Analysis
- max time kernel: 119s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 25-11-2021 16:36
Static task: static1
Behavioral task: behavioral1
  Sample:   166fd7b7965859e1a19623771f8fee09.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample:   166fd7b7965859e1a19623771f8fee09.exe
  Resource: win10-en-20211104
General
- Target: 166fd7b7965859e1a19623771f8fee09.exe
- Size:   6.8MB
- MD5:    166fd7b7965859e1a19623771f8fee09
- SHA1:   f9f9846d360e4439b67090cabb6e729eb089bf81
- SHA256: 2a0bd6197d381f1e0d5fb74425b6d1c60d9f9b107eef5c91b3a8f7b91114d732
- SHA512: e1500d76794971e6e900834d6d47a90ce37f0abf2b341401d7e4aefcf567e87579001ea6bfff1076a5f0ce98f1a63e030c5ccdbabe4acc45fbe4ba29ac3a0fe1
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid  | process
  1292 | kmgaw.exe
- YARA rule matches (5 IoCs)
  resource                                                                  | yara_rule
  behavioral1/memory/268-55-0x000000013FC50000-0x00000001409FA000-memory.dmp  | vmprotect
  C:\Windows\kmgaw.exe                                                      | vmprotect
  C:\Windows\kmgaw.exe                                                      | vmprotect
  behavioral1/memory/1292-64-0x000000013F760000-0x000000014050D000-memory.dmp | vmprotect
  C:\Windows\winsdk.exe                                                     | vmprotect
- Drops file in System32 directory (8 IoCs)
  description                  | ioc                                     | process
  File opened for modification | C:\Windows\System32\vcruntime140d.dll   | kmgaw.exe
  File created                 | C:\Windows\System32\msvcp140d.dll       | 166fd7b7965859e1a19623771f8fee09.exe
  File created                 | C:\Windows\System32\ucrtbased.dll       | 166fd7b7965859e1a19623771f8fee09.exe
  File created                 | C:\Windows\System32\vcruntime140_1d.dll | 166fd7b7965859e1a19623771f8fee09.exe
  File created                 | C:\Windows\System32\vcruntime140d.dll   | 166fd7b7965859e1a19623771f8fee09.exe
  File opened for modification | C:\Windows\System32\msvcp140d.dll       | kmgaw.exe
  File opened for modification | C:\Windows\System32\ucrtbased.dll       | kmgaw.exe
  File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | kmgaw.exe
- Drops file in Windows directory (3 IoCs)
  description                  | ioc                   | process
  File created                 | C:\Windows\kmgaw.exe  | 166fd7b7965859e1a19623771f8fee09.exe
  File opened for modification | C:\Windows\winsdk.exe | kmgaw.exe
  File created                 | C:\Windows\winsdk.exe | 166fd7b7965859e1a19623771f8fee09.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  268  | 166fd7b7965859e1a19623771f8fee09.exe
  1292 | kmgaw.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                     | pid | process                              | target pid | target process
  PID 268 wrote to memory of 1048 | 268 | 166fd7b7965859e1a19623771f8fee09.exe | 1048       | cmd.exe   (listed 3 times)
  PID 268 wrote to memory of 1292 | 268 | 166fd7b7965859e1a19623771f8fee09.exe | 1292       | kmgaw.exe (listed 3 times)
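The signatures above describe a pattern that is easy to hunt for on an endpoint telemetry feed: a process running from the user's Temp directory writes debug MSVC runtime DLLs (the `d`-suffixed names) into System32 and a PE into the Windows root, then launches that PE. The script below is an added example, not part of the sandbox report. Its events are constructed in a simplified Sysmon-like layout (file-create and process-create dicts); the paths, PIDs and image names are taken from the report, while the allow-list of trusted writers and the rule names are assumptions.

```python
"""Hunt for the drop-and-launch pattern recorded in the report above.

Added example, not part of the sandbox report. Events are constructed in a
simplified Sysmon-like layout; paths, PIDs and image names come from the
report, the allow-list of trusted writers is an assumption.
"""
import ntpath

# Debug builds of the MSVC runtime. Windows does not ship them, so a
# non-installer process writing them into System32 is worth a look.
DEBUG_CRT_DLLS = {"vcruntime140d.dll", "vcruntime140_1d.dll",
                  "ucrtbased.dll", "msvcp140d.dll"}
WINDOWS_ROOT = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"

# Assumed allow-list; a real deployment derives this from its own baseline.
TRUSTED_WRITERS = {r"c:\windows\system32\tiworker.exe",
                   r"c:\windows\system32\msiexec.exe"}


def _norm(path):
    """Lower-case, backslash-only form so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def check_file_create(ev):
    """Return a finding name for one FileCreate event, or None."""
    image, target = _norm(ev["image"]), _norm(ev["target"])
    if image in TRUSTED_WRITERS:
        return None
    directory, name = ntpath.dirname(target), ntpath.basename(target)
    if directory == SYSTEM32 and name in DEBUG_CRT_DLLS:
        return "debug_crt_dll_written_to_system32"
    if directory == WINDOWS_ROOT and name.endswith(".exe"):
        return "executable_written_to_windows_root"
    return None


def check_process_create(ev):
    """Flag an EXE in the Windows root whose parent runs from the user's Temp."""
    image, parent = _norm(ev["image"]), _norm(ev["parent_image"])
    if ntpath.dirname(image) == WINDOWS_ROOT and "\\appdata\\local\\temp\\" in parent:
        return "windows_root_exe_launched_from_temp_parent"
    return None


def hunt(events):
    """Return (finding, pid, path) tuples in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "FileCreate":
            name, path = check_file_create(ev), ev["target"]
        elif ev["type"] == "ProcessCreate":
            name, path = check_process_create(ev), ev["image"]
        else:
            continue
        if name:
            findings.append((name, ev["pid"], path))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\166fd7b7965859e1a19623771f8fee09.exe"

# Constructed events mirroring the report's process tree and drop list,
# plus one benign control (servicing writes a release CRT DLL).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 268, "image": SAMPLE,
     "target": r"C:\Windows\System32\ucrtbased.dll"},
    {"type": "FileCreate", "pid": 268, "image": SAMPLE,
     "target": r"C:\Windows\System32\msvcp140d.dll"},
    {"type": "FileCreate", "pid": 268, "image": SAMPLE,
     "target": r"C:\Windows\kmgaw.exe"},
    {"type": "ProcessCreate", "pid": 1048, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": SAMPLE, "cmdline": r"C:\Windows\system32\cmd.exe /c cls"},
    {"type": "ProcessCreate", "pid": 1292, "image": r"C:\Windows\kmgaw.exe",
     "parent_image": SAMPLE, "cmdline": r"C:\\Windows\\kmgaw.exe"},
    {"type": "FileCreate", "pid": 900, "image": r"C:\Windows\System32\TiWorker.exe",
     "target": r"C:\Windows\System32\ucrtbase.dll"},
]

if __name__ == "__main__":
    for finding, pid, path in hunt(SAMPLE_EVENTS):
        print(f"{finding:45} pid={pid:<5} {path}")
```

The `cmd.exe /c cls` child from the report is deliberately not flagged: its image lives in System32, and clearing the console is not by itself a drop or a launch from the Windows root. The allow-list is the part to tune; without it, servicing and installer processes will generate noise on the System32 rule.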
Processes
- C:\Users\Admin\AppData\Local\Temp\166fd7b7965859e1a19623771f8fee09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\166fd7b7965859e1a19623771f8fee09.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\kmgaw.exe
    Command line: C:\\Windows\\kmgaw.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC94CCU5\filecoder[1].htm
  MD5     10b9e801cb7b30401cc3c85f7ddbb9c5
  SHA1    ba3eac18811cf6be7771c86a59bbab66558f6d49
  SHA256  3c0ab4292cda5730bef1a8cfab5f3284c62a9d1a883338b67bd4a65327d60a23
  SHA512  d44cfc70fae206b3ae9095404313efc2464931d86e87b1bb9e3523d2d5684c31798dd0da08b56400a2b522bfad19186744042ed12d64145336046e4beb149309
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC94CCU5\vcruntime140d[1].dll
  MD5     01eee7747651c32df22680c4f7ca9857
  SHA1    20e509d36bce300aae0496a683fb7324a0d6302b
  SHA256  2fbd0ef78ccc3e77b6275bb8fc679acff23bbb1ed19bc8821276fdc84dc74c4c
  SHA512  8d89f7cf555cef73f9d3c2d559634491d7046d8f98cf4484d86579ba359d5631338d247bf79fb8f6e436cba13545264aa682fbfafc0783dde3d7e1406d83eb87
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MWR70CEF\ucrtbased[1].dll
  MD5     7873612dddd9152d70d892427bc45ef0
  SHA1    ab9079a43a784471ca31c4f0a34b698d99334dfa
  SHA256  203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
  SHA512  d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBXRT4TL\msvcp140d[1].dll
  MD5     c4e2cff696a676129944a37fded935aa
  SHA1    42e2e911c26bb302d07dcdfdfa084bfcffdcb66d
  SHA256  2d9b2fb5e53666a2225c9c5dd7226754c4cde4f621f1da6e5dc34df718225c15
  SHA512  359ceda3b1d769cbbe1ba03dddf7d2ab211dc2f1dfb3cde6e46da23e509b7473e922424fe212ae50865622f191b45de69fad43c086d6a964a53403ceb0529626
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHI8KPQK\rustversion[1].htm
  MD5     4fb437564892944d73f87c822342e2bb
  SHA1    e2607f6b788649e033ce30e1a047bf49c1f5fe91
  SHA256  9c7f38a9ac4f5de592be486948ac944aff688f914e3b74e6917c7fe4715a561e
  SHA512  d25242168ab59b74af156f7f6e10059ef1aad93bae2f9be54f8cae8320de04af20333050d5d259861d74bd69b2d694cd935890a253aa1f3343fbeafa3c496564
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHI8KPQK\vcruntime140_1d[1].dll
  MD5     34dd0b914a497cb7449ce24825ced03c
  SHA1    c22f8e7d16c2110f18886a2ac86fff12cebd3bf2
  SHA256  69b33c529c39f69d6a82958a7c49b8fc1fd5421e35ef2ac5ecc83a394220021f
  SHA512  b0651f43dfd2bd5b68daf387421a31e2667ad10f904696ec433cfba7ccde191dee0271ad00effbff348b5e4e900857009ac5762ed272fb9a6bf174ba6fc3ccd7
- C:\Windows\System32\msvcp140d.dll
  MD5     c4e2cff696a676129944a37fded935aa
  SHA1    42e2e911c26bb302d07dcdfdfa084bfcffdcb66d
  SHA256  2d9b2fb5e53666a2225c9c5dd7226754c4cde4f621f1da6e5dc34df718225c15
  SHA512  359ceda3b1d769cbbe1ba03dddf7d2ab211dc2f1dfb3cde6e46da23e509b7473e922424fe212ae50865622f191b45de69fad43c086d6a964a53403ceb0529626
- C:\Windows\System32\ucrtbased.dll
  MD5     7873612dddd9152d70d892427bc45ef0
  SHA1    ab9079a43a784471ca31c4f0a34b698d99334dfa
  SHA256  203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
  SHA512  d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
- C:\Windows\System32\vcruntime140_1d.dll
  MD5     34dd0b914a497cb7449ce24825ced03c
  SHA1    c22f8e7d16c2110f18886a2ac86fff12cebd3bf2
  SHA256  69b33c529c39f69d6a82958a7c49b8fc1fd5421e35ef2ac5ecc83a394220021f
  SHA512  b0651f43dfd2bd5b68daf387421a31e2667ad10f904696ec433cfba7ccde191dee0271ad00effbff348b5e4e900857009ac5762ed272fb9a6bf174ba6fc3ccd7
- C:\Windows\System32\vcruntime140d.dll
  MD5     01eee7747651c32df22680c4f7ca9857
  SHA1    20e509d36bce300aae0496a683fb7324a0d6302b
  SHA256  2fbd0ef78ccc3e77b6275bb8fc679acff23bbb1ed19bc8821276fdc84dc74c4c
  SHA512  8d89f7cf555cef73f9d3c2d559634491d7046d8f98cf4484d86579ba359d5631338d247bf79fb8f6e436cba13545264aa682fbfafc0783dde3d7e1406d83eb87
- C:\Windows\kmgaw.exe
  MD5     6f1df5d4075dc8499a505a20afe7a8b4
  SHA1    e3086fbed24b25a396f757144a6efb2fa1082574
  SHA256  fb2604c4774fabb3c38cdaa40c46cde673cb98ac2bd58c46fc9a447849aaffb7
  SHA512  10b9ffdfae90693d6a00055775e89f3a5928df5243c2d1be6cb9c45ca1b24308c03ec69e0c1cdfe1dbd77705b74c03827f00dc41923aecd11e1adf709d62df6b
- C:\Windows\winsdk.exe
  MD5     c5e15614f39c521702d24b7fd44ca434
  SHA1    d179a08ecd42e5ebf230e93de7518d952a566b1c
  SHA256  cd28c77b3e9401d38387cd2e5e1ba5771e304a7586adf67f3f02c9582879ac8f
  SHA512  b90599ca3a9cdf5da4686b76e5fc39a555ee413d57f7af9501517b70bd48496bfb4c61822c6d7009a31154d7adbb3f11ad881b57e25b56c4f1bc23e12ea1cb33
- memory/268-55-0x000000013FC50000-0x00000001409FA000-memory.dmp
  Filesize  13.7MB
- memory/268-59-0x0000000077B20000-0x0000000077B22000-memory.dmp
  Filesize  8KB
- memory/1048-60-0x0000000000000000-mapping.dmp
- memory/1292-61-0x0000000000000000-mapping.dmp
- memory/1292-67-0x0000000077B20000-0x0000000077B22000-memory.dmp
  Filesize  8KB
- memory/1292-64-0x000000013F760000-0x000000014050D000-memory.dmp
  Filesize  13.7MB
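Two things in the Downloads list are worth checking rather than eyeballing: the four debug CRT DLLs written into System32 carry exactly the same hashes as the copies in the Temporary Internet Files cache, which ties the "Downloads MZ/PE file" signature to the "Drops file in System32 directory" signature (the DLLs came over the network, not from the sample's own image), and the 13.7MB figures on the two large memory dumps follow from the address ranges in the dump names. The script below is an added example, not part of the sandbox report; the paths and SHA-256 values are copied from the Downloads and memory entries above, and nothing else is assumed.

```python
"""Cross-check the report's dropped-file hashes and memory-dump ranges.

Added example, not part of the sandbox report. Paths and SHA-256 values
are copied from the report's Downloads and memory sections.
"""
import re

IE_CACHE = (r"C:\Users\Admin\AppData\Local\Microsoft\Windows"
            r"\Temporary Internet Files\Content.IE5")

# (path, sha256) as listed in the report; MD5/SHA-1/SHA-512 are omitted here.
DOWNLOADS = [
    (IE_CACHE + r"\KC94CCU5\filecoder[1].htm",
     "3c0ab4292cda5730bef1a8cfab5f3284c62a9d1a883338b67bd4a65327d60a23"),
    (IE_CACHE + r"\KC94CCU5\vcruntime140d[1].dll",
     "2fbd0ef78ccc3e77b6275bb8fc679acff23bbb1ed19bc8821276fdc84dc74c4c"),
    (IE_CACHE + r"\MWR70CEF\ucrtbased[1].dll",
     "203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf"),
    (IE_CACHE + r"\PBXRT4TL\msvcp140d[1].dll",
     "2d9b2fb5e53666a2225c9c5dd7226754c4cde4f621f1da6e5dc34df718225c15"),
    (IE_CACHE + r"\RHI8KPQK\rustversion[1].htm",
     "9c7f38a9ac4f5de592be486948ac944aff688f914e3b74e6917c7fe4715a561e"),
    (IE_CACHE + r"\RHI8KPQK\vcruntime140_1d[1].dll",
     "69b33c529c39f69d6a82958a7c49b8fc1fd5421e35ef2ac5ecc83a394220021f"),
    (r"C:\Windows\System32\msvcp140d.dll",
     "2d9b2fb5e53666a2225c9c5dd7226754c4cde4f621f1da6e5dc34df718225c15"),
    (r"C:\Windows\System32\ucrtbased.dll",
     "203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf"),
    (r"C:\Windows\System32\vcruntime140_1d.dll",
     "69b33c529c39f69d6a82958a7c49b8fc1fd5421e35ef2ac5ecc83a394220021f"),
    (r"C:\Windows\System32\vcruntime140d.dll",
     "2fbd0ef78ccc3e77b6275bb8fc679acff23bbb1ed19bc8821276fdc84dc74c4c"),
    (r"C:\Windows\kmgaw.exe",
     "fb2604c4774fabb3c38cdaa40c46cde673cb98ac2bd58c46fc9a447849aaffb7"),
    (r"C:\Windows\winsdk.exe",
     "cd28c77b3e9401d38387cd2e5e1ba5771e304a7586adf67f3f02c9582879ac8f"),
]

MEMORY_DUMPS = [
    "memory/268-55-0x000000013FC50000-0x00000001409FA000-memory.dmp",
    "memory/268-59-0x0000000077B20000-0x0000000077B22000-memory.dmp",
    "memory/1048-60-0x0000000000000000-mapping.dmp",
    "memory/1292-61-0x0000000000000000-mapping.dmp",
    "memory/1292-67-0x0000000077B20000-0x0000000077B22000-memory.dmp",
    "memory/1292-64-0x000000013F760000-0x000000014050D000-memory.dmp",
]

_REGION = re.compile(
    r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def _is_drop(path):
    """True for files written under the Windows directory (not the IE cache)."""
    return path.lower().startswith(r"c:\windows")


def cache_to_drop_matches(entries):
    """Map each dropped file to the IE-cache file with the same SHA-256.

    A match means the dropped file is byte-identical to something the
    sample fetched over the network.
    """
    by_hash = {}
    for path, digest in entries:
        if path.startswith(IE_CACHE):
            by_hash.setdefault(digest, path)
    return {path: by_hash[digest] for path, digest in entries
            if _is_drop(path) and digest in by_hash}


def unmatched_drops(entries):
    """Dropped files for which the report records no cached network copy."""
    matched = cache_to_drop_matches(entries)
    return [p for p, _ in entries if _is_drop(p) and p not in matched]


def region_size(dump_name):
    """Bytes covered by a '<pid>-<n>-0xSTART-0xEND-memory.dmp' name.

    Returns None for mapping dumps, which carry a single placeholder address.
    """
    m = _REGION.match(dump_name)
    if not m:
        return None
    start, end = int(m.group(2), 16), int(m.group(3), 16)
    return end - start if end > start else None


def human_size(n):
    """Rounding as the report shows it: one decimal in MiB, whole KiB below 1 MiB."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


if __name__ == "__main__":
    for drop, cached in cache_to_drop_matches(DOWNLOADS).items():
        print(f"{drop}  <-  {cached}")
    print("no cached copy:", unmatched_drops(DOWNLOADS))
    for name in MEMORY_DUMPS:
        size = region_size(name)
        print(name, human_size(size) if size is not None else "(mapping)")
```

Running it reproduces the report's numbers: both large dumps round to 13.7MB and the two small ones to 8KB, and the four System32 DLLs each map back to one cache file. kmgaw.exe and winsdk.exe have no cached counterpart in the list, so the report itself gives no network origin for them; that is a statement about what the report records, not about how they were produced.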