87c44dc08a84f171306e12a0c94547cf9540d782c7c5461a0815067a2ab0e130

General

Target

00900090KN.exe
Size

529KB
MD5

aaf17abfdde05c49c802f36152e7332f
SHA1

96cb10637d94c28163b390d11a43a2ece002d5f0
SHA256

16c87c40706e8c0eee97f32fccac2fa229961b13d266e011ce411d37b864dafa
SHA512

d93fe97db4fe0ba40fc53996e01c3f72e184f3646d630064ba23f718c1f3e7e8bad78078772924147262551e8ab686ac3ef46af98ccb39cd68f1c98f82f4f5b3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	00900090KN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	00900090KN.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
572	00900090KN.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 288	572	00900090KN.exe	31
PID 572 wrote to memory of 288	572	00900090KN.exe	31
PID 572 wrote to memory of 288	572	00900090KN.exe	31
PID 572 wrote to memory of 288	572	00900090KN.exe	31
PID 572 wrote to memory of 288	572	00900090KN.exe	31

C:\Users\Admin\AppData\Local\Temp\00900090KN.exe
"C:\Users\Admin\AppData\Local\Temp\00900090KN.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Local\Temp\00900090KN.exe
  "C:\Users\Admin\AppData\Local\Temp\00900090KN.exe"
  2⤵
  PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/572-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/572-61-0x0000000003B90000-0x0000000003B92000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing