal.
And there are lots of repacked version on the Internet, we got a sample which looks a bit more interesting.
This time I want to direct run the sample in Sandboxie.
Like other malicious repacked KMSpico, it drops a malware and run it during installation.
Dropped File Path: “C:\Program Files (x86)\Common Files\InstallShield\Update\ISUSPM.exe”
It’s a heavily obfuscated .NET-based malware, but it’s not the most important point in this blog post.
So I found the INI file.
A better way to find the hidden script is just using some text editor to highlight some keywords.
This script will download a file and run it with “/VERYSILENT” argument, this argument is widely used by some installers.
X-Sec Antivirus Detection:
Cloud:Trojan.Win32.Dropper(For malicious repacked KMSpico)
Cloud:Trojan.Win32.Generic(For dropped malware)
Cloud:Trojan.Script.Downloader(For dropped script)